Forum Discussion

Ueli Zimmermann
Brass Contributor
Jan 04, 2019

Azure MFA and Azure MFA Server side by side

Hello All,


Is it possible to use Azure Cloud MFA, but for certain on-premises apps which I'm not allowed or able to publish through Azure App Proxy, use the Azure MFA Server within the same tenant and with the same user IDs? Or do I have to choose one or the other?


Best regards

U

12 Replies

  • ThinkSync
    Brass Contributor

    Eli Shlomo  – thanks for sharing the links.


    Ueli Zimmermann - the Azure MFA feature program manager has some insightful comments on Reddit:


    https://www.reddit.com/r/AZURE/comments/7r4324/azure_mfa_server_on_premise_lifecycle_roadmap/


    “There isn't any engineering effort going into MFA server, and eventually it will end of life. All of our work is going into Azure MFA and features like conditional access policy...”


    “Eventually, yes, Azure MFA Server will probably be deprecated in favour of the cloud-only Azure MFA service. However, we wouldn't do this until we have feature parity in cloud-only Azure MFA, and a reasonable migration path. We also wouldn't do this without advance notice: I'm not completely sure (I'll find out and report back), but I'm pretty sure this will be at least 1 year. There are still some features we haven't quite finished yet which are only available in Azure MFA Server but not in the cloud-only service (PIN mode, pre-registration, OATH token support, etc.), but we're working on it.”


    So I wouldn’t be overly concerned if you’ve already deployed MFA Server; however, to avoid migrating in the future, I’d recommend opting for the NPS extension or appliances that support direct Azure MFA integration.


    Hope this helps,

    Matt

    • Eli Shlomo
      MVP

      Correct information, but Reddit is not yet dependable information and not official from Microsoft, so for the different products it's recommended to work according to Microsoft lifecycle information.

      I recommend avoiding working with NPS because it isn't secure enough, and it's better to work on top of SAML with Azure AD. (From experience in the field, the integration with NPS will fail on a first pen test because of NPS itself and not Azure AD.)


      • ThinkSync
        Brass Contributor

        Eli Shlomo, sorry, I'll have to politely disagree :-)


        Looking at authentication from an architectural perspective, now that basic authentication can be blocked using conditional access, customers can start to move away from ADFS and start using Password Hash Sync... but that's a topic for another thread :-)


        Righty hoo, NPS - I completely agree the documentation is a little cryptic and, if implemented incorrectly, could lead to credentials being sent over the wire in clear text.


        1. In most cases we don’t need to perform primary auth against AD a second time, or even at all. So, we set the policy to “Accept users without validating credentials”. (Remember the NPS extension doesn't authenticate users; it passes the request to the MFA endpoint, which triggers a user proof-up - text, phone or auth app.)
        2. Next, the NPS policy needs something to check, so we use a simple NASID condition, “MFA”, as seen in the example below.
        3. As the RADIUS Access-Request messages are processed without credential validation, we can switch the RADIUS auth protocol to MS-CHAP v2.


        There are a few more things to tweak on NetScaler and Windows which I’ll post in a blog later this week.
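As an added check that is not part of the thread or of any Microsoft tooling: a small Python parser for RADIUS Access-Request packets (RFC 2865 layout) that reports whether a request carries a PAP User-Password or an MS-CHAPv2 response and whether its NAS-Identifier is "MFA", i.e. whether it would match the policy ThinkSync describes. The two sample packets are constructed inline; the attribute and vendor numbers are the standard ones (User-Password 2, NAS-Identifier 32, Vendor-Specific 26, Microsoft vendor 311, MS-CHAP2-Response 25).

```python
import struct

USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 26, 32
VENDOR_MICROSOFT = 311
MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 11, 25


def parse_attributes(packet: bytes):
    """Yield (type, vendor_id, vendor_type, value) for each attribute in a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20  # 4-byte header + 16-byte Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]          # vendor sub-attribute header
            yield atype, vendor_id, vtype, value[6:4 + vlen]
        else:
            yield atype, None, None, value
        pos += alen


def audit_access_request(packet: bytes) -> dict:
    """Classify the auth method and check the NAS-Identifier condition from the post."""
    attrs = list(parse_attributes(packet))
    pap = any(t == USER_PASSWORD for t, _, _, _ in attrs)
    mschapv2 = any(t == VENDOR_SPECIFIC and vid == VENDOR_MICROSOFT and vt == MS_CHAP2_RESPONSE
                   for t, vid, vt, _ in attrs)
    nas_id = next((v.decode("ascii", "replace") for t, _, _, v in attrs if t == NAS_IDENTIFIER), None)
    return {"pap": pap, "mschapv2": mschapv2, "nas_identifier": nas_id,
            "matches_mfa_policy": nas_id == "MFA" and mschapv2 and not pap}


# Constructed sample packets (hypothetical values, zeroed authenticator) for demonstration.
def vsa(vendor_type: int, value: bytes) -> bytes:
    return struct.pack("!I", VENDOR_MICROSOFT) + bytes([vendor_type, len(value) + 2]) + value


def build_access_request(attrs) -> bytes:
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + b"\x00" * 16 + body


PAP_REQUEST = build_access_request([(USER_NAME, b"alice"), (USER_PASSWORD, b"\x00" * 16), (NAS_IDENTIFIER, b"MFA")])
MSCHAP_REQUEST = build_access_request([(USER_NAME, b"alice"), (VENDOR_SPECIFIC, vsa(MS_CHAP_CHALLENGE, b"\x01" * 16)),
                                       (VENDOR_SPECIFIC, vsa(MS_CHAP2_RESPONSE, b"\x00" * 50)), (NAS_IDENTIFIER, b"MFA")])
```

Run `audit_access_request(PAP_REQUEST)` and `audit_access_request(MSCHAP_REQUEST)` to see which request would satisfy the NASID-plus-MS-CHAPv2 policy.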


  • ThinkSync
    Brass Contributor

    Hello!


    Please try to avoid deploying the MFA Server. This product will be deprecated in the not too distant future.


    Have you considered using the Azure MFA NPS extension? I've recently deployed the extension for Citrix 2FA via Netscaler and it works really well. What workloads are you wanting to use MFA for?

    • Ueli Zimmermann
      Brass Contributor
      Thank you. We currently use no specific rules on ADFS except forwarding everything for MFA to the Azure Cloud MFA service. I would like to keep it this way if possible and only utilize MFA Server for the stuff which does not pass through ADFS directly. Example: we have Citrix NetScaler in front of on-premises Exchange 2016, which is able to use MFA Server for the 2nd factor. Exchange 2016 is hybrid configured with Exchange Online, and we have users there too which currently use ADFS / Azure MFA cloud-based 2nd factor. So the way on-premises users still access the environment is completely separated from WAP / ADFS. Is this possible, or do I still need to somehow modify ADFS claims?
      • Eli Shlomo
        MVP

        You need to create an ADFS rule that avoids the request for the traffic that does not pass ADFS directly, but in this configuration you may create a lot of maintenance and management issues with this approach.


        Try to work with one IdP and point all applications and requests to this IdP, including on-premises.
