Apr 07 2020
- last edited on
Jul 24 2020
Is it possible to have applications published in Azure Enterprise Applications and use Azure AD password hash sync for authentication but pass off the MFA piece to DUO?
It states "What are the multifactor authentication options". Password hash sync + Seamless SSO supports Azure MFA and Custom Controls with conditional access.
And Federation with ADFS supports "Third-party MFA" as well as the custom controls with conditional access.
When I initially read this, I expected that DUO MFA is only supported with an ADFS federation. However, upon reading more on the custom controls, it appears that the MFA can be handed off to DUO for MFA and still use the Password Hash sync/Seamless SSO as the authentication?
Apr 07 2020 11:53 PM
Yes, it should be possible, although the experience is somewhat limited. And they're going to replace it with a new method, so read here in case you haven't seen it already: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new#upcoming-changes-to-c...
Apr 08 2020 06:08 AM
Thank you Vasil, I did see another posting after I posted this question: https://dirteam.com/sander/2020/03/25/announced-azure-mfa-to-offer-more-3rd-party-mfa-features/ . I'm still unsure why/what it means exactly that ADFS is a requirement for 3rd party MFA while Seamless SSO with Hash Sync supports the custom controls. I guess it's because the Seamless SSO with custom controls and 3rd party MFA isn't truly seamless, as dirteam pointed out?
Today, 3rd-party MFA solutions face the following limitations:
Apr 08 2020 08:09 AM (Solution)
Yup, and somewhere else was mentioned that they cannot satisfy the MFA claim either, which is important for some scenarios. In any case, you should check with Duo support as well.
Apr 08 2020 11:28 AM
@doeweb Yes, this is possible. We are doing this now. We have DUO in Azure AD and are using password hash sync.
Apr 08 2020 11:41 AM
So you have no ADFS federation, all of it is configured with Seamless SSO w/password hash sync? Have you experienced any limitations with regard to user experience?
Apr 08 2020 01:36 PM
@doeweb We are currently testing using staged rollout for password hash sync. We are using DUO as an MFA provider in Azure, and we are using conditional access policies to force MFA using the DUO provider. It's working; however, I'm a little unclear on what the limitations are. I read the article you posted, but what scenario would the limitations mentioned in the article apply to?
Apr 08 2020 01:43 PM
Check out: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-co... There are also people responding about issues that forced them to revert back to ADFS. @Skipster
Apr 08 2020 01:46 PM
@doeweb I just saw the link you posted. Yeah, it doesn't look like it's possible to move 3rd party MFA to Azure until the new features are rolled out.
Apr 09 2020 07:02 AM
We are also evaluating staged rollout of password hash sync and DUO as an MFA provider in Azure. So far everything appears to be working; however, I see there are some known limitations with the current feature in Azure. Can you please help me understand what the below limitations mean? In what scenario would we notice the current limitations?
Apr 09 2020 07:44 AM
@Skipster I opened up a proactive case with MS and asked those specific questions, and he didn't quite understand that comment from that blog. Check out this URL and look towards the bottom: some people are having issues with Windows Hello requiring the user to enroll with MS MFA instead of the existing 3rd party MFA, so they ended up having to revert back to ADFS.