Azure MFA and Azure MFA Server side by side

Brass Contributor

Hello All,


Is it possible to use Azure Cloud MFA but for certain on Premise Apps which I'm not allowed or able to Publish through Azure App Proxy, use the Azure MFA Server within the same Tenant and same User IDs ?  or do I have to choose one or the other ?


Best regards


12 Replies

Yes, you can mix and match the on-prem MFA server and Azure MFA enforcement for specific apps, and even bypass or force double-MFA as needed. You will have to take care of the ADFS claims rules configuration though, to avoid some issues.

Thank you, we are currently use none specific Rules on ADFS except forward for MFA everything to Azure Cloud MFA Service. I would like to keep this way if possible and only utilize MFA Server for the stuff which does not pass ADFS directly. Example: we have Citrix NetScaler in front of On Premise Exchange 2016 which are able to use MFA Server for 2nd Factor. Exchange 2016 is Hybrid Configured with Exchange Online and we have Users there too which currently use ADFS/ Azure MFA Cloud based 2nd Factor. So the Way how still On-premise Users access the Environment is completely separated from WAP / ADFS. Is this possible or do I still need to somehow modify ADFS Claims ?



Please try to avoid deploying the MFA Server. This product will be deprecated in the not to distant future.


Have you considered using the Azure MFA NPS extension? I've recently deployed the extension for Citrix 2FA via Netscaler and it works really well. What workloads are you wanting to use MFA for?

You need to create an ADFS rule that avoids the request for the traffic that not pass ADFS directly, but in this configuration, you may create a lot of maintenance and management issues around this approach.


Try to work with one IDP and point all application and requests to this IDP including on-premises.



Thanks, that sounds something I will check out more further.

With regards to your Statement. Is there already somewhere a little bit more evidence until when MS will Support MFA Server ?



at least for 2019, the product will not be retired but from time to time Microsoft deprecated some features


My recommendations to you if you're planning for the long run, it will be better to work with Azure AD as your IDP and manage all identity from one place, of course, you can connect many application, local VPN solutions and another environment to Azure AD and work with one identity.

@Eli Shlomo  – thanks for sharing the links.


@Ueli Zimmermann - the Azure MFA feature program manager has some insightful comments on Reddit:


 “There isn't any engineering effort going into MFA server, and eventually it will end of life. All of our work is going into Azure MFA and features like conditional access policy...”


“Eventually, yes, Azure MFA Server will probably be deprecated in favour of the cloud-only Azure MFA service. However, we wouldn't do this until we have feature parity in cloud-only Azure MFA, and a reasonable migration path. We also wouldn't do this without advance notice: I'm not completely sure (I'll find out and report back), but I'm pretty sure this will be at least 1 year. There are still some features we haven't quite finished yet which are only available in Azure MFA Server but not in the cloud-only service (PIN mode, pre-registration, OATH token support, etc.), but we're working on it.”


So I wouldn’t be overly concerned if you’ve already deployed MFA Server, however to avoid migrating in the future, I’d recommend opting for the NPS extension or appliances that support direct Azure MFA integration.


Hope this help,


Correct information but Reddit is not yet dependable information and not official by Microsoft, so for the different products its recommended to work according to Microsoft lifecycle information.

I recommended avoiding working with NPS because isn't secure enough and it's better to work on top of SAML with Azure AD. (from experience on the field, the integration with NPS will fail on a first pen test because of the NPS itself and not the Azure AD)


@Eli Shlomo Sorry, I'll have to politely disagree :)


Looking at authentication from an architectural perspective, now that basic authentication can be blocked using conditional access, customers can start to move away from ADFS and start using Password Hash Sync…. but that's a topic for another thread :)


Righty hoo, NPS - completely agree the documentation is a little cryptic and if implemented incorrectly, could lead to credentials being sent over the wire in clear text. 


  1. In most cases we don’t need to perform primary auth against AD a second time or even at all. So, we set the policy to “Accept users without validating credentials”. (remember the NPS extension doesn't authentication users, it passes the request to the MFA Endpoint which triggers a user proof up - text, phone or auth app)
  2. Next, the NPS policy needs something to check, so we use a simple NASID condition, “MFA” as seen in the example below.
  3. As the RADIUS Access-Requests messages are processed without credential validation, we can switch the RAIDUS auth protocol to MSCHAP v2


There’s a few more things to tweak on Netscaler and Windows which I’ll post in a blog later this week.


NPS config.png

its ok to disagree.

You cannot compare the reference between Reddit and Microsoft Premier, because Microsoft premier its official and can provide an official reference behind it. 

It's better and more secure to work with SAML against the radius because of radius its portiantlyconfiguration that you can break into.

Azure AD with SAML and ADFS can provide more benefits and more security built-in without breaches.


Thank you Both for this Discussion it helped me certainly to see the different Options and I probably will go back to the drawing Board :)


We also have another Identity Workshop with MS around Feb 2019 so I will certainly follow your lead and also ask the PFE for such Options and what could be best for our Case.



Great stuff, a chalk and talk will certainly help breakdown your scenario :)


I'd also suggest asking about guidance around moving away from ADFS to PHS combined with blocking basic authentication using conditional access. Both are recommend by the product group as best practise.