Concerns using Microsoft MFA

Dear Forum members,


My company is using ADFS + DUO but is thinking about using Microsoft PHS + MS MFA. We are testing a staged rollout but have been told that our Security team has concerns about MS MFA:

  • Can't differentiate session initiation so VPN users will always get flagged
  • No VPN blocking
  • Password portal explicit registration

We are using Cisco VPN, which of course should work well with DUO. I can understand that nobody likes to change, but financially MS MFA is more cost-effective for us. Since we haven't used MS MFA yet, I am not sure whether those concerns are valid or not. And if those are valid concerns, are there any workarounds, mitigation strategies or alternative approaches we can use to convince our security team to migrate over? Any recommendations/suggestions are greatly appreciated!



5 Replies
ADFS doesn't have context-based authentication. If you are moving from ADFS to Azure AD/Entra ID, then you need to define Conditional Access to control access at authentication. Please note Azure AD/Entra ID is a SaaS-based solution, hence the URLs are open to the public, so it doesn't care if you are accessing via VPN or from any public Wi-Fi or from home; those links will be accessible. Your Conditional Access rules related to IP, location etc. will decide if the user has to be allowed after he enters the username, which is typically the email address.
best response confirmed by C Lee (Brass Contributor)
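As an added example (not code from either poster), this is how the setup described in that reply is expressed with the Microsoft Graph PowerShell SDK: a trusted named location for the VPN's public egress range, plus a Conditional Access policy that requires MFA everywhere except trusted locations, created in report-only mode for a staged rollout. The VPN range 203.0.113.0/24 and the break-glass group ID are placeholders, not values from the thread.

```powershell
# Added example: trusted named location for VPN egress + report-only CA policy.
# Assumptions (placeholders, not from the thread): VPN egress range 203.0.113.0/24
# and a break-glass group object ID. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location: the public IP range the Cisco VPN concentrator egresses from.
#    Marking it trusted lets CA treat sign-ins arriving via the VPN differently from
#    sign-ins from home or public Wi-Fi, which is what the "VPN users always get
#    flagged" concern is about.
$vpnLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate VPN egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }  # placeholder
    )
}

# 2. CA policy: require MFA for all users and all cloud apps, except from trusted
#    locations (the VPN range above and any other trusted named locations).
#    Report-only mode means the sign-in logs record what the policy *would* do,
#    so the security team can review the effect before anything is enforced.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA outside trusted locations (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")  # placeholder: emergency access accounts
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. Sanity check: confirm the policy state and which locations it exempts.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "ExcludedLocations"; e = { $_.Conditions.Locations.ExcludeLocations } }
```

The location exemption only distinguishes VPN sessions if sign-in traffic to Microsoft endpoints actually leaves through the VPN egress address; with split tunneling, Entra ID sees the user's home or hotspot IP instead, which the report-only sign-in logs will make visible.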
Hi Chandrasekhar_Arya, thanks for your reply. It is very helpful! If I understand correctly, when we use Microsoft MFA + PHS, we will need to configure a Conditional Access Policy and leverage trusted locations + identity to control the access. Additionally, we can add device and other controls in the Conditional Access policies to further fine-tune it. But in terms of VPN access, I am not familiar with how it works, so I'm not sure how to configure CA. Are you saying it has no difference from other access sources, so we should just treat them the same and use the same or similar policy? Any suggestions are appreciated.

Thank you once again for all your help!


@C Lee yes, that's correct. As an example, if you have to log in to the Azure portal, you can't control it via your corporate VPN, as it's a public URL and can be accessed from anywhere in the world that has internet. What is in your control is to define a CA policy and block once the user enters his username.


Thank you once again for your help!

@C Lee Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.