
Azure Multi-Factor Authentication options for Federated Users

Published: May 20, 2013

Updated: February 10, 2014

If your organization has federated its on-premises Active Directory with Azure Active Directory using AD FS, the following two options for using Azure Multi-Factor Authentication are available.

If your organization is federated with Azure Active Directory and you have resources that are accessed by Azure Active Directory, you can use Azure Multi-Factor Authentication or Active Directory Federation Services to secure these resources. Use the procedures below to secure Azure Active Directory resources with either Azure Multi-Factor Authentication or Active Directory Federation Services.

The following table summarizes the authentication experience when securing resources with Azure Multi-Factor Authentication versus AD FS.

Securing Azure AD resources using Azure Multi-Factor Authentication

  Authentication Experience - Browser-based Apps:

  • The 1st factor of authentication is performed on-premises using AD FS.

  • The 2nd factor is a phone-based method carried out using cloud authentication.

  Authentication Experience - Non-Browser-based Apps:

  • End users can use app passwords to sign in.

Securing Azure AD resources using Active Directory Federation Services

  Authentication Experience - Browser-based Apps:

  • The 1st factor of authentication is performed using cloud authentication.

  • The 2nd factor is performed on-premises by honoring the claim.

  Authentication Experience - Non-Browser-based Apps:

  • End users can use app passwords to sign in.

Caveats with app passwords for federated users

  • App passwords are verified using cloud authentication and hence bypass federation. Federation is only actively used when setting up an app password.

  • On-premises Client Access Control settings are not honored for app passwords.

  • You lose on-premises authentication logging capability for app passwords.

  • Account disable/deletion may take up to 3 hours to propagate through dirsync, delaying disable/deletion of the app password in the cloud identity.

To secure Azure AD resources using Azure Multi-Factor Authentication do the following:

  1. Use the steps outlined in Enable multi-factor authentication for a user account to enable an account.

  2. Users then can follow the steps outlined in Signing in for the first time using Azure Multi-Factor Authentication to complete the setup process.

To secure Azure AD resources using AD FS do the following:

  1. Use the steps outlined in Enable multi-factor authentication for a user account to enable an account.

  2. Use the following procedure to set up a claims rule:

    1. Start the AD FS Management console.

    2. Navigate to Relying Party Trusts and right-click on the Relying Party Trust. Select Edit Claim Rules…

    3. Click Add Rule…

    4. From the drop-down, select Send Claims Using a Custom Rule and click Next.

    5. Enter a name for the claim rule.

    6. Under Custom rule: add the following:

      => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");

      Corresponding claim:

      <saml:Attribute AttributeName="authnmethodsreferences" AttributeNamespace="http://schemas.microsoft.com/claims">
        <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
      </saml:Attribute>

    7. Click OK. Click Finish. Close the AD FS Management console.

  3. Users then can complete signing in using the on-premises method (such as smartcard).

    Warning:
    The organizational ID will not trigger Azure Multi-Factor Authentication for the user because it has already received the claim from AD FS.
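The claim rule created in step 2 above can also be applied and verified from PowerShell on the AD FS server. The script below is an added example, not part of the original page or of Microsoft's documentation; it uses the AD FS cmdlets shipped with Windows Server 2012 R2 (Get-AdfsRelyingPartyTrust and Set-AdfsRelyingPartyTrust) and assumes the relying party trust for Azure AD carries the display name "Microsoft Office 365 Identity Platform", which you should change to whatever name appears under Relying Party Trusts in your own console.

```powershell
# Added example (not from the original page): apply and verify the custom
# issuance transform rule that step 2 above creates in the AD FS Management
# console. Run elevated on the primary AD FS server (Windows Server 2012 R2).
# Assumption: the Azure AD relying party trust is named as below; adjust it.
$rpName = 'Microsoft Office 365 Identity Platform'

# The rule text from the page, preceded by the @RuleName line the console
# writes when you give a custom rule a name (rule name is our choice).
$mfaClaimRule = @'
@RuleName = "Send multipleauthn claim to Azure AD"
=> issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) {
    throw "Relying party trust '$rpName' not found. List trusts with: Get-AdfsRelyingPartyTrust | Select-Object Name"
}

# Idempotency check: do not append a second copy if the claim is already issued.
$existingRules = [string]$rp.IssuanceTransformRules
if ($existingRules -match 'claims/multipleauthn') {
    Write-Output "Trust '$rpName' already issues the multipleauthn claim; no change made."
}
else {
    # Append rather than replace: -IssuanceTransformRules overwrites the whole
    # rule set, and the existing rules (UPN, ImmutableID, ...) are what make
    # federation with Azure AD work at all.
    $newRules = $existingRules.TrimEnd() + "`r`n" + $mfaClaimRule
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules
    Write-Output "Added multipleauthn issuance rule to '$rpName'."
}

# Verification: re-read the trust and show the relevant lines as AD FS stored them.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules -split "`r?`n" |
    Where-Object { $_ -match 'authnmethodsreferences|multipleauthn|RuleName' }
```

Note that the rule has no condition, so it asserts multipleauthn for every authentication that passes through this trust. Azure AD takes that claim at face value and, as the warning above states, will not prompt the user for Azure Multi-Factor Authentication; the on-premises second factor (such as the smartcard in step 3) must therefore actually be enforced for everyone who signs in through this relying party, otherwise users reach Azure AD resources with a single factor while the cloud believes two were used.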

If your organization is federated with Azure Active Directory and you have resources, on-premises or in the cloud, that you wish to secure, you can do this by using the Azure Multi-Factor Authentication Server and configuring it to work with AD FS so that multi-factor authentication is triggered for high-value endpoints. For information on how to do this, see Using Multi-Factor Authentication with Active Directory Federation Services.

The following table lists the features of Azure Multi-Factor Authentication for Azure AD and of the Multi-Factor Authentication Server, and how each differs between Azure AD and the on-premises server. You can use this list to help you decide which option is best for you.

Feature: Users

  MFA in Azure AD: Users are enabled via the web UI that is accessed either from the Azure Management Portal or the O365 Admin Portal, or through Windows PowerShell cmdlets.

  MFA Server with AD FS: Users are enabled via an import into the MFA Server from AD or an LDAP directory.

Feature: User enrollment

  MFA in Azure AD: Enabled users are enrolled via a web browser when they sign in for the first time after an admin enables them for MFA.

  MFA Server with AD FS: Users enroll via the on-premises User Portal, typically after receiving an email generated by the import into the MFA Server.

Feature: On-premises/Cloud sync

  MFA in Azure AD: On-premises enrollment and Azure Active Directory enrollment are separate today, without any sync. Enrollment and authentication settings (device/phone number and primary method of authentication) in Azure AD are independent of the on-premises MFA Server.

  MFA Server with AD FS: The MFA Server securing AD FS can synchronize with other MFA Servers securing other on-premises applications such as VPN, OWA and Citrix, allowing users to use a single device/phone number and method of authentication for all systems secured with MFA.

Feature: Non-browser apps

  MFA in Azure AD: Users must use app passwords with non-browser applications such as Outlook, Lync and mobile email apps.

  MFA Server with AD FS: Users use their normal organizational password, without multi-factor authentication, with non-browser applications such as Outlook, Lync and mobile email apps. If this is not desired, users must be blocked from using these apps outside the corporate network, so that they must be inside the network or connected via VPN to use them.

© 2014 Microsoft