MFA for Cloud / On-Premises services

  • Question

  • Hello,

    I'm trying to implement an Azure MFA solution for a customer who has on-premises and cloud services. I have used MFA Server for on-premises and Azure MFA for cloud (O365 with conditional access, for example).

    On-premises tests with some services work fine and challenge the users for a 2nd factor (I use Microsoft Authenticator, approving the access), and obviously MFA on Cloud works too. The problem I found is that I need to use 2 accounts with the same user work account to validate MFA in each environment. Is this normal behaviour? I understand that MFA on Cloud manages its own users, but if I add an MFA Server on-premises validated in the cloud, isn't it supposed to use only 1 account to authenticate in both environments?

    I appreciate any advice / help. Thank you.


    • Edited by Marcos VS Friday, September 14, 2018 7:06 AM
    Thursday, September 13, 2018 3:30 PM

Answers

  • Hello Marcos,

    You choose to use Azure MFA or MFA Server based on where the user exists (Azure AD or on-prem AD) and on the other capabilities required.

    In case you have on-prem users only, then you will use MFA Server to configure MFA. On the other hand, if the user is only in Azure AD, then you will use Azure MFA to configure MFA.

    However, you can decide to use either Azure MFA or MFA Server based on your requirements if you have a hybrid environment with users from on-prem or Azure AD.

    In case you have Azure AD and on-premises AD using federation with AD FS, and you are using AD FS 2016, you do not require MFA Server and Azure MFA can be used for the MFA configuration.

    Now in case the user is in Azure AD or has been synced from on-prem AD to Azure AD using AD Connect with password hash sync or pass-through authentication, then Azure MFA for the user can be configured in AAD.

    In all of the above cases, the user will be required to configure MFA only once.

    In case you are using Azure MFA Server without federation and you need to provide two-factor for on-prem resources and at the same time provide two-factor for Azure AD and O365, you would need to have people register twice: once with Azure MFA and once with on-premises in your scenario. If your on-prem resources support RADIUS authentication, you can use the new NPS plug-in, which will leverage the existing Azure MFA registration details to avoid the user registering in two places.


    Mohit Garg

    • Proposed as answer by MohitGarg_MSFT Thursday, September 20, 2018 9:49 PM
    • Marked as answer by Marcos VS Tuesday, October 2, 2018 3:04 PM
    Thursday, September 20, 2018 9:48 PM

All replies

  • See here to get information on sharing accounts using Azure AD. It might help you: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-sharing-accounts
    • Proposed as answer by samyyysam Thursday, September 13, 2018 7:28 PM
    • Unproposed as answer by Marcos VS Friday, September 14, 2018 7:03 AM
    Thursday, September 13, 2018 7:28 PM
  • Hello samyyysam,

    Thank you for your answer, but it is not exactly what I am searching for. This article is about account sharing, but in this case it is about the same work account, owned by only 1 person, that should authenticate with only 1 token in the cloud and on-premises environments.

    Thank you.

    Friday, September 14, 2018 7:03 AM