Reference articles:

https://docs.microsoft.com/sl-si/azure/multi-factor-authentication/multi-factor-authentication-get-started

https://docs.microsoft.com/sl-si/azure/multi-factor-authentication/multi-factor-authentication-get-started-server

https://docs.microsoft.com/sl-si/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs


https://blog.kloud.com.au/2017/07/04/resolving-the-double-auth-prompt-issue-in-adfs-with-azure-ad-conditional-access-mfa/

https://blog.kloud.com.au/2017/07/01/using-adfs-on-premises-mfa-with-azure-ad-conditional-access/


Scripting and automation:

https://araihan.wordpress.com/2017/01/20/enable-multi-factor-authentication-for-office-365-users-using-powershell/

http://eskonr.com/2018/03/different-methods-to-setup-azure-mfa-registration-for-o365/


Configuration:

The tenant must be configured to redirect MFA to MFA onprem through ADFS: the ADFS infrastructure has been configured to support MFA onprem, with the dedicated MFA adapter (connector) running on each internal ADFS server.

The MFA onprem servers are configured to import internal domain users. No conditional access policies are possible with MFA onprem servers.


AzureMFA:

  • Azure MFA works only for accounts created directly in the tenant (aad-xxx, guests)
  • Azure AD conditional access policies will not work with MFA onprem – only with Azure MFA
  • Accounts on Azure AD must be MFA enabled (with the PhoneFactor portal, via PS script, or via an AAD Identity Protection policy). MFA setup: aka.ms/mfasetup
  • Applications supported:
    • Granular policies are possible per application
    • Azure AD federated applications / Office 365 apps…
    • Not possible to use Cisco VPN or onprem applications, because the account must be declared in the MFA onprem server database.


MFA onPrem:

  • Synchronized users will use only MFA onprem
  • Synchronized accounts on Azure AD must be MFA enabled (with the PhoneFactor portal, via PS script, or via an AAD Identity Protection policy), else by default users are not MFA enabled
  • Conditional access to Office 365 is only possible at the ADFS level (access rule for the whole O365 RP trust)
    • and so it applies to all Azure AD / Office 365 apps (no granularity per application compared to Azure MFA)
  • Other use cases supported:
    • Cisco VPN (using RADIUS)
    • Citrix…


=========================================================

Users must be MFA enabled in Azure AD for either Azure MFA OR MFA onprem to apply:

To automate:

  1. By PowerShell script
  2. By using Azure AD identity protection and policies
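The PowerShell route from step 1, as an added example that is not part of the original notes: it bulk-enables the Azure AD MFA requirement for synchronized users only, since those are the ones ADFS routes to MFA onprem. It assumes the MSOnline module is installed and the session is connected as a Global Administrator; the `Where-Object` filter on `LastDirSyncTime` is the assumption used here to identify synchronized accounts.

```powershell
# Added example: bulk-enable the MFA requirement for synchronized users via MSOnline.
# Assumes the MSOnline module is available and a Global Admin account (not on the page).
Import-Module MSOnline
Connect-MsolService

# Build the StrongAuthenticationRequirement object once.
# "Enabled" prompts the user to register MFA at next sign-in; "Enforced" requires MFA immediately.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = "*"
$requirement.State = "Enabled"

# Select synchronized users (LastDirSyncTime is set) that have no requirement yet.
# Get-MsolUser -All returns the whole tenant, so the filtering is done locally.
$targets = Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime -and $_.StrongAuthenticationRequirements.Count -eq 0 }

foreach ($user in $targets) {
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName `
                 -StrongAuthenticationRequirements @($requirement)
    Write-Output "MFA requirement enabled for $($user.UserPrincipalName)"
}

# Verification: any synchronized user still without a requirement is listed here (expect none).
Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName
```

Run it once with the `foreach` loop commented out to review the `$targets` list before changing anything, because an "Enforced" state locks out users who have not yet registered.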


Uncheck the Azure MFA box in the ADFS multi-factor authentication settings to keep only MFA onprem as the main MFA authentication method.


ADFS conditional access for the Office 365 RP:

We must create a single policy – valid for the Office 365 RP trust and thus valid for all Azure AD and Office 365 apps (all or nothing – no granularity here).
