Announced: Azure AD to offer more 3rd Party MFA features

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft announced a plan for change regarding Azure MFA.


What’s announced

Microsoft is planning to replace the current Custom controls (preview) in Conditional Access with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences.


What’s the experience today

Custom controls in Conditional Access have been in Public Preview since December 17, 2018. This functionality gives organizations the ability to integrate 3rd-party services as controls in Conditional Access, including MFA services from RSA, Duo Security, Trusona and SecureAuth:

Add a Custom Control in Azure AD Conditional Access

Today, 3rd-party MFA solutions face the following limitations:

  • They work only after a password has been entered
  • They don't serve as MFA for step-up authentication in other key scenarios
  • They don't integrate with end user or administrative credential management functions

Today, 3rd-party MFA partner integration is a feature that requires Azure AD Premium P1 subscription licenses.


What’s New

The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including:

  • Registration
  • Usage
  • MFA claims
  • Step-up authentication
  • Reporting
  • Logging

Custom controls will continue to be supported in Public Preview alongside the new design until the new design reaches General Availability. At that point, Microsoft will give organizations time to migrate to the new design.


What this means

Starting with this announced preview, organizations can use their existing 3rd-party MFA investments with Azure Active Directory. When the functionality reaches General Availability, they can use 3rd-party MFA in production for far more scenarios than they can currently.

There is currently no information on changes in licensing for the functionality. During the preview phase, it is safe to assume the license requirements remain the same.

Further reading

Custom controls (preview)
Azure AD conditional access custom controls are in public preview
Azure AD + 3rd party MFA = Azure AD Custom Controls

One Response to Announced: Azure AD to offer more 3rd Party MFA features


    Hi, Sander,

    We did everything necessary for Azure custom control, but hit a problem,

    AADSTS50172: External claims provider 4cad5f75-c75b-46c1-a717-724929a51eac is not approved.

    Can you please confirm we need to register as a trusted claims provider somewhere at Microsoft?

    Nobody pointed out how to get a proper AppID in that dummy JSON.
