Announced: Azure AD to offer more 3rd Party MFA features

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft announced a plan for change regarding Azure MFA.

What’s announced

Microsoft is planning to replace the current Custom controls (preview) in Conditional Access with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences.

What’s the experience today

Custom controls in Conditional Access have been in Public Preview since December 17, 2018. This functionality gives organizations the ability to integrate 3rd-party services as controls in Conditional Access, including MFA services from RSA, Duo Security, Trusona and SecureAuth:

Add a Custom Control in Azure AD Conditional Access

Today, 3rd-party MFA solutions face the following limitations:

  • They work only after a password has been entered
  • They don't serve as MFA for step-up authentication in other key scenarios
  • They don't integrate with end user or administrative credential management functions

Today, 3rd-party MFA partner integration is a feature that requires Azure AD Premium P1 subscription licenses.

What’s New

The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including:

  • Registration
  • Usage
  • MFA claims
  • Step-up authentication
  • Reporting
  • Logging

Custom controls will continue to be supported in Public Preview alongside the new design until the new design reaches General Availability. At that point, Microsoft will give organizations time to migrate to the new design.
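Because every Conditional Access policy that grants access through a custom control will eventually have to be moved to the new design, it helps to know which policies those are. The inventory script below is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the Policy.Read.All permission.

```powershell
# Added example (not from the original post): list Conditional Access policies
# that require a custom control (3rd-party MFA), so they can be tracked for
# migration once the new design reaches General Availability.
# Assumes the Microsoft.Graph PowerShell SDK and Policy.Read.All consent.
Connect-MgGraph -Scopes "Policy.Read.All"

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    # CustomAuthenticationFactors holds the IDs of the custom controls the
    # policy requires; policies without any are not affected by the change.
    $custom = @($p.GrantControls.CustomAuthenticationFactors)
    if ($custom.Count -eq 0) { continue }

    [pscustomobject]@{
        DisplayName     = $p.DisplayName
        State           = $p.State                       # enabled / disabled / report-only
        Operator        = $p.GrantControls.Operator      # AND / OR with other grant controls
        BuiltInControls = ($p.GrantControls.BuiltInControls -join ',')
        CustomControls  = ($custom -join ',')
    }
}

if (-not $report) {
    Write-Host "No Conditional Access policies reference a custom control."
} else {
    $report | Sort-Object DisplayName | Format-Table -AutoSize
    # Keep a copy alongside the migration plan
    $report | Export-Csv -Path .\ca-custom-controls.csv -NoTypeInformation
}
```

Policies where the operator is AND and a built-in control such as mfa is also listed are the ones to review first, since the custom control there is combined with Azure MFA rather than replacing it.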

What this means

Starting with this announced preview, organizations can use their existing 3rd-party MFA investments with Azure Active Directory. When the functionality reaches General Availability, they can use 3rd-party MFA in production for far more scenarios than they can currently.

There is currently no information on changes in licensing for the functionality. During the preview phase, it is safe to assume the license requirements remain the same.

Further reading

Custom controls (preview)
Azure AD conditional access custom controls are in public preview
Azure AD + 3rd party MFA = Azure AD Custom Controls

3 Responses to Announced: Azure AD to offer more 3rd Party MFA features

  1.  

    Hi, Sander,

    We did everything necessary for Azure custom control, but hit a problem,

    AADSTS50172: External claims provider 4cad5f75-c75b-46c1-a717-724929a51eac is not approved.

    Can you please confirm we need to register as a trusted claims provider somewhere at Microsoft?

    Nobody pointed out how to get a proper AppID in that dummy JSON.

  2.  

    Curious if I could ask for clarification.

    Our org currently uses managed authentication (PHS) and we enforce Duo using Conditional Access custom controls & policies, instead of using Azure MFA or federating with AD FS and integrating Duo there.

    It works great, but there are the occasional pitfalls. One being that Windows Hello for Business does not seem to support or like this configuration. WHfB requires MFA, but as far as WHfB knows, the user has no MFA in our configuration. (From reading documentation, only Azure MFA and 3rd MFA integrated via AD FS are supported in WHfB)

    The result we see is that, for example, a user trying to create a sign-in PIN on a Hybrid AAD-Joined device is greeted with an Azure MFA code prompt, despite our users not using Azure MFA. Then the process falls apart.

    So, will this article's referenced "new" non-CA custom control integration mechanism allow for 3rd party MFA to be supported in scenarios that require MFA such as WHfB? Or am I reading into this wrong?

    • Hi Andrew,

      I feel Microsoft's description is too vague and your situation is too specific to answer your question. The functionality is in Public Preview today.
      If it doesn't offer the functionality today, it's a safe assumption that it won't work when the functionality is Generally Available (GA).
