Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft announced a plan for change regarding Azure MFA.
What’s announced
Microsoft is planning to replace the current Custom controls (preview) in Conditional Access with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences.
What’s the experience today
Custom controls in Conditional Access have been in Public Preview since December 17, 2018. This functionality gives organizations the ability to integrate 3rd-party services as controls in Conditional Access, including MFA services from RSA, Duo Security, Trusona and SecureAuth.
Today, 3rd-party MFA solutions face the following limitations:
- They work only after a password has been entered
- They don't serve as MFA for step-up authentication in other key scenarios
- They don't integrate with end user or administrative credential management functions
Today, 3rd-party MFA partner integration is a feature that requires Azure AD Premium P1 subscription licenses.
What’s New
The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including:
- Registration
- Usage
- MFA claims
- Step-up authentication
- Reporting
- Logging
Custom controls will continue to be supported in Public Preview alongside the new design until the new design reaches General Availability. At that point, Microsoft will give organizations time to migrate to the new design.
What this means
Starting with this announced preview, organizations can use their existing 3rd-party MFA investments with Azure Active Directory. When the functionality reaches General Availability, they can use 3rd-party MFA in production for far more scenarios than they can currently.
There is currently no information on changes in licensing for the functionality. During the preview phase, it is safe to assume the license requirements remain the same.
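As an added example that is not part of the original post: the following PowerShell script lists the Conditional Access policies whose grant controls reference a custom control, which is exactly the set of policies that will have to move to the new design once Microsoft retires custom controls. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the Policy.Read.All permission.

```powershell
# Added example, not code from the original post. Inventories Conditional
# Access policies that grant access through a custom control (3rd-party MFA).
# Assumes the Microsoft.Graph PowerShell SDK and the Policy.Read.All scope.
Connect-MgGraph -Scopes "Policy.Read.All" | Out-Null

$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$policies = @()
# Follow @odata.nextLink so tenants with many policies are fully enumerated.
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $policies += $page.value
    $uri = $page.'@odata.nextLink'
}

$usingCustomControls = foreach ($p in $policies) {
    # customAuthenticationFactors holds the IDs of the custom controls a
    # policy requires; it is empty or absent for policies that only use
    # built-in controls such as Azure MFA or compliant device.
    $custom = @($p.grantControls.customAuthenticationFactors | Where-Object { $_ })
    if ($custom.Count -gt 0) {
        [pscustomobject]@{
            DisplayName      = $p.displayName
            State            = $p.state                    # enabled / disabled / report-only
            Operator         = $p.grantControls.operator   # AND / OR with other controls
            BuiltInControls  = ($p.grantControls.builtInControls -join ', ')
            CustomControlIds = ($custom -join ', ')
        }
    }
}

if ($usingCustomControls) {
    $usingCustomControls | Sort-Object State, DisplayName | Format-Table -AutoSize
} else {
    "No Conditional Access policy references a custom control."
}
```

Policies listed with Operator "OR" next to a built-in MFA control will keep working without the custom control; those with "AND" or with no built-in control depend entirely on the 3rd-party factor and deserve migration planning first.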
Further reading
Custom controls (preview)
Azure AD conditional access custom controls are in public preview
Azure AD + 3rd party MFA = Azure AD Custom Controls
Hi, Sander,
We did everything necessary for Azure custom control, but hit a problem,
AADSTS50172: External claims provider 4cad5f75-c75b-46c1-a717-724929a51eac is not approved.
Can you please confirm we need to register as a trusted claims provider somewhere at Microsoft?
Nobody pointed out how to get a proper AppID in that dummy JSON.
Curious if I could ask for clarification.
Our org currently uses managed authentication (PHS) and we enforce Duo using Conditional Access custom controls & policies, instead of using Azure MFA or federating with AD FS and integrating Duo there.
It works great, but there are the occasional pitfalls. One being that Windows Hello for Business does not seem to support or like this configuration. WHfB requires MFA, but as far as WHfB knows, the user has no MFA in our configuration. (From reading documentation, only Azure MFA and 3rd-party MFA integrated via AD FS are supported in WHfB)
The result we see is that, for example, a user trying to create a sign-in PIN on a Hybrid AAD-Joined device is greeted with an Azure MFA code prompt, despite our users not using Azure MFA. Then the process falls apart.
So, will this article's referenced "new" non-CA custom control integration mechanism allow for 3rd party MFA to be supported in scenarios that require MFA such as WHfB? Or am I reading into this wrong?
Hi Andrew,
I feel Microsoft's description is too vague and your situation is too specific to answer your question. The functionality is in Public Preview today.
If it doesn't offer the functionality today, it's a safe assumption that it won't work when the functionality is Generally Available (GA).