Getting started with Microsoft Entra multifactor authentication and Active Directory Federation Services

Microsoft Entra multifactor authentication and ADFS getting started

If your organization has federated your on-premises Active Directory with Microsoft Entra ID using AD FS, there are two options for using Microsoft Entra multifactor authentication.

  • Secure cloud resources using Microsoft Entra multifactor authentication or Active Directory Federation Services
  • Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server

The following table summarizes the verification experience between securing resources with Microsoft Entra multifactor authentication and AD FS

Verification Experience - Browser-based Apps Verification Experience - Non-Browser-based Apps
Securing Microsoft Entra resources using Microsoft Entra multifactor authentication
  • The first verification step is performed on-premises using AD FS.
  • The second step is a phone-based method carried out using cloud authentication.
  • Securing Microsoft Entra resources using Active Directory Federation Services
  • The first verification step is performed on-premises using AD FS.
  • The second step is performed on-premises by honoring the claim.
  • Caveats with app passwords for federated users:

    • App passwords are verified using cloud authentication, so they bypass federation. Federation is only actively used when setting up an app password.
    • On-premises Client Access Control settings are not honored by app passwords.
    • You lose on-premises authentication-logging capability for app passwords.
    • Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity.

    For information on setting up either Microsoft Entra multifactor authentication or the Azure Multi-Factor Authentication Server with AD FS, see the following articles: