0 Votes
JanusBarinan-8508 asked DanieleBona-0035 answered

MFA for on-prem domain controllers

Is it possible to have MFA integrated with on-premises AD?
Like when they log in using the domain admin account, they will go through MFA.

windows-active-directory

0 Votes
heyneke answered

0 Votes
FanFan-MSFT answered

Hi,
As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments.
New customers that want to require multi-factor authentication (MFA) during sign-in events should use cloud-based Azure AD Multi-Factor Authentication.
For more information, you can refer to the following links:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-rdg
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

Best Regards,


0 Votes
JanusBarinan-8508 answered

Thanks for your answers, guys. I'm sorry that I can mark only one as the answer.

By the way, to help others who are also needing this, we are going to test Okta's service to apply MFA for on-prem DCs.


0 Votes
DanieleBona-0035 answered

Guys,

I think today a solution is technically possible using FIDO2 keys and the old domain "SCRIL" feature.
Remote Credential Guard and Protected Users are also required components.

Here are all the details:

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/removing-onprem-domain-admins-passwords-with-azure-passwordless/m-p/2803878

Please test it yourself and report feedback :) (I only tested it in my lab, never in production, so a real-world test would be appreciated.)
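As an added illustration of the account-side pieces named in this answer (not code from the thread or from the linked article), the following PowerShell applies SCRIL and Protected Users membership to every user in Domain Admins and opens a target host for Remote Credential Guard. It assumes the ActiveDirectory RSAT module, rights to modify those accounts, and a hypothetical break-glass account named 'emergency-admin' that is deliberately skipped.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Set-AdminScrilAndProtectedUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$AdminGroup = 'Domain Admins',
        # Hypothetical break-glass account that must keep a usable password.
        [string[]]$Exclude = @('emergency-admin')
    )

    $members = Get-ADGroupMember -Identity $AdminGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $Exclude }

    foreach ($m in $members) {
        $user = Get-ADUser -Identity $m.DistinguishedName -Properties SmartcardLogonRequired, MemberOf

        if (-not $user.SmartcardLogonRequired -and
            $PSCmdlet.ShouldProcess($user.SamAccountName, 'Enable SCRIL (smart card required for interactive logon)')) {
            # SCRIL: password sign-in is disabled and AD replaces the password with a
            # random value nobody knows, so the FIDO2 key (or smart card) is the only way in.
            Set-ADUser -Identity $user -SmartcardLogonRequired $true
        }

        $inProtected = [bool](@($user.MemberOf) -match '^CN=Protected Users,')
        if (-not $inProtected -and
            $PSCmdlet.ShouldProcess($user.SamAccountName, 'Add to Protected Users')) {
            # Protected Users: no NTLM, no DES/RC4 Kerberos, no delegation, no cached credentials.
            Add-ADGroupMember -Identity 'Protected Users' -Members $user
        }
    }
}

# Run on each server or jump host the admins RDP into. With Remote Credential Guard the
# admin's Kerberos TGT stays on the client and is never exposed to the remote machine.
function Enable-RemoteCredentialGuardTarget {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($PSCmdlet.ShouldProcess($key, 'Set DisableRestrictedAdmin = 0')) {
        Set-ItemProperty -Path $key -Name DisableRestrictedAdmin -Value 0 -Type DWord
    }
}

# Dry run first; drop -WhatIf to apply. Clients then connect with: mstsc.exe /remoteGuard /v:<host>
Set-AdminScrilAndProtectedUsers -WhatIf
```

Keep the excluded break-glass account out of both changes and store its password offline, because once SCRIL and Protected Users are applied, a DC that cannot reach the FIDO2/Kerberos path has no other way to let an admin in.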
