question

0 Votes
HKG-7714 asked, piaudonn commented

Using Azure MFA on on-premise ADFS application

We use ADFS 4 (Server 2016) for O365 and on-premise applications for SSO. We recently enabled MFA for Office 365 applications using Azure AD Conditional Access.

We would like to use the same Conditional Access rule for the on-premise apps (SAML relying party). Is this possible? If so, how can we do that?

Thanks.

Tags: azure-active-directory, adfs, azure-ad-conditional-access

0 Votes
HKG-7714 answered, piaudonn commented

To correct that, the application that is in ADFS is SaaS-based.

I need to trigger the MFA using Azure Conditional Access on that particular application. As far as I know, logins to those apps are not recognized by Azure CA.


You cannot use Azure Conditional Access to trigger MFA for an application which doesn't exist in Azure AD.
You can however trigger MFA using an ADFS Access Policy. And if you configure the Azure AD MFA provider in ADFS, you can trigger Azure AD MFA from ADFS. But the conditions for the triggers are only the ones available in the Access Policy (group membership, IP address, inside/outside the network, that's about it...).

0 Votes 0 ·

Do I even have to enable individual users' MFA on the Azure side? If not, how is Azure aware of the user's MFA status if neither per-user MFA configuration nor Conditional Access is used?

0 Votes 0 ·

Your app doesn't know Azure AD and Azure AD doesn't know your app. Here the interaction with Azure MFA is through the MFA provider in ADFS. It could have been any provider really, but assuming that your users are already registered for Azure AD MFA, then using the ADFS Azure AD MFA provider is the easiest road.
When a user tries to access your app and gets redirected to ADFS for auth (or uses the IdP-initiated sign-in directly on ADFS if you have enabled it and your app supports and/or wants it), then ADFS will authenticate the user. It could be SSO if you are connected internally on a domain-joined machine, or it could be a web form if you are coming from outside (or if you configure your authentication policy to request FBA). Then after a successful authentication, the Access Policies will be evaluated. If we are in a case you define as requiring MFA, the user will be prompted to do MFA in Azure AD (the user needs to be registered for Azure AD MFA already - that's it - the user doesn't need user-based MFA and doesn't need to be in the scope of any Conditional Access Policies - they are not in play here).
That's it.
You could go further than that in ADFS on a Windows Server 2019 as you could use Azure AD MFA as a first factor for auth (instead of username/password, in the case you don't already have SSO).

1 Vote 1 ·
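The flow described in this comment thread (Azure AD MFA registered as the ADFS additional authentication provider, then triggered per relying party by group membership or by the inside/outside-network condition) expressed in ADFS PowerShell. This is an added example, not code from any of the posters; the tenant id, relying party name and group SID are placeholders, and the Azure MFA client application id is Microsoft's fixed, documented value for that service principal.

```powershell
# Added example: register an ADFS 2016 farm with Azure AD MFA and require MFA for one
# on-premises SAML relying party using an additional authentication rule.
# Assumptions (not from the thread): the three values below are placeholders.
# Run in an elevated PowerShell session on the primary ADFS server; step 1 needs the MSOnline module.

$tenantId    = "<your-azure-ad-tenant-id>"                        # placeholder
$rpName      = "Contoso On-Prem SaaS App"                         # placeholder: RP display name in ADFS
$mfaGroupSid = "S-1-5-21-1111111111-2222222222-3333333333-1234"   # placeholder: AD group SID

# --- 1. Register the farm with Azure AD MFA (once per farm; documented ADFS 2016 procedure) ---
# Creates a certificate in the ADFS container and returns it base64-encoded.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $tenantId

# Attach that certificate to the "Azure Multi-Factor Auth Client" service principal in the tenant.
# 981f26a1-7f43-403b-a875-f8b09b8cd720 is Microsoft's fixed application id for that client.
Connect-MsolService
New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 `
    -Type asymmetric -Usage verify -Value $certBase64

# Tell ADFS which tenant/client to use and restart the service so the setting is picked up.
Set-AdfsAzureMfaTenant -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720 -TenantId $tenantId
Restart-Service adfssrv

# Make Azure MFA an available additional (second-factor) provider farm-wide.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider AzureMfaAuthentication

# --- 2. Require MFA for this relying party only, using the conditions ADFS can evaluate ---
# Two rules: MFA for members of the group, and MFA for anyone outside the corporate network
# (insidecorporatenetwork == false). Issuing the multipleauthn authentication-method claim
# is what makes ADFS invoke the additional provider.
$additionalAuthRules = @"
@RuleName = "Require MFA for members of the MFA group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$mfaGroupSid$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

@RuleName = "Require MFA from the extranet"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# In ADFS 2016 a relying party that is bound to an Access Control Policy cannot carry hand-written
# additional authentication rules, so detach the policy first, then apply the rules.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $additionalAuthRules

# --- 3. Verify what the farm will actually enforce ---
Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq "AzureMfaAuthentication" }
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

If the group-or-extranet condition is all you need, the built-in policies do the same job without claim-rule language: `Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName "Permit everyone and require MFA from extranet access"`. Either way the decision is made by ADFS from the claims it has at sign-in time, which is exactly why Azure AD Conditional Access never sees these logins and why the user only needs to be registered for Azure AD MFA, not targeted by a Conditional Access policy.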
0 Votes
piaudonn answered, piaudonn commented

You can do some access control on premises using Access Policies. But it would be much easier to move your ADFS Relying Party Trusts to Azure AD Enterprise Application.

Have a look here:
- Video: https://www.youtube.com/watch?v=OThlTA239lU
- For dev: https://docs.microsoft.com/en-us/samples/azure-samples/ms-identity-dotnet-adfs-to-aad/ms-identity-dotnet-adfs-to-aad/
- Using ADFS reports from AAD to help you: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-application-activity



Thanks for the quick reply.

We are not quite ready to move to AAD authentication yet. We can get MFA working with the on-premise application if MFA is enabled per user. However, we are using CA and would like to tie that to the on-premise applications. Is this possible? At the moment, we only use ADFS for SSO but not PTA and PHA.

0 Votes 0 ·

What type of control would you like to use on-premises? It's fairly limited.

0 Votes 0 ·