HKG-7714 asked:

MFA license on ADFS applications

I have been trying to clarify the MFA license requirement for applications (both SaaS and on-premises) federated in ADFS. We use Azure MFA in our ADFS farm. Based on the link below, MFA for on-premises applications does require either a P1 or a P2 license. MFA works fine in ADFS even if we didn't assign a P1 license to the user for those applications. So my question is whether P1 is needed but Azure just doesn't check it, or whether it is not a requirement unless users authenticate through Application Proxy in Azure AD.

Thank you.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing


1 Answer

amanpreetsingh-msft answered:

Hi @HKG-7714, thank you for reaching out.

Yes, MFA for on-premises applications does require either a P1 or a P2 license, but this requirement is not hard-enforced. This means that when a P1/P2 license is assigned to even a single user account in a given tenant, the P1/P2 capabilities are unlocked for that tenant and all users in that tenant can use P1/P2 features. However, to stay compliant, all users who use features that require a P1/P2 license must be assigned these licenses.

So, MFA for a user without either a P1 or a P2 license can be enabled, but in that case you will be non-compliant.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


HKG-7714 commented:

Thanks for the clarification. Do you know if there is any reference as to how Azure defines an on-premises application? Although our federated app is a cloud-based app from a service provider, it is probably still considered on-premises.


amanpreetsingh-msft commented:

Hi @HKG-7714, in this case you can use Security Defaults for MFA and you won't need any P1/P2 license. However, if you already have a Conditional Access policy or an Identity Protection policy configured in your tenant, you will not be able to use Security Defaults, and you will require licenses for all users who perform MFA.

If MFA is being triggered from the service provider's end, they need to have the required number of licenses.

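A practical check for the gap the answer and the last comment describe, added here as an example and not part of the original thread: since Azure AD does not hard-enforce the P1/P2 requirement, the only way to know whether you are compliant is to audit it yourself. This script uses the Microsoft Graph PowerShell SDK to list users who have registered for MFA but hold no Azure AD Premium service plan, and to report whether Security Defaults are on and how many Conditional Access policies exist (the two cannot coexist, so a tenant with any CA policy needs licenses for every MFA user). Assumptions, none of which come from the thread: the Microsoft.Graph modules are installed, the caller can consent to the listed Graph scopes, and the service plan names AAD_PREMIUM and AAD_PREMIUM_P2 are what mark P1/P2 entitlement whether bought stand-alone or inside a bundle such as EMS or Microsoft 365 E5.

```powershell
# Added example, not from the original thread.
# Assumption: Microsoft.Graph PowerShell SDK is installed and the account can consent to these scopes.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Policy.Read.All'

# Assumption: these service plan names identify Azure AD Premium P1 / P2 entitlement,
# regardless of whether the plan came stand-alone or inside a bundle (EMS, M365 E5, ...).
$premiumPlans = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')

function Get-MfaUsersWithoutPremium {
    # Users who have registered at least one MFA method, from the registration report.
    $registered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { $_.IsMfaRegistered }

    foreach ($u in $registered) {
        # Collect the successfully provisioned service plans across all of the user's licenses.
        $plans = Get-MgUserLicenseDetail -UserId $u.Id |
            ForEach-Object { $_.ServicePlans } |
            Where-Object { $_.ProvisioningStatus -eq 'Success' } |
            Select-Object -ExpandProperty ServicePlanName

        $hasPremium = @($plans | Where-Object { $premiumPlans -contains $_ }).Count -gt 0
        if (-not $hasPremium) {
            # This user performs MFA but carries no P1/P2 plan: the non-compliant case from the answer.
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                MfaRegistered     = $u.IsMfaRegistered
                PremiumPlan       = 'none'
            }
        }
    }
}

function Get-MfaLicensingPosture {
    # Security Defaults give license-free MFA but cannot be enabled alongside Conditional Access policies.
    $defaults   = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
    [pscustomobject]@{
        SecurityDefaultsEnabled   = $defaults.IsEnabled
        ConditionalAccessPolicies = $caPolicies.Count
        CanUseSecurityDefaults    = ($caPolicies.Count -eq 0)
    }
}

Get-MfaLicensingPosture | Format-List
Get-MfaUsersWithoutPremium | Format-Table -AutoSize
```

The script keys off MFA registration state rather than actual MFA prompts, because the ADFS-side prompts the question describes are not what the tenant-side report records; substitute your ADFS audit data if you have a better "uses MFA" signal. It also does not inspect Identity Protection policies, which the comment lists as another blocker for Security Defaults, so check those separately in the portal.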