question

AnwarMahmood-0381 asked ·

Azure AD Application Proxy - multiple apps, multiple MFA?

Azure AD Application Proxy is intended for remote access to on-premises applications.

It isn't recommended for on-premises access.

However, if I did use it for on-premises access, and required MFA, would I need to MFA every app, every time?

Imagine...

  • HR app
  • Accounts app
  • Marketing app

On-premises computers are hybrid Azure AD joined.

On on-premises "blue" computers, I want SSO to these apps.
On on-premises "red" computers, I want SSO but also MFA on these apps. For the sake of discussion, "red" computers are somehow less secure, and/or "red" computer users use more sensitive parts of the app. Hence, they must MFA to the app.

People on the "red" computers may need HR, Accounts and Marketing apps. They may dip in and out of these apps several times a day.

If people on the "red" computers have to perform MFA for HR, Accounts and Marketing every time they open them in the browser, there would be severe pushback.

Can it do it "once", and have it "persist" for a reasonable time (say, a working day)?

azure-active-directory

1 Answer

amanpreetsingh-msft answered ·

@AnwarMahmood-0381 If all the Red and Blue computers are Hybrid Azure AD joined, they will have a PRT (Primary Refresh Token). Once a user performs MFA on a Hybrid Azure AD joined machine, the MFA claim is stored in the PRT and the user would not be prompted for MFA again for as long as the PRT is valid.

A PRT is invalidated in case of an invalid user, invalid device, password change, or TPM issues. For more information, please refer to "How is a PRT invalidated?"




Please "Accept as answer" wherever the information provided helps you to help others in the community.
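
Added example, not part of the original answer: a PowerShell check of whether a machine is hybrid joined and whether the signed-in user currently holds a PRT, by parsing the output of `dsregcmd /status`. The function name `Get-PrtState` and the sample lines are made up for illustration; the field names are the ones `dsregcmd /status` prints.

```powershell
# Added example: parse `dsregcmd /status` and report join and PRT state.
# Run it in the session of the signed-in user, because the PRT is issued per user.
# It reports whether a PRT exists and its timestamps, not the claims inside it.
function Get-PrtState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running the command.
        [string[]]$StatusLines = (dsregcmd.exe /status)
    )

    # Collect "Name : Value" pairs into a lookup table.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # Timestamps look like "2024-01-01 08:00:00.000 UTC"; parse them as UTC.
    $expiry = $null
    if ($fields['AzureAdPrtExpiryTime'] -match '^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)') {
        $expiry = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
    }

    [pscustomobject]@{
        HybridJoined = ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES')
        HasPrt       = ($fields['AzureAdPrt'] -eq 'YES')
        PrtUpdated   = $fields['AzureAdPrtUpdateTime']
        PrtExpiryUtc = $expiry
        PrtExpired   = ($null -ne $expiry -and $expiry -lt [datetime]::UtcNow)
    }
}

# Constructed sample output (not from a real device), so the function can be tried offline.
$sample = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : YES',
    '                AzureAdPrt : YES',
    '      AzureAdPrtUpdateTime : 2024-01-01 08:00:00.000 UTC',
    '      AzureAdPrtExpiryTime : 2024-01-15 08:00:00.000 UTC'
)
Get-PrtState -StatusLines $sample
```

Calling `Get-PrtState` with no arguments on a "red" or "blue" computer runs `dsregcmd /status` for the current user and returns the same object.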
