If your organization has federated your on-premises Active Directory with Azure Active Directory using AD FS, there are two options for using Azure Multi-Factor Authentication.
- Secure cloud resources using Azure Multi-Factor Authentication or Active Directory Federation Services
- Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server
The following table summarizes the verification experience between securing resources with Azure Multi-Factor Authentication and AD FS
|Verification Experience - Browser-based Apps||Verification Experience - Non-Browser-based Apps|
|Securing Azure AD resources using Azure Multi-Factor Authentication|
|Securing Azure AD resources using Active Directory Federation Services|
Caveats with app passwords for federated users:
- App passwords are verified using cloud authentication, so they bypass federation. Federation is only actively used when setting up an app password.
- On-premises Client Access Control settings are not honored by app passwords.
- You lose on-premises authentication-logging capability for app passwords.
- Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity.
For information on setting up either Azure Multi-Factor Authentication or the Azure Multi-Factor Authentication Server with AD FS, see the following articles: