Getting started with Azure Multi-Factor Authentication and Active Directory Federation Services

Cloud

If your organization has federated your on-premises Active Directory with Azure Active Directory using AD FS, there are two options for using Azure Multi-Factor Authentication.

  • Secure cloud resources using Azure Multi-Factor Authentication or Active Directory Federation Services
  • Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server

The following table summarizes the verification experience between securing resources with Azure Multi-Factor Authentication and AD FS

Verification Experience - Browse-based Apps Verification Experience - Non-Browser-based Apps
Securing Azure AD resources using Azure Multi-Factor Authentication
  • The first verification step is performed on-premises using AD FS.
  • The second step is a phone-based method carried out using cloud authentication.
  • Securing Azure AD resources using Active Directory Federation Services
  • The first verification step is performed on-premises using AD FS.
  • The second step is performed on-premises by honoring the claim.
  • Caveats with app passwords for federated users:

    • App passwords are verified using cloud authentication, so they bypass federation. Federation is only actively used when setting up an app password.
    • On-premises Client Access Control settings are not honored by app passwords.
    • You lose on-premises authentication-logging capability for app passwords.
    • Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity.

    Next steps

    For information on setting up either Azure Multi-Factor Authentication or the Azure Multi-Factor Authentication Server with AD FS see the following articles: