On-prem AD sign-in using Azure MFA
-
Good morning... well, it is where I am.
I hope you're all well.
I have a question, is it possible to force Azure MFA for particular on-prem domain accounts? Authentication, i.e. user name and password should still be handled by on-prem DCs. So, on-prem admin accounts must use MFA, standard users do not need MFA.
For the purpose of this, let's imagine that no on-prem/Azure AD integration has yet been done, but the above is the desired outcome.
Cheers,
Neil.
-
All is well here also!
Yes, it is possible to require MFA and still authenticate using on-premises domain controllers.
You can use pass-through authentication to ensure authentication is handled by on-premises domain controllers.
You can combine pass-through authentication with Azure Multi-Factor Authentication and Conditional Access policies to require certain accounts to use MFA.
Here are some links for more information:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#cloud-authentication
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#cloud-authentication-pass-through-authentication
Let me know if you have more questions.
-
@Mike-Rodrick Hi Mike,
Thanks for your response.
I'm not entirely sure if the question is answered. I'm wondering if a user logs in, on a domain-joined device, whilst in the office; that is, using AD credentials and not signing in with cloud credentials, so the authentication is handled entirely on-prem, is it still possible to use Azure MFA?
Thanks,
Neil.
-
Sorry for the misunderstanding.
If I understand correctly, this is what you are trying to do:
https://social.technet.microsoft.com/wiki/contents/articles/29061.azure-multi-factor-authentication-on-premise.aspx
Your scenario was possible using Azure Multi-Factor Authentication Server, which you could download from Microsoft and run on-premises. Unfortunately, it was retired as of July 1, 2019. Microsoft is still supporting existing installations, but not supporting new installations.
-
Thanks for your help, Mike.
I'd noticed the MFA server had been retired, that would have been nice to try.
I was looking to retire an on-prem MFA solution from a third-party, but we're not quite ready for a migration of users to the cloud.
Cheers,
Neil.
-
Glad to help.
You might consider a hybrid scenario. With an Azure subscription, you could sync your on-premises accounts with Azure AD. Everything would still be managed with local AD (Group Policy, security groups, password policy, etc.), but you could begin to use Conditional Access policies to enforce MFA.
When the time comes, if you have questions, let me know!
Cheers!
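Both of Mike's answers come down to the same building block: once the on-prem accounts are synced to Azure AD, a Conditional Access policy scoped to a group of admin accounts is what makes MFA mandatory for them and not for standard users. The script below is an added example, not code from this thread or from Microsoft's documentation, showing that policy created with the Microsoft Graph PowerShell SDK. The group name "Tier0-Admins" and the break-glass account UPN are assumptions for illustration; as the thread notes, the policy only governs sign-ins that Azure AD itself evaluates (cloud apps via PTA or the hybrid setup), not an interactive logon handled entirely by an on-prem DC.

```powershell
# Added example: require Azure MFA for a synced group of on-prem admin accounts
# via a Conditional Access policy. Requires the Microsoft.Graph PowerShell SDK.
# Group name and break-glass UPN below are placeholders (assumptions), not from the thread.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "User.Read.All"

# The admin group is an on-prem security group synced by Azure AD Connect (assumed name).
$adminGroup = Get-MgGroup -Filter "displayName eq 'Tier0-Admins'"
if (-not $adminGroup) { throw "Admin group not found; check the sync scope in Azure AD Connect." }

# Always exclude at least one emergency-access account so a broken MFA
# registration or a Conditional Access misconfiguration cannot lock out all admins.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw "Break-glass account not found; create it before enabling the policy." }

$policy = @{
    displayName = "Require MFA - synced on-prem admin accounts"
    # Start in report-only mode: sign-in logs show what *would* be blocked
    # without enforcing anything, then switch to "enabled" once validated.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($adminGroup.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @("All")   # every cloud app Azure AD authenticates
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")           # grant access only after MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy landed with the expected scope and state before moving to "enabled".
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'IncludeGroups'; e = { $_.Conditions.Users.IncludeGroups -join ',' } },
        @{ n = 'ExcludeUsers';  e = { $_.Conditions.Users.ExcludeUsers  -join ',' } }
```

Standard users fall outside the policy simply because they are not members of the included group, which matches the "admins must use MFA, standard users do not" split asked for at the top of the thread. Report-only mode first, plus the excluded break-glass account, is the usual safeguard against enforcing MFA on accounts that have not yet registered a method.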