| Field | Value |
|:--- |:--- |
| title | Two-step verification and AD FS - Azure MFA \| Microsoft Docs |
| description | This is the Azure Multi-Factor authentication page that describes how to get started with Azure MFA and AD FS. |
| services | multi-factor-authentication |
| documentationcenter | |
| author | kgremban |
| manager | femila |
| editor | yossib |
| ms.assetid | 44fbba68-6cf9-46c1-a9df-736580b68ae3 |
| ms.service | multi-factor-authentication |
| ms.workload | identity |
| ms.tgt_pltfrm | na |
| ms.devlang | na |
| ms.topic | get-started-article |
| ms.date | 08/25/2017 |
| ms.author | kgremban |

Getting started with Azure Multi-Factor Authentication and Active Directory Federation Services

![Cloud](./media/multi-factor-authentication-get-started-adfs/adfs.png)

If your organization has federated your on-premises Active Directory with Azure Active Directory using AD FS, there are two options for using Azure Multi-Factor Authentication.

  • Secure cloud resources using Azure Multi-Factor Authentication or Active Directory Federation Services
  • Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server

The following table summarizes the verification experience for securing resources with Azure Multi-Factor Authentication and with AD FS.

| | Verification Experience - Browser-based Apps | Verification Experience - Non-Browser-based Apps |
|:--- |:--- |:--- |
| Securing Azure AD resources using Azure Multi-Factor Authentication | The first verification step is performed on-premises using AD FS. The second step is a phone-based method carried out using cloud authentication. | |
| Securing Azure AD resources using Active Directory Federation Services | The first verification step is performed on-premises using AD FS. The second step is performed on-premises by honoring the claim. | |

Caveats with app passwords for federated users:

  • App passwords are verified using cloud authentication, so they bypass federation. Federation is only actively used when setting up an app password.
  • On-premises Client Access Control settings are not honored by app passwords.
  • You lose on-premises authentication-logging capability for app passwords.
  • Disabling or deleting an account may take up to three hours to propagate through directory sync, which delays disabling or deleting app passwords in the cloud identity.

For information on setting up either Azure Multi-Factor Authentication or the Azure Multi-Factor Authentication Server with AD FS, see the following articles: