MFA with web app. We use AZURE Active Domain

Reed, Davie 1 Reputation point
2020-11-25T08:30:02.547+00:00

We use IIS on Windows Server 2016. My web app works nicely.

We also use the MFA/2FA feature of the AZURE Active Domain system. Essentially, when a remote user tries to get into our servers via Remote Desktop, it will CALL the user's phone and they have to press "#" to continue. AZURE is making the call. Somehow it's integrated with our on-prem domain controller and our RADIUS server.

I would LIKE to have my web app use the MFA capabilities of AZURE to call the user and validate them, just like the Remote Desktop connection does. So the server-side code of my web app would somehow make a function call to some magic API that does all the work and returns true or false. BTW: I do NOT know any phone numbers of the users. I would like AZURE to do all the magic.

Thanks

DAvie

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,798 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,339 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Thierry Eppner 1 Reputation point
    2020-11-25T14:30:51.377+00:00

    Hello,

    This documentation will help you doing what you want :
    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

    Regards,
    Thierry

    0 comments No comments

  2. Reed, Davie 1 Reputation point
    2020-12-03T22:47:16.213+00:00

    Thanks Thierry;

    I was expecting a bunch of APIs that I would have to program to get the MFA to work.

    This is entirely different. It looks like it's a "generic" authenticater for "ANY" web site we may have. AND NO ADDITIONAL WEB PROGRAMMING.

    IE: It's a traffic cop that STOPS traffic to our web site and instead will prompt the user for their domain network login creds and then the cop will tell AZURE to authenticate (maybe with a phone call). Once verified, the cop will let the traffic flow and the user can then access our web site.

    Is that correct?

    Thanks

    DAvie