3rd party MFA provider

skip hofmann 46 Reputation points
2020-04-09T19:18:10.213+00:00

We are currently evaluating using DUO as an MFA provider in Azure along with staged rollout for password hash sync. Everything appears to be working correctly. However, I recently discovered there are some limitations with using 3rd party MFA providers in Azure. I need help understanding exactly what the below limitations mean.

They work only after a password has been entered
They don’t serve as MFA for step-up authentication in other key scenarios
They don’t integrate with end user or administrative credential management functions

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-co...


2 answers

  1. Marilee Turscak-MSFT 34,046 Reputation points Microsoft Employee
    2020-04-10T20:31:48.553+00:00

    Hi @skip hofmann ,

    "They work only after a password has been entered" - I believe this just means that they won't be able to use a passwordless experience where MFA is presented before entering a password.

    "They don’t serve as MFA for step-up authentication in other key scenarios" - Step-up authentication ensures that users can access some resources with one set of credentials but will prompt them for more credentials when they request access to sensitive resources. For example, a user logs onto a site with a user name and password, and if they then try to access a part of the site which requires a higher level of verification, we can trigger MFA via code. We don't want the user to have to enter username and password again but just respond to the MFA request. Once the client has responded to the MFA request, they can access that side of the website.

    "They don’t integrate with end user or administrative credential management functions" - for example, an application providing user credentials directly to Azure AD.

    This is how I read it, at least. I'm going to try to loop in the author of that article though to see if he can comment and provide further clarity.
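
The step-up flow described in the answer above, as an added example that is not part of the original thread and is not Azure AD or Duo code: a server-side session records which factors were proven, and a sensitive resource triggers only an MFA challenge instead of a second password prompt. The names `Session`, `authorize` and `complete_mfa`, the 300-second freshness window and the `verify` callback are assumptions made for illustration.

```python
MFA_MAX_AGE = 300  # assumed policy: seconds an MFA proof stays fresh


class Session:
    """Server-side session recording which factors were proven, and when."""

    def __init__(self, user):
        self.user = user
        self.factors = {}  # factor name -> time it was verified

    def record(self, factor, now):
        self.factors[factor] = now


def authorize(session, sensitive, now):
    """Return the next action: 'login', 'mfa_challenge' or 'allow'."""
    if session is None or "pwd" not in session.factors:
        return "login"  # no primary authentication yet
    if not sensitive:
        return "allow"  # password alone covers ordinary pages
    proved = session.factors.get("mfa")
    if proved is None or now - proved > MFA_MAX_AGE:
        return "mfa_challenge"  # step up: ask only for the second factor
    return "allow"


def complete_mfa(session, response, verify, now):
    """Record the second factor only if the verifier accepts the response."""
    if verify(session.user, response):
        session.record("mfa", now)
        return True
    return False


def demo():
    """Walk one constructed session through the flow; returns each decision."""
    t0 = 1_000_000  # constructed clock value
    verify = lambda user, resp: resp == "approved"  # stand-in for an MFA provider
    s = Session("alice")
    s.record("pwd", t0)  # user signed in with a password
    steps = [authorize(s, False, t0), authorize(s, True, t0 + 10)]
    complete_mfa(s, "denied", verify, t0 + 20)  # rejected prompt changes nothing
    steps.append(authorize(s, True, t0 + 20))
    complete_mfa(s, "approved", verify, t0 + 30)
    steps.append(authorize(s, True, t0 + 40))
    steps.append(authorize(s, True, t0 + 30 + MFA_MAX_AGE + 1))  # proof expired
    return steps


if __name__ == "__main__":
    print(demo())
```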


  2. Appsian 1 Reputation point
    2020-09-11T17:17:03.043+00:00

    The information you’ve shared in this blog is most useful. Thanks for sharing such quality information.
