7,023 questions
Azure MFA doesn't support MFA for local logon on devices. You should rather focus on hardening your environment and implementing secure administrative hosts for example
MFA for onprem domain controllers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 15%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
Janus Bariñan
1,126
Reputation points
Is it possible to have MFA integrated to onpremise AD?
Like when they login using the domain admin account they will go through MFA.
Windows for business Windows Client for IT Pros Directory services Active Directory
Accepted answer
-
Johan Heyneke 81 Reputation points Microsoft Employee2021-02-10T07:36:02.82+00:00
5 additional answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 21%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
Daniele Bona 6 Reputation points2021-10-02T08:08:33.063+00:00 Guys,
I think today a solution is technically possible using FIDO2 keys and the old domain "SCRIL" feature.
Also Remote Credential Guard and Protected Users are components required.Here all the details :
Please test yourself reporting feedbacks :) (I only tested in my lab , never in production so a running test might be appreciated ..)
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2021-02-10T08:39:02.127+00:00 Hi,
As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments.
New customers that want to require multi-factor authentication (MFA) during sign-in events should use cloud-based Azure AD Multi-Factor Authentication.
For more information , you can refer to the following link:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-rdg
https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfaBest Regards,
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
Jason Todd 1 Reputation point2023-01-13T20:54:28.9533333+00:00 Use a third-party choice to enable this locally.
Sign in to comment -
-
Janus Bariñan 1,126 Reputation points
2021-02-13T14:59:16.627+00:00 Thanks for your answers guys. I'm sorry If I can mark only one as Answer.
By the way, to help others who are also needing this, we are going to test Okta's service to apply MFA for on-prem DCs.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 53%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Sarfraz Aslam 166 Reputation points2022-03-28T12:51:38.357+00:00 Hi Janus,
I have the same requirement. Just want to know about the feedback of Okta's service. Have you successfully protected your domain admins and other privileged account at On premises active directory?
Regards,
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 70%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Chris Bunn 0 Reputation points2023-01-25T16:33:17.7333333+00:00 Hi. You can enable granular MFA on any/all on-premise AD users with a third party solution UserLock.
More information here: [https://www.isdecisions.com/products/userlock/multi-factor-authentication-mfa-active-directory.htm