SSO to Azure MFA Server

VickVega 96 Reputation points

The question is about the ON-PREM MFA server and Single Sign-On.

We have a bit of an odd setup.
On one of our MFA servers, users are created manually and the server is not configured with an identity source to validate the users. This means that users are not able to log in to the User Portal.
The call for the second factor for the user in question occurs when a user tries to launch an application from a web portal. Once a link is clicked, the web server initiates a call to Web Services API and invokes the second factor for the user, while the user sees the corresponding prompt (OATH) to enter a challenge.

It has been requested that users switch from OATH token to Auth App.

The ideal solution - allow users to log in to the User Portal and follow the communicated steps to enable and configure Auth App on their phone.

Alternatively, the entire service desk team would go through the logistics nightmare of communicating the QR code to the end-users.

Is there any way to configure SSO login for the users?
Is it possible to utilize the configured 2FA as the first authentication method, since password login cannot be used (there is no password)?

Any other possible approach to resolve the issue?

Thank you.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. James Hamil 23,061 Reputation points Microsoft Employee

    Hi @VickVega , so sorry for the delay in response. We were waiting for a response from the product team. Here is what I have received from our MFA SME:

    "The user portal requires some type of primary authentication. This can be to AD (which, if the server is not joined, would be the local users on the server), an LDAP server, or a RADIUS server. We need some way to authenticate the user to verify they are who they say they are in order to set up MFA. In addition, without a password it would not be MFA, as the password (something you know) is the first factor.

    It's possible you could use the WebServicesSDK for this, but the phone activation is the big issue there as it takes them coding the QR creation and all of that from the data provided and would definitely need developers to do so and it’s unlikely they would be able to implement this and only the PG would be able to help them get this implemented."

    I'm sorry that there isn't a simpler answer for this. Unfortunately the best approach seems to be changing your initial setup. I can answer any questions you have though.

    If this answer helped you, please mark it as "Verified" so other users may reference it.

    Thank you,

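An added example, not from this thread and not Microsoft's MFA Server or Web Services SDK code, that illustrates the two points in the answer in generic OATH terms: enrolment of a second factor is gated behind a primary authentication, and the QR code an authenticator app scans is simply a provisioning URI built from the user's secret. It uses the standard `otpauth://` key URI format and RFC 6238 TOTP with HMAC-SHA1, which is what an OATH token implements; the MFA Server's own Authenticator activation format is not documented on this page and is not reproduced here. The in-memory user table, the `PrimaryAuthError` class and the `ExampleCorp` issuer are assumptions made for this example.

```python
"""Generic OATH TOTP enrolment and verification (RFC 6238), standalone example.
Not the Azure MFA Server SDK; the user table and issuer name are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional
from urllib.parse import quote, urlencode

# Constructed sample identity source: username -> sha256 of password (demo only).
# Stands in for the AD / LDAP / RADIUS source the answer says the portal needs.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
# Enrolled OATH secrets: username -> base32 secret (assumed in-memory store).
ENROLLED_SECRETS: Dict[str, str] = {}


class PrimaryAuthError(Exception):
    """Raised when the first factor (something you know) is missing or wrong."""


def primary_auth(username: str, password: str) -> bool:
    """First factor. compare_digest avoids leaking the mismatch position via timing."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(username, ""), digest)


def enroll_totp(username: str, password: str, issuer: str = "ExampleCorp",
                secret: Optional[str] = None) -> str:
    """Gate enrolment on primary auth, then return the otpauth:// provisioning URI
    that would be encoded into the QR code (issuer:account label, base32 secret,
    SHA1, 6 digits, 30 s period). `secret` may be supplied for deterministic tests."""
    if not primary_auth(username, password):
        raise PrimaryAuthError("second factor can only be enrolled after a first factor")
    if secret is None:
        secret = base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")
    ENROLLED_SECRETS[username] = secret
    label = quote(f"{issuer}:{username}")          # ':' becomes %3A
    params = urlencode({"secret": secret, "issuer": issuer,
                        "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{params}"


def totp(secret_b32: str, for_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 8-byte big-endian time counter, then the
    RFC 4226 dynamic truncation to `digits` decimal digits."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32 + pad, casefold=True)
    counter = struct.pack(">Q", for_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_second_factor(username: str, code: str, now: Optional[int] = None,
                         skew: int = 1, period: int = 30) -> bool:
    """Check a submitted code against the enrolled secret, allowing +/- `skew`
    periods of clock drift. Unknown users fail closed."""
    secret = ENROLLED_SECRETS.get(username)
    if secret is None:
        return False
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(secret, now + d * period, period), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    uri = enroll_totp("alice", "correct horse")
    print("QR payload:", uri)
    print("current code:", totp(ENROLLED_SECRETS["alice"], int(time.time())))
```

The enrolment step is the part the answer says the portal cannot skip: `enroll_totp` refuses to mint a secret unless `primary_auth` succeeds, which is exactly why an MFA-only login to the portal would not be a second factor at all. The `totp` function is checked against the published RFC 6238 SHA1 test vectors.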