Active Directory Domain Controller services (on prem) + SSO + MFA

ARCHANA PILLAI 1 Reputation point
2022-08-08T12:37:05.477+00:00

Hi

We have a local environment on Windows Server 2012 R2 which has Active Directory Domain Services. I wanted to ask which of these services support MFA.
Does Active Directory Domain Services/controller support MFA/SSO? Or does any other existing service (without Azure AD) on prem support MFA, from the below image?


3 answers

  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2022-08-09T13:03:26.433+00:00

    Not sure if that's what you're looking for but...

    If you are looking at ways to use MFA to open a session on a Windows 10 or 11 machine using more than just a password, there are three supported methods:

    1. Smartcard (as suggested by @Philippe Levesque). The user uses a PIN and their smartcard to open a session. It will require you to deploy a PKI, and users will need the smartcard as well as a physical reader attached to their device. It's a bit legacy but that still works.
    2. Windows Hello for Business: the user uses biometrics and/or a PIN to open a session. Although there are ways to make it work independently of Azure AD, the recommended deployments will require the user to be synchronized in Azure AD and have an MFA method registered on the account.
    3. FIDO2: the user uses a FIDO key to open a session. Like Windows Hello for Business, it will require the user to be synchronized in Azure AD.

    Although it can be challenging to configure, you can set your account to log in only with those methods.

    You can also protect on-premises applications with Azure AD MFA. Again, assuming your identities are synced in Azure AD and have MFA. Using Azure AD Application Proxy, you can publish applications externally, but also just integrate them with Azure AD. Essentially your application becomes visible in Azure AD and you can trigger MFA based on Conditional Access Policies. That requires the users to use the correct URL to access the app though. And that's not MFA handled by the on-prem AD, it's MFA for the applications. So in that case AD doesn't know what's happening (unlike the 3 methods suggested above). But sometimes what you need is MFA when you access the data, so it might fit the bill.

    If you are looking at ways to do MFA for VPN (or anything using RADIUS) you can use the Azure AD MFA Adapter for NPS. But now the recommendation is to integrate the VPN clients/servers directly with Azure AD (check the guide here and look for your remote access product) to get the MFA and other security features (such as Conditional Access Policies).

    Then you have third-party products allowing you to integrate with Windows in different ways. I'll let the community chime in on those :)

    2 people found this answer helpful.
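    As an added example (not part of the answer above, and not Microsoft tooling), the on-prem AD DS side of "log in only with those methods" for the smartcard case is the SmartcardLogonRequired flag on the account. The script below audits the members of a privileged group for that flag and can optionally enforce it. It assumes the RSAT ActiveDirectory module in a domain-joined admin session; the group name and the -Enforce switch are choices made for this example.

```powershell
# Added example: audit (and optionally enforce) smartcard-only logon for the
# members of a privileged AD group on on-prem AD DS. Assumes the RSAT
# ActiveDirectory module; $GroupName and -Enforce are parameters chosen here.
[CmdletBinding()]
param(
    [string]$GroupName = 'Domain Admins',   # assumption: group being audited
    [switch]$Enforce                        # set the flag on accounts that lack it
)

Import-Module ActiveDirectory -ErrorAction Stop

# userAccountControl bit ADS_UF_SMARTCARD_REQUIRED (0x40000). AD also exposes it
# as the SmartcardLogonRequired property, which is what Set-ADUser toggles.
$SmartcardRequiredBit = 0x40000

# Resolve nested membership and keep only user objects.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties userAccountControl, SmartcardLogonRequired
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        SmartcardRequired = ($u.userAccountControl -band $SmartcardRequiredBit) -ne 0
    }
}

$report | Sort-Object SmartcardRequired, SamAccountName | Format-Table -AutoSize

# Enabled accounts that can still sign in with a password alone.
$gaps = @($report | Where-Object { $_.Enabled -and -not $_.SmartcardRequired })
$enabledCount = @($report | Where-Object { $_.Enabled }).Count
Write-Host ("{0} of {1} enabled members of '{2}' do not require a smartcard." -f
    $gaps.Count, $enabledCount, $GroupName)

if ($Enforce -and $gaps.Count -gt 0) {
    foreach ($g in $gaps) {
        # Setting the flag also makes the DC randomize the account's NT hash,
        # so the existing password stops working for that account immediately.
        Set-ADUser -Identity $g.SamAccountName -SmartcardLogonRequired $true
        Write-Host "Smartcard logon now required for $($g.SamAccountName)"
    }
}
```

    Run it without -Enforce first: the flag change is immediate, and any service or scheduled task still using that account's password will break when the hash is randomized.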

  2. Philippe Levesque 5,796 Reputation points
    2022-08-08T13:22:07.447+00:00

    Hi

    Out of the box, only Azure AD supports configuring MFA. On prem you can add a layer of security by adding smartcard authentication, but you can't use MFA out of the box. Some external services exist to offer MFA for your on-prem AD, but you must register with a service like Duo, or any other. (I'm not affiliated with that service, but I mention it because it's a well-known one.)


  3. ARCHANA PILLAI 1 Reputation point
    2022-09-26T11:21:30.967+00:00

    Hi Team


    Our requirement is an internal VM where the application may or may not have internet, but can talk to the internal AD, and the AD system might have internet.
    So we want to push SSO/MFA to an identity provider that might be on the on-prem AD DS system, or maybe on the same system, and that will handle SSO with MFA.

    I see Application Proxy will require our system to connect to the cloud directly, but is it possible that our on-prem application can connect to SSO/MFA through our internal AD, which may or may not talk to Azure AD?
