Edit

Getting started with Azure AD Multi-Factor Authentication and Active Directory Federation Services

  • Article
  • 2 minutes to read

Azure AD MFA and ADFS getting started

If your organization has federated your on-premises Active Directory with Azure Active Directory using AD FS, there are two options for using Azure AD Multi-Factor Authentication.

  • Secure cloud resources using Azure AD Multi-Factor Authentication or Active Directory Federation Services
  • Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server

The following table summarizes the verification experience between securing resources with Azure AD Multi-Factor Authentication and AD FS

Verification Experience - Browser-based Apps Verification Experience - Non-Browser-based Apps
Securing Azure AD resources using Azure AD Multi-Factor Authentication
  • The first verification step is performed on-premises using AD FS.
  • The second step is a phone-based method carried out using cloud authentication.
    		•
    Securing Azure AD resources using Active Directory Federation Services
  • The first verification step is performed on-premises using AD FS.
  • The second step is performed on-premises by honoring the claim.
    		•

    Caveats with app passwords for federated users:

    • App passwords are verified using cloud authentication, so they bypass federation. Federation is only actively used when setting up an app password.
    • On-premises Client Access Control settings are not honored by app passwords.
    • You lose on-premises authentication-logging capability for app passwords.
    • Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity.

    For information on setting up either Azure AD Multi-Factor Authentication or the Azure Multi-Factor Authentication Server with AD FS, see the following articles: