Adding non-listed 3rd Party MFA via Azure AD Custom Controls
How do you get an MFA Server on the list, as at present it seems to be restricted to RSA, Duo and Trusona? Or when will you open up support for the general MFA providers, and/or provide the information that will allow another vendor to integrate in the same fashion?
We have a very large customer we are working on with their whole of Staff UAM 2FA upgrade. They are looking at both on-premise and cloud options, but require the 2FA to be on-premise. Azure's approach with ADFS will be restrictive as compared to AWS and GCP's approach, especially as the incumbent 2FA solution supports standards and pseudo standards (OIDC, OAuth 2.0, RADIUS, LDAP and APIs).
Beheer_Edwin van de Breevaart commented
We are looking for a way to connect to our third party MFA provider.
As I understand, Custom Controls does not onboard any new providers, unfortunately.
In March Microsoft mentioned that it was working on a solution.
We would like to know if there is a timeline/ETA for this replacement product since we are really waiting for this.
MFA with the Microsoft Authenticator does not cut it for us, because there is no visual verification needed to enable this type of MFA.
As far as I know, we are not alone in this.
Emanuel Galea commented
We need this feature in our IAM product as our customer wants to move to Azure.
Why does Azure need a special API to support 3rd party MFA?
What about Azure just redirecting the authentication to an OpenID provider?
Kalyan Krishna commented
We evaluate and qualify a curated list of providers who can develop custom controls for Azure AD. You can email "Custom authentication factors onboarding <email@example.com>" to add your organization to the waiting list.
Currently we have this capability in preview mode and we have a lot of great feedback from customers on improvements to be made here. Hence the preview is currently closed to new partners.
However, we are actively working on a plan to incorporate feedback and also create a scalable process to onboard more partners.
Is there any update on this feature request?
If you look at the 2017 article that first announced the capability https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/
you can see that the custom control is just JSON code that lays out the format of the request and a publicly accessible endpoint to send that request to. To get other MFA providers into the list the 3rd party MFA provider would need to work with the Microsoft Azure AD product group and provide that information, and then work to test and validate that it works. I would imagine that the PG works on providers based on end user demand and the commitment from that provider of resources to work on it but this is not something that MS can provide independently and frankly it seems the 3rd party provider has most of the work. As far as HOW that relationship happens not sure but any vendor that is a MS Partner probably has established channels to make that happen.
If there is a particular MFA provider I would suggest you call that vendor and put pressure on them to work with Azure AD.
We'd like to use the custom controls for our own software as well.
Any update on this?
We would also very much like to integrate our MFA solution (OpenOTP) to Azure AD with Custom Controls. This is critical for some of our customers and could prevent the use of Azure AD.
Emanuel Galea commented
Sure, a standard Custom Control API is definitely required. Our product doubleclue.com offers a variety of MFA methods and supports AWS, Google Cloud, ADFS etc., but not Azure AD. We would be glad to implement a custom control for Azure AD.
Kelly Soarks commented
A standard Custom Control API for 3rd Party MFA solutions would make more sense than doing a limited number of one-off integrations like what MSFT has now. The current limitations on Custom Control vendor support don't really add up. Please open this API up to enable more custom control providers.
Looking forward to this!