How can we improve Azure Active Directory?

Azure MFA synchronization between on premise and cloud

Hi. We are currently AAD Premium subscribers (via EMS). If I'm reading all current documentation correctly, deploying an MFA server on premise would be completely independent of any cloud-based MFA registrations for O365 and other SSO apps. This results in a userbase needing to register with 2 different MFA servers and causes some confusion. It would be nice if the on premise MFA server could synchronize or even proxy requests to the cloud-based MFA server so only 1 registration would be needed.

For example, user John Smith has 2FA turned on in the O365 cloud portal, and goes through registration. Now his fat clients need app passwords and web clients need 2FA. He sets everything up, installs the phone app, everything works as intended.

We want to use Azure MFA on premise as a RADIUS server to provide 2FA for our VPN solution. John Smith would need to register again with the on premise MFA server, correct?

Note: There is no ADFS in our environment.

36 votes

Michael B. shared this idea

8 comments

  • Mike commented

    Instead of syncing, is there an option to lift-and-shift from the on prem Azure MFA Server to the Azure MFA cloud service? Even if we had to dump a list of users with accounts in the cloud and then re-do them?

  • Dan Smith commented

    We feel that the Azure AD Team's initial response to this question is unacceptable.

    Our users interact with numerous Azure-based applications as well as on-premises applications which require MFA authentication. The lack of synchronization between on-premises MFA and Azure MFA is a critical gap in functionality.

  • Admin, Azure AD Team (Product Manager, Microsoft Azure) commented

    Our recommended approach to this situation is to not install MFA Server on premise. You can install the MFA adapter for NPS, which will proxy RADIUS requests to Azure MFA in the cloud. This will support VPN or other RADIUS needs on-premise. https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-nps-extension
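
The RADIUS leg of the setup the Azure AD Team describes (a VPN appliance sending an Access-Request to NPS, and NPS answering Accept or Reject once the cloud MFA verdict is in), as an added Python example; it is not part of this thread and not code from Microsoft's NPS extension. It implements the RFC 2865 wire format: User-Password hiding with the shared secret, and the Response Authenticator that the RADIUS client must recompute before trusting the verdict, so a reply whose code was altered in transit is reported as forged rather than accepted. The shared secret, the password table and the `mfa_approved` callback are constructed stand-ins for the real AD credential check and the cloud MFA decision.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

# Constructed sample data: the shared secret a VPN appliance and NPS would both be
# configured with, and the primary credentials NPS would normally validate against AD.
SECRET = b"constructed-shared-secret"
PASSWORD_DB = {"john.smith": "Pa55w0rd-constructed"}


def _attr(atype, value):
    """Encode one Type/Length/Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(raw):
    attrs, i = [], 0
    while i < len(raw):
        atype, alen = struct.unpack("!BB", raw[i:i + 2])
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((atype, raw[i + 2:i + alen]))
        i += alen
    return attrs


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password; the keystream chains on the received ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(secret, ident, username, password, request_auth):
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(secret, code, ident, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad packet length")
    return code, ident, data[4:20], data[20:]


def nps_handle(secret, packet, password_db, mfa_approved):
    """Constructed stand-in for NPS with the Azure MFA extension: primary credential
    check first, then the cloud MFA verdict (mfa_approved is a hypothetical callback)."""
    code, ident, req_auth, raw_attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    attrs = dict(_parse_attrs(raw_attrs))
    user = attrs[ATTR_USER_NAME].decode()
    if password_db.get(user) != reveal_password(secret, req_auth, attrs[ATTR_USER_PASSWORD]):
        return build_response(secret, ACCESS_REJECT, ident, req_auth, _attr(ATTR_REPLY_MESSAGE, b"bad credentials"))
    if not mfa_approved(user):
        return build_response(secret, ACCESS_REJECT, ident, req_auth, _attr(ATTR_REPLY_MESSAGE, b"MFA denied"))
    return build_response(secret, ACCESS_ACCEPT, ident, req_auth)


def client_outcome(secret, response, request_auth):
    """VPN side: recompute the Response Authenticator before trusting the verdict."""
    code, _, resp_auth, raw_attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + raw_attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(code, "unknown")


def run_flow(username, password, mfa_ok, tamper=False):
    """One VPN login: build the request, let the simulated NPS answer, check the answer.
    tamper=True rewrites the reply code to Access-Accept after it leaves NPS; without the
    shared secret the authenticator cannot be fixed up, so the client must report 'forged'."""
    request_auth = os.urandom(16)
    request = build_access_request(SECRET, 7, username, password, request_auth)
    response = nps_handle(SECRET, request, PASSWORD_DB, lambda user: mfa_ok)
    if tamper:
        response = bytes([ACCESS_ACCEPT]) + response[1:]
    return client_outcome(SECRET, response, request_auth)


if __name__ == "__main__":
    for args in [("john.smith", "Pa55w0rd-constructed", True), ("john.smith", "Pa55w0rd-constructed", False),
                 ("john.smith", "wrong", True), ("john.smith", "wrong", True, True)]:
        print(args, "->", run_flow(*args))
```

The two things worth noticing for the thread's question: the VPN appliance never sees the MFA registration at all, only an Accept or Reject, which is why the NPS extension needs no second enrollment; and the Response Authenticator is the only thing standing between the appliance and a spoofed Accept, so the shared secret must be long and the RADIUS traffic kept on a trusted network segment.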

  • PeterS commented

    LDAPS with MFA is a nice feature of MFA Server. However, as we're using lots of cloud apps we need to use the cloud MFA. To see both combined would be awesome!

  • ChrisB commented

    It would be good if there was a way to use MFA in the cloud for our on-premise MFA needs, or to use MIM to sync the information if it can't be done natively by allowing Azure MFA to push registration info.

  • Jake S. commented

    I would love to see this cloud RADIUS. I don't want to have to create a FreeRADIUS on prem or Azure MFA on prem server when I am using Azure AD Basic or Premium. I want to encourage SSO with the small businesses I consult and to allow them Windows 10 Pro authentication, Office 365 authentication, and wireless network authentication all via the exact same username and password, with everything being managed by O365 for username and password changes.
