Azure AD + 3rd party MFA = Azure AD Custom Controls

During Microsoft Ignite there were lots of announcements across a variety of Microsoft offerings including Azure Active Directory.

An interesting feature was released in preview called Custom Controls. Custom Controls allow integration of 3rd party security solutions and in this case, 3rd party multi-factor authentication providers.

I speak with many organizations throughout the year and although many of them are utilizing Azure Active Directory MFA, there are some that either require or prefer to utilize their investment in their current MFA solution. So the question I’m often asked is, “Does Azure AD support 3rd party MFA?” Well, I’m happy to say, yes it does.

By utilizing Azure Active Directory Conditional Access and Custom Controls, organizations can integrate their 3rd party MFA solution directly into the access controls to challenge access to customer apps, SaaS apps, and apps published through Azure AD Application Proxy.

Requirements

  • Azure Active Directory Premium
  • 3rd party MFA solution such as Duo, RSA, and/or Trusona

Creating a custom control

To create a custom control, navigate to portal.azure.com and select Azure Active Directory.

Select Conditional Access and then “Custom controls”.

Next, select “New custom control” at the top of the page.

We’re now asked to paste in JSON for the control. This information provides the details about the 3rd party MFA provider. For example, I have Duo configured and my JSON is below:

[Screenshot: custom control JSON for Duo]

Please review the instructions your 3rd party MFA provider has published on how to access the JSON for integration with Azure AD.

Once the custom control for the 3rd party MFA is added, go back to the conditional access policies and create a policy that will utilize the custom control.

Under Conditional Access, select Policies and then “New policy”:

I configured a conditional access policy to use Duo with my Intranet app that is published through the Azure AD Application Proxy. Now, I could have simply checked Azure MFA; however, the purpose of this post is to demonstrate 3rd party MFA integration.

Let’s see it in action

[Image: AzureADandDuo]

To learn more about Custom Controls please see: /en-us/azure/active-directory/active-directory-conditional-access-controls#custom-controls