Getting started with Microsoft Entra multifactor authentication and Active Directory Federation Services
If your organization has federated your on-premises Active Directory with Microsoft Entra ID using AD FS, there are two options for using Microsoft Entra multifactor authentication.
- Secure cloud resources using Microsoft Entra multifactor authentication or Active Directory Federation Services
- Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server
The following table summarizes the verification experience between securing resources with Microsoft Entra multifactor authentication and AD FS
| Verification Experience - Browser-based Apps | Verification Experience - Non-Browser-based Apps |
|---|---|
| Securing Microsoft Entra resources using Microsoft Entra multifactor authentication | |
| Securing Microsoft Entra resources using Active Directory Federation Services |
Caveats with app passwords for federated users:
- App passwords are verified using cloud authentication, so they bypass federation. Federation is only actively used when setting up an app password.
- On-premises Client Access Control settings are not honored by app passwords.
- You lose on-premises authentication-logging capability for app passwords.
- Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity.
For information on setting up either Microsoft Entra multifactor authentication or the Azure Multi-Factor Authentication Server with AD FS, see the following articles: