Getting started with Microsoft Entra multifactor authentication and Active Directory Federation Services
If your organization has federated your on-premises Active Directory with Microsoft Entra ID using AD FS, there are two options for using Microsoft Entra multifactor authentication.
- Secure cloud resources using Microsoft Entra multifactor authentication or Active Directory Federation Services
- Secure cloud and on-premises resources using Azure Multifactor Authentication Server
The following table summarizes the verification experience between securing resources with Microsoft Entra multifactor authentication and AD FS
| Verification Experience - Browser-based Apps | Verification Experience - Non-Browser-based Apps |
|---|---|
| Securing Microsoft Entra resources using Microsoft Entra multifactor authentication | |
| Securing Microsoft Entra resources using Active Directory Federation Services |
Caveats with app passwords for federated users:
- App passwords are verified using cloud authentication, so they bypass federation. Federation is only actively used when setting up an app password.
- On-premises Client Access Control settings aren't honored by app passwords.
- You lose on-premises authentication-logging capability for app passwords.
- Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity.
For information on setting up either Microsoft Entra multifactor authentication or the Azure Multifactor Authentication Server with AD FS, see the following articles: