If your organization has federated your on-premises Active Directory with Azure Active Directory using AD FS, the following two options for using Azure Multi-Factor Authentication are available.
- Secure cloud resources using Azure Multi-Factor Authentication or Active Directory Federation Services
- Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server
The following table summarizes the authentication experience between securing resources with Azure Multi-Factor Authentication and AD FS.

| | Authentication Experience - Browser based Apps | Authentication Experience - Non-Browser based Apps |
| :------------- | :------------- | :------------- |
| Securing Azure AD resources using Azure Multi-Factor Authentication | | |
Caveats with app passwords for federated users:
- An app password is verified using cloud authentication and therefore bypasses federation. Federation is only actively used when the app password is set up.
- On-premises Client Access Control settings are not honored for app password sign-ins.
- You lose on-premises authentication logging for app password sign-ins.
- Account disable or deletion may take up to 3 hours to propagate through dirsync, delaying the disable or deletion of the app password on the cloud identity.
For information on setting up either Azure Multi-Factor Authentication or the Azure Multi-Factor Authentication Server with AD FS see the following: