Custom controls are a preview capability of the Azure Active Directory. When using custom controls, your users are redirected to a compatible service to satisfy authentication requirements outside of Azure Active Directory. To satisfy this control, a user's browser is redirected to the external service, performs any required authentication, and is then redirected back to Azure Active Directory. Azure Active Directory verifies the response and, if the user was successfully authenticated or validated, the user continues in the Conditional Access flow.
Duo's custom control for Microsoft Azure Active Directory Conditional Access provides strong secondary authentication to Azure Active Directory logons. Additionally, Duo's granular access policies and controls complement and extend the access controls in Azure.
Microsoft does not evaluate authentication with a custom control as part of a Conditional Access multifactor authentication claim requirement. Custom controls, like the Duo custom control for Azure CA, cannot satisfy a CA rule that requires "multifactor". Learn more about this Microsoft limitation for custom controls in the Azure Active Directory documentation.
Azure Government does not yet provide support for custom controls in Conditional Access. Therefore, the Duo Azure conditional access application is not available in Duo Federal plans. Be sure to review Azure Government's additional variations in Azure Active Directory Premium features.
Conditional Access cannot add third-party MFA for Office clients that do not support modern authentication, such as Office 2010. Microsoft relies upon modern authentication workflows to invoke Conditional Access policies, which in turn apply Duo's MFA custom control. You can use Conditional Access to block authentication from legacy Office clients that cannot support modern authentication. Please refer to How to: Block legacy authentication to Azure AD with Conditional Access to learn how to control access from these client applications.
Click Grant under "Access controls". To allow users access with Duo authentication, click on Grant access and check the box next to the RequireDuoMFA custom control you created in the previous steps. While you may choose to combine or require satisfying multiple controls before granting user access, this example simply adds the Duo authentication requirement to the new policy. Click Select when done.
If you want the Azure and Office applications you protect with Duo to have distinct Remembered Devices settings, or any other combination of Duo settings, you can create multiple Duo custom controls with different settings.
You may wish to create multiple Duo Conditional Access policies with unique Duo policy settings to apply to different Azure applications or users. The process of creating additional Duo custom controls in Azure is slightly different than creating the first one. You'll need to edit the custom control JSON text provided by Duo with some unique values before saving the new control.
By utilizing Azure Active Directory Conditional Access and Custom Controls, organizations can integrate their 3rd party MFA solution directly into the access controls to challenge access so customer, SaaS, and app published through Azure AD Application Proxy.
Other supported Multi-factor authentication providers should have a very similar process to go through with the key being the custom control. Bear in mind that Microsoft is continuously developing the capabilities of Azure Multi-factor authentication with native integration to Azure Active Directory. That native integration allows for advanced capabilities such as Password-less Sign On, which is not available for 3rd party Multi-factor authentication partner integrations.
you can see that the custom control is just JSON code that lays out the format of the request and a publicly accessible endpoint to send that request to. To get other MFA providers into the list the 3rd party MFA provider would need to work with the Microsoft Azure AD product group and provide that information, and then work to test and validate that it works. I would imagine that the PG works on providers based on end user demand and the commitment from that provider of resources to work on it. As far as HOW that relationship happens not sure but any vendor that is a MS Partner probably has established channels to make that happen.
SummaryIn summary, AzureSSO (enabled by the Azure Hybrid join process) will skip the 3rd party MFA custom control in conditional access at its leisure, and I cant figure out how to FORCE duo to prompt for workflows we require.
Recently, Microsoft added a function to Conditional Access called custom controls. Custom controls allow third-party integration into Conditional Access. This process involves having a registered application by the third party to be allowed globally by Microsoft and then providing OpenID Connect (OIDC) endpoints for use by the Azure customer to call out to the third party's authorization process.
Customers have told Microsoft that its current support for partner-built MFA solutions is "too limited," explained Alex Simons, corporate vice president of the Microsoft Identity Division. The current support itself is a preview where Microsoft extends "Conditional Access through custom controls," but that approach will get replaced, Simons explained:
Azure AD provides application integration capabilities for a variety of types of applications. For those where the publisher is Microsoft, no attribute release control is permitted. For those where the publisher is the organization, attribute release control is possible. For those where the publisher is a 3rd party, the 3rd party publisher defines the attributes required. For those 3rd party apps, if the app requires an account be provisioned to the 3rd party, the Azure AD admin can define custom attribute mappings (see -us/library/dn872469.aspx for more info).
Would like to see that we can integrate Advanced Authentication with Microsoft Azure Active Directory conditional access policies to add two-factor authentication to Azure Active Directory logons, complete with inline self-service enrollment but also the policies and controls from AA.I know that AA 6.x supports ADFS for SSO but that's not the request. Please read also the following documentation from Microsoft regarding Azure Conditional Access: -us/azure/active-directory/active-directory-conditional-access-controls#custom-controls-1 2b1af7f3a8