MIM SSPR and Azure MFA prerequisites?

  • Question

  • Hi,

    Busy reading on how to enable on-prem MIM 2016 SSPR SMS/Phone Gate to use Azure MFA - https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-self-service-password-reset

    The article does not mention anything about whether it is required that the user identities also exist in Azure AD, via AADConnect.

    So based on this article, I don't need any Azure identities for this SSPR Azure MFA solution to work then? Is that correct?

    Thank you,

    SK

    Monday, October 3, 2016 2:07 AM

All replies

  • That's correct - Azure MFA is used only to check whether the user picks up a call made to a particular number; the user can exist only in the local directory.

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Marked as answer by Shim Kwan Monday, October 3, 2016 7:59 PM
    • Unmarked as answer by Shim Kwan Monday, October 3, 2016 8:00 PM
    • Marked as answer by Shim Kwan Sunday, October 9, 2016 8:48 PM
    Monday, October 3, 2016 1:47 PM
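The reply above turns on two facts: the phone gate dials a number held for the user in the local directory, and a per-authentication provider bills every call or SMS it places. An added pre-flight check (example code, not from this thread or from Microsoft's documentation) that reports which on-premises users have a usable number before SSPR is switched on. It assumes, as labelled in the comments, a hypothetical group `SSPR-Users` holding the users in scope and the `mobile` AD attribute as the dialled number; the sample objects at the bottom are constructed so the script runs offline.

```powershell
# Added example. Assumptions: SSPR scope = members of a hypothetical AD group
# 'SSPR-Users'; the number dialled is the 'mobile' attribute. Azure MFA expects
# E.164 (+<country code><subscriber>); a per-authentication provider charges for
# every attempt, so an unreachable number costs money as well as locking the
# user out of reset.

function Test-E164Number {
    param([string]$Number)
    # E.164: leading '+', first digit non-zero, 2-15 digits in total
    return ($Number -match '^\+[1-9]\d{1,14}$')
}

function Get-SsprPhoneReadiness {
    param(
        # Objects exposing SamAccountName and mobile (e.g. from Get-ADUser)
        [Parameter(Mandatory)] [object[]]$Users
    )
    foreach ($u in $Users) {
        $raw = [string]$u.mobile
        # Remove spaces, dashes, dots and parentheses that admins often type into AD
        $normalized = $raw -replace '[\s\-\(\)\.]', ''

        if ([string]::IsNullOrWhiteSpace($raw)) {
            $status = 'MissingNumber'     # phone gate cannot be offered at all
        }
        elseif (Test-E164Number $normalized) {
            $status = 'Ready'
        }
        else {
            $status = 'NotE164'           # e.g. missing '+country code'; call would fail
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mobile         = $raw
            Normalized     = $normalized
            Status         = $status
        }
    }
}

# Constructed sample input so the report runs without a domain. In a real run:
#   $users = Get-ADGroupMember 'SSPR-Users' | Get-ADUser -Properties mobile
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mobile = '+27 82 555 0101' }   # Ready
    [pscustomobject]@{ SamAccountName = 'bob';   mobile = '082 555 0102' }      # NotE164 (no country code)
    [pscustomobject]@{ SamAccountName = 'carol'; mobile = $null }               # MissingNumber
)

Get-SsprPhoneReadiness -Users $users | Format-Table -AutoSize
```

Filter on `Status -ne 'Ready'` to get the users to fix before enabling the gate; the normalisation only strips punctuation and never guesses a country code, because a wrong guess would dial a stranger at the tenant's expense.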
  • Great news, thanks Dominik - how does this affect licensing? Is Azure Premium required?
    • Edited by Shim Kwan Monday, October 3, 2016 8:00 PM
    Monday, October 3, 2016 7:59 PM
  • You'll want to create a per-authentication MFA provider. This will bill against your Azure Monetary Credit (or on a credit card every month if it's that type of subscription).


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by Shim Kwan Sunday, October 9, 2016 8:48 PM
    Monday, October 3, 2016 11:30 PM
    Moderator
  • Thanks Brian - you've stated to use the "per authentication" model, however...

    Microsoft states to use the "per enabled user" model https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-self-service-password-reset

    Secondly - if the company already has an MFA provider for something else, can I create a new one for SSPR?

    Wednesday, October 5, 2016 8:45 PM
  • You can use the same Azure MFA provider if you wish.

    Microsoft states to use "per enabled user", but that is not the case here - users won't be "enabled" in the cloud if you use only local AD, for example. That's why it is better to use per-auth in this case.


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Marked as answer by Shim Kwan Sunday, October 9, 2016 8:49 PM
    Friday, October 7, 2016 12:24 PM
  • Thank you guys!
    Sunday, October 9, 2016 8:48 PM