
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA


MFA for SPLA Partners

Hello everybody,


Don't know if I'm in the right place to ask this, but I didn't find a better place.


We are an SPLA Partner and tried to use Microsoft MFA for our customers in a non-Azure environment (IaaS in a different data center). My current understanding is that there's no way to do this in the usual way, with us managing and billing the customer.


Is that correct and do we have to use a third party solution? Can't believe that...


Thanks in advance for your help,




Might be a bit late, but wanted to make sure you at least get an answer.


Generally, Azure MFA can only be obtained with Azure AD Premium Plan 1 (and other SKUs that include this plan) or as a feature of Azure AD B2C.

However, for Azure AD Premium Plan 1 and other user-based Azure services like "Azure Information Protection" there are no hosting rights (unlike other usage-based Azure services), meaning that you cannot get licenses for this yourself, integrate them into a hosting offering and then sell this hosting offering to end customers. The only possible option is that the customer gets those licenses directly.


So, my suggestion would be to also act as a CSP Reseller, so you can provision AAD P1 licenses for the end customer (provision those licenses directly in the end customer's own tenant) and deploy the services. If you are a Direct CSP Partner, you can provide the customer with a consolidated bill for licenses and services/integration, and you can also manage all aspects, since as a CSP you have automated delegated admin permissions on the customer tenant you provision for this. So from the customer's perspective they still get a complete solution from a single Partner, while technically the model differs a bit from SPLA, since now the customer is licensing the products and not the SPLA Partner.


Note that it is technically also required that each customer gets their own Azure AD tenant when using Azure MFA, and their own Azure AD Connect instance for syncing local AD to Azure AD. For integration in an IaaS solution the only direct option would be to use the Azure MFA extension for NPS (RADIUS). For web-based apps I would recommend using Azure AD App Proxy to integrate the app into the customer's Azure AD and also to provide secure access to the app. Azure MFA is just a feature you can enable for the Azure AD user account.


May I hop in and ask for clarification on this?

We have a hosting environment with SPLA and offer hosted Exchange and an RDS farm with one Active Directory, which we manage. Single sign-on, etc. Could we not offer MFA for our clients, since we would only need a single AD sync for the users? Therefore the billing would be to us alone anyway. We are mainly looking for two-factor login, honestly.
Sorry to hop on someone else's thread, but I just wanted to clarify it. We are not looking to sync multiple AD environments, only our own (it just happens to have clients included).


Unfortunately this is not possible (not allowed) for the reasons I outlined above. Azure MFA is only available within Azure AD Premium Plan 1, and there are no hosting rights associated with this type of license. Of course, as a hosting Partner you can use AAD Premium P1 to protect your own accounts with MFA, but you cannot obtain licenses yourself to provide the AAD P1 features for your end customers' users.



Based on the licensing, you mentioned a CSP model. Could we not provision a client with their own AAD P1, with the AD connector pointing back to the OU specific to that client? So in that regard we become a reseller and sell the client the licenses as mentioned above. The AD connector could be set to only read that OU, which would only be that tenant's logins. The client's OU is restricted and can't read outside the OU, therefore that AD connector would only see their info.

I'm just trying to find a way we COULD use it and also maintain licensing that is acceptable to MS/Azure and also the client. We don't have any issues with reselling it "properly" I just have to find a way to make it work as needed.

Eric Fuller Senior Systems Engineer

8740 Orion Place, Suite 300, Columbus, OH 43240
P: 614-401-8800 www.maxtechagency.com

We have a multi-tenant Exchange and RDS farm wrapped around AD with all clients separated by OUs. There are only three user accounts in AD that have access to all OUs and each OU has explicit deny statements in them. 

We house some medical clients and need to be able to run MFA for rds gateway access. First rule would be “static ip “ and if it’s trusted and if not then prompt for SMS code, etc.  my boss has looked at Duo but for whatever reason he doesn’t like it. Since
we are a MS partner we were looking into a way to leverage an MS offering. 


Eric Fuller Senior Systems Engineer



I have never done such a setup, but I guess you would probably need multiple RDS Gateway servers (at least one for each customer), since afaik only one Azure AD tenant can be entered in the configuration for the MFA NPS Extension.




Needless to say, it would be far easier if they used Windows Virtual Desktop in Azure, since then MFA/Conditional Access would be baked in. I guess you would need to do some testing to see whether this can work for you.



Yes, if you set up a distinct tenant for each customer and provision AAD P1 licenses for the customer in this tenant, this is allowed. AAD Connect can be set up with filtering rules to only sync certain users to this tenant. The customer could then use MFA when accessing cloud services. I do not see how to leverage MFA for on-premises access, though. Is there any specific scenario you want to allow with AAD Premium for the customer in the hosted on-premises environment?