MFA for SPLA Partners
Don't know if I'm in the right place to ask this, but I didn't find a better place.
We are an SPLA Partner and tried to use Microsoft MFA for our customers in a non-Azure environment (IaaS in a different data center). Actually, my current understanding is that there's no way to do this in the known way, i.e. by managing and billing through us to the customer.
Is that correct, and do we have to use a third-party solution? Can't believe that...
Thanks in advance for your help,
Might be a bit late, but wanted to make sure you at least get an answer.
Generally, Azure MFA can only be obtained with Azure AD Premium Plan 1 (and other SKUs that include this plan) or as a feature of Azure AD B2C.
However, for Azure AD Premium Plan 1 and other user-based Azure services like "Azure Information Protection" there are no hosting rights (unlike other Azure usage-based services), meaning that you cannot get licenses for this yourself, integrate them into a hosting offering and then sell this hosting offering to end customers. The only possible option is that the customer gets those licenses directly.
So, my suggestion would be to also act as a CSP Reseller, so you can provision AAD P1 licenses for the end customer (provision those licenses directly in the end customer's own tenant) and deploy the services. If you are a Direct CSP Partner, you can provide the customer with a consolidated bill for licenses and services/integration, and you can also manage all aspects, since as CSP you have automated delegated admin permissions on the customer tenant you provision for this. From the customer's perspective they still get a complete solution from a single Partner, while technically the model differs a bit from SPLA, since now the customer is licensing the products and not the SPLA Partner.
Note that it is technically also required that each customer gets their own Azure AD tenant when using Azure MFA, and their own Azure AD Connect instance for syncing local AD to Azure AD. For integration in an IaaS solution the only direct option would be to use the Azure MFA extension for NPS (RADIUS). For web-based apps I would recommend using Azure AD App Proxy to integrate the app into the customer's Azure AD and also to provide secure access to the app; Azure MFA is just a feature you can enable for the Azure AD user account.
May I hop in and ask for clarification on this?
We have a hosting environment with SPLA and offer hosted Exchange and an RDS farm with one Active Directory, which we manage. Single sign-on, etc. Could we not offer MFA for our clients, since we would only need a single AD sync for the users? Therefore the billing would be to us alone anyway. We are mainly looking for two-factor login, honestly.
Sorry to hop on someone else's thread, but I just wanted to clarify it. We are not looking to sync multiple AD environments, only our own (it just happens to have clients included).
Unfortunately this is not possible (not allowed) for the reasons I outlined above. Azure MFA is only available within Azure AD Premium Plan 1, and there are no hosting rights associated with this type of license. Of course, as a hosting Partner you can use AAD Premium P1 to protect your own accounts with MFA, but you cannot obtain licenses yourself to provide the AAD P1 features for your end customers' users.
I'm just trying to find a way we COULD use it and also maintain licensing that is acceptable to MS/Azure and also to the client. We don't have any issues with reselling it "properly"; I just have to find a way to make it work as needed.
Eric Fuller Senior Systems Engineer
We have a multi-tenant Exchange and RDS farm wrapped around AD with all clients separated by OUs. There are only three user accounts in AD that have access to all OUs and each OU has explicit deny statements in them.
We are an MS partner; we were looking into a way to leverage an MS offering.
Eric Fuller Senior Systems Engineer
I have never done such a setup, but I guess you would probably need multiple RDS Gateway servers (at least one for each customer), since AFAIK only one Azure AD tenant can be entered in the configuration for the MFA NPS Extension.
Needless to say, it would be far easier if they used Windows Virtual Desktop in Azure, since then MFA/Conditional Access would be baked in. I guess you would need to do some testing to see if this can work for you.
Yes, if you set up a distinct tenant for each customer and provision AAD P1 licenses for the customer in this tenant, this is allowed. AAD Connect can be set up with filtering rules to only sync certain users to this tenant. The customer could then use MFA when accessing cloud services; I do not see how to leverage MFA for on-premises access, though. Is there any specific scenario you want to enable with AAD Premium for the customer in the hosted on-premises environment?