We come across this scenario quite often: customers want to leverage Microsoft Authenticator when using Workspace ONE UEM and/or Horizon.
In this blog, I'd like to go through the various options and outline the user experience with each of the options.
The main use cases we see are:
- Microsoft MFA for Horizon Desktop
- Microsoft MFA for SaaS Applications federated directly with Workspace ONE.
- Microsoft MFA for Device Enrollment in Workspace ONE UEM
- Microsoft MFA for SaaS Applications federated with Azure AD.
There are three integration options you can consider for integrating Microsoft Authenticator with Workspace ONE.
Azure AD as a 3rd Party IdP in Workspace ONE
In this option, the following needs to be configured:
- Azure AD configured as a 3rd Party IdP in Workspace ONE
- Workspace ONE configured as an enterprise app in Azure
- Conditional Access Policy Configured in Azure AD to require Microsoft Authenticator for the Workspace ONE Application.
Let's walk through the authentication flow in this option:
- The user will access their Horizon Desktop (or any application that is federated directly with Workspace ONE).
Note: Office 365 can NOT be federated with Workspace ONE in this scenario.
- The application will send a SAML Authentication Request to Workspace ONE.
- Assuming the access policy in Workspace ONE is configured for Azure Authentication, the user will be redirected to Azure AD.
- The user will enter their email address.
- Assuming the domain is not currently federated with another IdP, Azure will prompt the user to enter their password.
- Azure conditional access policies will then trigger for Microsoft MFA.
- The user will be returned to Workspace ONE and subsequently authenticated to Horizon. (Note: Horizon should be configured with TrueSSO for optimal user experience).
Workspace ONE as a Federated Domain in Azure AD
In this option, the following needs to be configured:
- Azure domain must be federated to Workspace ONE
- Conditional Access Policy Configured in Azure AD to require Microsoft Authenticator for the Workspace ONE Application.
- Mobile SSO/Certificate Authentication Configured in Workspace ONE
Let's walk through the authentication flow in this option:
- The user will access Office 365 (or any application federated with Azure AD).
- The user will enter their email address.
- The user will be redirected to Workspace ONE.
- Workspace ONE will authenticate the user using Mobile SSO, Certificate or some other authentication mechanism (as well as checking device compliance).
- Workspace ONE will respond with a successful response back to Azure AD.
- Azure conditional access policies will then trigger for Microsoft MFA.
- The user will be successfully authenticated into Office 365 (or any other Azure AD federated application).
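The Conditional Access policy that both options above depend on is easy to get subtly wrong: left in report-only mode, scoped to the wrong clients, or with a second grant control OR-ed in so that MFA can be skipped. This added example, which is not from the original post, audits a policy in the Microsoft Graph conditionalAccessPolicy shape for exactly those gaps; the two policy documents and the application id are constructed placeholders (the real id is the one of the Workspace ONE enterprise app in your Azure tenant).

```python
WS1_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder client id

# Constructed: enabled for all users and client types, MFA for the WS1 app.
POLICY_ENFORCED = {
    "displayName": "Require MFA for Workspace ONE",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": [WS1_APP_ID]},
        "users": {"includeUsers": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed: left in report-only mode, and a compliant device satisfies it.
POLICY_WEAK = {
    "displayName": "Require MFA for Workspace ONE (pilot)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": [WS1_APP_ID]},
        "users": {"includeUsers": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}


def mfa_gaps(policy, app_id):
    """Reasons the policy does not force MFA for app_id; empty means it does."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("policy is not enabled (report-only or disabled)")
    cond = policy.get("conditions", {})
    included = cond.get("applications", {}).get("includeApplications", [])
    if app_id not in included and "All" not in included:
        gaps.append("app is not in includeApplications")
    users = cond.get("users", {})
    if not (users.get("includeUsers") or users.get("includeGroups")):
        gaps.append("no users or groups in scope")
    # The SAML redirect to Azure AD is a browser flow, so it must be in scope.
    if not {"all", "browser"} & set(cond.get("clientAppTypes", [])):
        gaps.append("browser sign-ins are not in scope")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        gaps.append("'mfa' is not among the grant controls")
    elif len(controls) > 1 and grant.get("operator") != "AND":
        gaps.append("other controls are OR-ed with MFA, so MFA can be skipped")
    return gaps
```

The built-in "mfa" control accepts any MFA method the tenant allows, not only Microsoft Authenticator; pinning sign-ins to Authenticator specifically is done with a Conditional Access authentication strength, which this check does not model.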
Workspace ONE with Microsoft Azure MFA Server
In this option, the following needs to be configured:
- Azure MFA Server downloaded and installed on-premises.
- Workspace ONE Connector installed on-premises.
- Workspace ONE configured as a RADIUS client in Azure MFA Server.
Let's walk through the authentication flow in this option:
- The user will access any application federated with Workspace (or Horizon/Citrix application).
- Workspace ONE will prompt for their username/password.
- After clicking "Sign-In", a RADIUS call via the connector will be made to the Microsoft Azure MFA Server.
- The MFA server will push a notification to the device to approve the request: