VMware Horizon Community
electricd7
Contributor

Is it possible to use UAG with Microsoft Authenticator but to force users to enter code?

Hello-

We have a Horizon 2111 environment set up that uses a Unified Access Gateway Appliance v21.06.2 coupled with a connection broker for users to get external access. I would like to be able to use 2FA on the Microsoft Authenticator app (we are an O365 environment), but instead of PUSH for the second factor, I would rather the users have to enter the rolling code for the 2nd factor. Is there a way to configure UAG/Horizon coupled with MS Auth to force this? It currently works with PUSH, but management is asking for code entry enforcement as a way to bypass a user accidentally acknowledging a push and not paying attention to what they are doing. Anyone doing this? I know I can do it with DUO, but we use the MS app for literally every other service, so I would rather not involve a second vendor if there is a way to do it. Thanks!

3 Replies
Mickeybyte
Hot Shot

Hi, @electricd7 

The 2FA options for the MS Authenticator will probably have to be configured on the MS side. You only link the UAG to the MS logon process, but how MS handles this is out of the UAG's hands. I don't know enough about the possible options of the MS Authenticator to tell you where exactly you have to do this, but it will be on the MS side.

Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
electricd7
Contributor

OK, I can look into that. Does UAG support the "ask for code" method, such that on 2FA it asks for the code rather than making the user enter username@domain.com,123456 (where 123456 is the 2FA rolling code)?

Mickeybyte
Hot Shot

@electricd7 

The easiest way is to create a SAML application in AzureAD and configure that as an IDP on your UAG. Every user that arrives on the UAG is automatically redirected to the MS login page and once authenticated, the user is redirected back to the Horizon infrastructure. 

To ensure an SSO experience for the user, configure TrueSSO (part of Horizon); otherwise users will have to enter their AD credentials again before accessing their VDI or published application. (I've written a blog post on how to set this up with AzureAD: VMware Horizon authentication using AzureAD (with multifactor) – MickeyByte IT Pro Blog)

Regards,
Mickeybyte (ITPro blog)

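The reply above describes the SAML flow (Azure AD as the IdP on the UAG, MFA policy enforced on the Microsoft side). Two checks a practitioner would want when wiring that up are: validating the IdP metadata before loading it on the UAG (correct tenant entityID, an HTTP-Redirect sign-on endpoint, a signing certificate whose fingerprint you can record, metadata not expired), and confirming, when troubleshooting, that an assertion from that tenant actually carries Azure AD's MFA claim. The script below is an added example written for this thread; it is not code from VMware, Microsoft or the poster. The tenant id, certificate bytes and sample documents are constructed placeholders; in a real deployment the metadata comes from the tenant's federation metadata endpoint and the assertion is one the UAG has already signature-verified, which this script deliberately does not re-implement. The `authnmethodsreferences` claim only tells you that MFA was satisfied, not which Authenticator method (push or code) was used; that choice lives in the Azure AD policy, as the reply says.

```python
"""Sanity-check Azure AD SAML IdP metadata for a UAG IdP configuration and
look for the Azure AD MFA marker in a SAML assertion. Added example; all
sample data below is constructed and not from a real tenant."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Azure AD puts the methods used into this attribute; the MFA_VALUE entry is
# present when the sign-in satisfied the tenant's MFA requirement.
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant id
# Constructed placeholder standing in for the DER bytes of the IdP signing cert.
SAMPLE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-CERT-NOT-A-REAL-X509"

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/" validUntil="2099-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

SAMPLE_ASSERTION = f"""<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1">
  <Issuer>https://sts.windows.net/{TENANT}/</Issuer>
  <AttributeStatement>
    <Attribute Name="{AMR_CLAIM}">
      <AttributeValue>{MFA_VALUE}</AttributeValue>
      <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_idp_metadata(xml_text: str, now: datetime = None) -> dict:
    """Return entityID, HTTP-Redirect SSO URL and signing-cert fingerprints,
    raising ValueError on anything that should stop the upload to the UAG."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("missing entityID")
    valid_until = root.get("validUntil")
    if valid_until:  # expired metadata means a stale signing cert
        if datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
            raise ValueError(f"metadata expired at {valid_until}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT_BINDING]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode(re.sub(r"\s+", "", cert.text or ""))
            fingerprints.append(sha256_hex(der))
    if not fingerprints:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": entity_id, "sso_url": sso[0], "signing_cert_sha256": fingerprints}


def assertion_satisfied_mfa(assertion_xml: str, expected_issuer: str) -> bool:
    """True if an already signature-verified assertion is from the expected
    tenant and carries the Azure AD MFA marker. Signature verification is the
    SP's (the UAG's) job and is intentionally not redone here."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        return False
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == AMR_CLAIM:
            values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
            return MFA_VALUE in values
    return False


if __name__ == "__main__":
    info = inspect_idp_metadata(SAMPLE_METADATA)
    print(info)
    print("MFA claim present:", assertion_satisfied_mfa(SAMPLE_ASSERTION, info["entity_id"]))
```

Record the fingerprint the script prints and compare it with what the UAG admin UI shows after the metadata upload; a mismatch means you loaded the wrong tenant's or an outdated metadata file.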