Hello-
We have a Horizon 2111 environment setup that uses a Unified Access Gateway Appliance v21.06.2 coupled with a connection broker for users to get external access. I would like to be able to use 2FA on the Microsoft Authenticator app (we are an O365 environment), but instead of PUSH for the second factor, I would rather the users have to enter the rolling code for the 2nd factor. Is there a way to configure UAG/Horizon coupled with MS Auth to force this? It currently works with PUSH, but management is asking for code entry enforcement as a way to bypass a user accidentally acknowledging a push and not paying attention to what they are doing. Anyone doing this? I know I can do this with DUO, but we use the MS app for literally every other service, so I would rather not involve a second vendor if there is a way to do it. Thanks!
Hi, @electricd7
The 2FA options for the MS Authenticator will probably have to be configured on the MS side. You only link the UAG to the MS logon process, but how MS handles this is out of the hands of the UAG. I don't know enough about the possible options of the MS Authenticator to tell you where exactly you have to do this, but it will be on the MS side.
OK, I can look into that. Does UAG support the "ask for code" method such that on 2FA it asks for the code rather than making the user enter username@domain.com,123456 (where 123456 is the 2FA rolling code)?
The easiest way is to create a SAML application in AzureAD and configure that as an IDP on your UAG. Every user that arrives on the UAG is automatically redirected to the MS login page and once authenticated, the user is redirected back to the Horizon infrastructure.
To ensure an SSO experience for the user, configure TrueSSO (part of Horizon); otherwise users will have to enter their AD credentials again before accessing their VDI or published application. (I've written a blog post on how to set this up with AzureAD: VMware Horizon authentication using AzureAD (with multifactor) – MickeyByte IT Pro Blog)
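Added example, not code from the thread, VMware or Microsoft: in the SAML setup described above, the UAG acts as the service provider and only ever sees the assertion the IdP sends back, so the one thing it can check on its own side is that the assertion claims a second factor was completed. The snippet below parses a constructed Azure AD-style SAML assertion and applies the checks a relying party should apply before trusting it (validity window, audience, and the presence of an MFA claim). Assumptions: the attribute name `http://schemas.microsoft.com/claims/authnmethodsreferences` and the values `.../multipleauthn` and `.../authenticationmethod/password` are taken to be the URIs Azure AD emits; the sample assertion, the tenant placeholder and the audience URL are constructed. Signature verification, which the UAG does against the certificate from the IdP metadata, is left out. Note that the assertion only says *that* a second factor was used, not *which* one, which is why forcing code entry over push has to be configured at the IdP as the reply says.

```python
"""Parse an Azure AD-style SAML assertion and check it reports MFA.

Added illustration for the Horizon/UAG thread above; not vendor code.
Claim URIs are assumptions, the sample assertion is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Assumed Azure AD claim names/values (see lead-in).
AMR_ATTR = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD_VALUE = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"

# Constructed template; the tenant id and audience are placeholders.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="{ns}" ID="_constructed-1" Version="2.0" IssueInstant="2021-12-01T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-12-01T09:55:00Z" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{amr_attr}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(s):
    """SAML timestamps are UTC 'Z' times; return an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_assertion(amr_values, audience="https://uag.example.com/portal",
                   not_after="2099-01-01T00:00:00Z"):
    """Build a constructed sample assertion carrying the given AMR values."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in amr_values)
    return ASSERTION_TEMPLATE.format(ns=SAML_NS, not_after=not_after,
                                     audience=audience, amr_attr=AMR_ATTR, values=values)


def parse_assertion(xml_text):
    """Extract the fields a service provider needs for its acceptance checks."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    amr = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AMR_ATTR:
            amr = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  namespaces=NS),
        "not_before": parse_ts(cond.get("NotBefore")),
        "not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
        "amr": amr,
    }


def validate(xml_text, expected_audience, now=None, require_mfa=True):
    """Return (accepted, reason) for an assertion, as a relying party would."""
    now = now or datetime.now(timezone.utc)
    info = parse_assertion(xml_text)
    # Clock window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    if not (info["not_before"] <= now < info["not_on_or_after"]):
        return False, "assertion outside its validity window"
    # An assertion minted for another app must not be accepted here.
    if info["audience"] != expected_audience:
        return False, "audience mismatch"
    # Only trust the session if the IdP says a second factor was completed.
    if require_mfa and MFA_VALUE not in info["amr"]:
        return False, "IdP did not report a second factor"
    return True, "accepted"


if __name__ == "__main__":
    t = parse_ts("2021-12-01T10:00:05Z")
    print(validate(make_assertion([MFA_VALUE, PASSWORD_VALUE]), "https://uag.example.com/portal", now=t))
    print(validate(make_assertion([PASSWORD_VALUE]), "https://uag.example.com/portal", now=t))
```

Running the module prints an accepted result for the assertion that carries the MFA claim and a rejection for the password-only one; the audience and time-window checks are the same ones that stop an assertion issued for another application, or a replayed old one, from being accepted by the gateway.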