Azure AD 2FA authentication

Last updated: January 30, 2023
Audience: All UW

The Azure AD domain supports two 2FA providers: Duo and Azure MFA. In all scenarios, this only covers web-based methods.

Duo is the primary 2FA provider at the UW and the default choice with Azure AD. Azure MFA is used ONLY in limited scenarios, including Azure AD-only user accounts or unique scenarios where another Azure AD tenant requires Azure MFA to access resources in that tenant.

Here are the options for 2FA with Azure AD:

  1. For Personal UW NetIDs: On a per-user basis, you can enable Duo with Azure AD, via ‘Opt in to use 2FA on the Web’. This will enable 2FA for all web applications that use Azure AD for authentication.
  2. For Admin UW NetIDs, you can enable it via a special opt-in process.
  3. On a per-application basis, you can require Duo.

The typical sign-in experience for a UW Azure AD user account with Duo 2FA enabled is detailed here.

Enabling ‘UW Duo 2FA for the web’ does not cover all experiences in the Microsoft ecosystem. Read this doc for more.

NOTE: Users are advised NOT to enable Azure MFA on their account by adding Additional Verification unless they are in one of the scenarios noted. If you do, you may end up with issues that block future sign-ins and require UW-IT intervention. The Microsoft Authenticator App is the primary client for Azure MFA, so if you are directed to use it, you are likely in the wrong place. If you want to enable 2FA on your user account, use the ‘enable Duo 2FA for the Web’ option.