What 2FA does not cover in the Microsoft ecosystem

Last updated: August 11, 2022

This document is intended to explain what Microsoft products, services, and applications don’t benefit from having UW MFA for the web enabled.


Enabling ‘UW Duo 2FA for the web’ provides an additional security control to help mitigate the risk of UW NetID password compromise. Enabling ‘UW Duo 2FA for the web’ does not mitigate all scenarios where a UW NetID is used.

It generally only covers scenarios where the UW identity provider (idp.washington.edu) or Azure AD are providing the authentication for the web application. However, there are some scenarios with Azure AD authentication that are not covered. The scenarios that are not covered are because the client application does not support modern authentication protocols for the web. In many cases, you can update your client application or change to an alternative client application to be covered. At some point in the future, we expect non-modern authentication to be blocked.

Note: If you want to enable 2FA for non-web scenarios that involve Microsoft products, there may be other solutions available. For example, you can require Duo to log on to a Windows computer. Email help@uw.edu to find out more.

How do I know whether a web application uses Azure AD for authentication?

When you go to the application, if it sends you to a Microsoft sign in page, it is likely using Azure AD for authentication. That Microsoft sign in page will look like this:

If you generally enter myUwNetId@uw.edu into that page, then it is definitely Azure AD. If you enter some other username, then it may be a Microsoft account, i.e. a consumer account not associated with the UW.

What client applications are known to not use modern authentication protocols?