Per-application 2FA with Entra ID

Last updated: November 15, 2023
Audience: IT Staff / Technical

This page discusses the support and request process for requiring Duo 2FA for an Entra ID application.

How to Request

Please send a request to help@uw.edu with a subject of “Entra ID Conditional Access policy”. Please include the application name and appId if you have it. In many cases we will need a list of the affected users too.

Limitations

If you own the Entra ID application, fulfillment is generally quick, because as the application owner, you have authority to set the access controls to your application.

If, however, you do not own the Entra ID application, fulfillment may take more time, and involve more maintenance overhead in the future. Since you do not have authority for access controls for the application, we either need to identify who is and work with them, or we have to act as a broker on behalf of the university. We need to prevent situations where you tell us to require 2FA for an application for a user, but that user’s use of the application isn’t limited to your business needs. Here are a couple examples to illustrate:

  • Windows Virtual Desktop would be an example of an application which is shared and does not have a UW owner. You may have a WVD tenant, but you share the Entra ID applications which are used to control 2FA policy. UW-IT must act as a broker for this application, and carefully analyze the details of your request to ensure that users of other WVD tenants are not adversely impacted.
  • Exchange Online is an application that is owned by UW-IT’s Microsoft Collaborative Applications (MSCA) service offering. You may want to require 2FA with Exchange Online for some definition of your users. We’ll need to work with MSCA to determine whether your request can proceed. You should also note that there are some non-web-based ways to access Exchange Online which do not require 2FA. Whether those methods can be restricted or not will again be something we’d need to work with MSCA on.

More Info

Behind the scenes, we are using Microsoft’s Conditional Access policy capability to deliver application-based 2FA. Conditional Access (CA) is a powerful feature that allows security controls to be enforced at the time an access token is requested based on a variety of conditions. This power also can lead to significant unexpected impacts, so we have to exercise judicious management to prevent undesirable outcomes. This means we may ask a lot more questions, track all CA policies, and have slightly onerous practices when it comes to future changes. We hope you’ll understand that we are exercising greater caution in an effort to protect everyone.