Microsoft 365 MFA: Simplify on-premises management
MFA soon will be mandatory for Microsoft 365 admin center access and a best practice for all users. But for organizations running on-prem Active Directory, implementation isn't always simple. That's where UserLock helps.
Updated January 15, 2026
Starting February 2026, Microsoft will require multi-factor authentication (MFA) for Microsoft 365 admin center access. But what about everyone else?
Microsoft's new MFA requirement applies only to users accessing the Microsoft 365 admin center. While that's a necessary move, it doesn't go far enough. Securing all access to Microsoft 365, admin or not, is essential for thwarting today's attacks. It's also a common compliance requirement.
For organizations built around on-premises Active Directory (AD), implementing MFA across SaaS and network access isn't always simple. Hybrid environments bring complexity, especially when not all MFA platforms support both worlds.
That's where UserLock comes in. It bridges the gap between on-premises AD and Microsoft 365, retaining AD as the primary identity store. This makes hybrid MFA simpler, and gives IT control over identity infrastructure.
UserLock MFA for Microsoft 365
UserLock delivers MFA, SSO, and context-aware access controls across on-prem and SaaS resources.
Today, many organizations are stuck between two worlds: on-premises and cloud. This hybrid setup adds complexity, especially when it comes to implementing MFA.
Active Directory remains the backbone for many environments, but Microsoft 365 lives in the cloud. This means organizations need to secure access across two very different identity systems.
On one end of the spectrum are organizations moving fully to the cloud.
On the other are those committed to on-prem for security or regulatory reasons, or simply to support legacy apps that can't be migrated.
But most businesses land in the middle. They've adopted SaaS apps like Microsoft 365 while maintaining on-prem AD.
Why does this make MFA implementation tricky?
Few organizations today can (or want to) avoid the cloud completely. The use of cloud software-as-a-service (SaaS) platforms such as Microsoft 365 forces IT teams to find a way to integrate these services within an on-premises setup.
It's rarely straightforward. On-premises Microsoft environments are designed to work with the local Active Directory (AD) directory service at their core.
It follows that on-premises MFA and access controls are enforced using the on-premises Active Directory identity.
Microsoft 365, by contrast, is oriented towards the cloud directory, Entra ID (formerly Azure AD). In cloud land, MFA and access controls are enforced using the Microsoft Entra ID identity.
Any organization wanting to preserve on-premises systems while using SaaS applications must work out how to integrate two different environments.
Managing and securing both means more management overhead, more moving parts, and often duplicate solutions to implement the same control in each world.
Aware of this issue, Microsoft offers two main ways to connect on-prem AD with Microsoft 365:
Active Directory Federation Services (AD FS): A legacy solution for federated identity, often seen as complex and costly.
Microsoft Entra Connect: A newer option, formerly Azure AD Connect, oriented towards cloud and SaaS integration with Microsoft Entra ID.
Both tools let you use your on-prem AD credentials for Microsoft 365, but they also come with tradeoffs.
Compounding this confusion is that by default Microsoft 365 (hosted in the cloud) assumes you'll use Microsoft Entra ID for identity and access management (IAM). That introduces three big challenges for primarily on-prem environments.
Loss of control: Using Entra ID is a non-starter for any organization that wants to retain control over IAM.
Internet dependencies: Adopting Entra ID as an IAM system requires (or rather, assumes) that all computers authenticating via Entra ID always have Internet connectivity, which is difficult to guarantee in some environments.
Legacy app compatibility: Legacy apps tied to AD may not work well with Entra ID.
The whole point of on-prem networking is to retain control over core functions, especially security, identity, authentication, and access control.
For many organizations with infrastructure built around on-premises Active Directory, handing priority of these core functions to an external platform such as Entra ID is a dealbreaker.
While Microsoft’s tools can ease integration between on-prem and its SaaS services, they come with pros and cons of their own in terms of additional infrastructure and expense.
AD FS is designed for on-prem networks but can be complex and expensive to manage. There are also technical limitations, especially when it comes to implementing Microsoft 365 MFA.
AD FS allows organizations to continue using their on-premises AD identities while federating and synchronizing with Entra ID and Microsoft 365 through a single SSO credential.
AD FS’s advantage is that it is an on-prem tool, which means that it integrates well with an organization’s existing on-prem AD.
Unfortunately, there's a reason why AD FS has a reputation for being complex and clunky to manage. It’s difficult to troubleshoot when problems occur.
In terms of authentication, it is also limited because its preferred service, Azure MFA Server, has been deprecated.
Microsoft Entra Connect is built around the needs of cloud-based applications, which brings complexities of its own.
Microsoft Entra Connect packages AD FS with more advanced tools, including Entra Connect Sync for user, password, and group synchronization with Entra ID.
Although included as part of Entra ID subscriptions, Microsoft Entra Connect can also be complex to administer. It’s not simple to set up and manage synchronization between the on-premises AD and cloud Entra ID directories.
To ensure that access to the network remains as seamless and secure as possible, admins can deploy a simple single sign-on (SSO) password credential secured by MFA.
For this to work, synchronization and identity management between the two domains (users, groups, passwords, and conditional monitoring) must work perfectly.
Day to day, this can create significant management overhead. Any failure to get this right every time can result in on-premises or remote users being locked out of Microsoft 365.
Cloud platforms have some clear advantages, but on-prem AD still plays a vital role in many environments. Here's why:
Support for critical legacy applications that can’t be migrated to the cloud.
Compliance with regulations that require organizations to retain full control over sensitive data without depending on external providers.
Control over costs since SaaS platforms can be expensive, and many organizations prefer to get value from their existing on-premises infrastructure.
Many organizations don’t want to be shut out of the cloud entirely, so they pursue a hybrid approach that combines the best elements of both worlds.
The difficulty is that this requires IT to build a more complex environment with synchronized internal and external systems.
Hybrid environments are more complex. Prioritizing on-premises control often results in an uneasy compromise between older on-premises systems and newer ones oriented towards the cloud.
Key challenges include:
Integration: Integrating on-prem with cloud and SaaS can be complex and expensive, requiring additional infrastructure.
Attack surface: Two networks increase the attack surface, especially where remote users come into the equation as they now often do in SaaS deployments. In an era of zero trust, implementing multi-layered security on access is paramount, especially protections such as MFA.
Credential sprawl: Inevitably, SaaS means more logins. More logins equal more credentials, which negatively affects the user experience. To avoid this, integration needs to consider how to implement single sign-on (SSO).
Security teams want to keep things as simple as possible. More often than not, this means IT wants to (or needs to) manage as much as possible within their network.
But the additional complexity of SaaS seems to work against this.
Too often, adding hybrid access security to on-prem networks means putting up with extra complexity and expense.
That’s because the IAM industry has moved on to the cloud, leaving on-premises and hybrid networks to solve the problem of integration and security on their own.
UserLock brings a clear advantage to on-premises and hybrid environments that need to implement MFA for Microsoft 365: the ability to keep things simple.
That's because UserLock is designed around the principle that on-premises networks should retain as much control as possible. This allows IT to retain the centralization and control that is so important in on-premises environments.
Through UserLock, organizations can continue to use existing on-premises AD identity while securely integrating access to Microsoft 365 and other SaaS applications.
UserLock combines single sign-on (SSO) with MFA and access controls to simplify hybrid AD access security. There's no need for complex middleware riddled with hidden compromises.
Read more: How SAML works with Active Directory
Since UserLock SSO is hosted on-premises, IT can retain Active Directory as the authoritative Identity Provider (IdP). For secure access to Microsoft 365, the end user authenticates with their existing on-premises credentials.
Depending on whether the admin has set up MFA for Microsoft 365 access, and under what conditions, the end user may also receive an MFA prompt.
Read more: UserLock and Microsoft 365 in on-premises Active Directory
UserLock SSO can also be hosted on a virtual network and use Entra ID as the authoritative identity provider. For access to SaaS applications, the user is authenticated with their Entra ID credentials. Users may also receive a prompt for MFA, depending on the conditions that IT has set.
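As an added illustration (not UserLock's code or API, and not part of the original post), the following Python models the context-aware decision that both deployment modes above describe: an ordered policy decides, for each sign-in, whether the directory credentials alone are sufficient, whether an MFA prompt is required, or whether access is denied, based on group membership, source network and target application. Rule names, group names, application identifiers and IP ranges are constructed assumptions for the example.

```python
"""Context-aware MFA decision for hybrid AD / Microsoft 365 sign-ins.

Added illustration only; it is not UserLock's code and does not model its
configuration format. It shows how an ordered access policy turns sign-in
context (AD groups, source network, target app, whether MFA was already
completed) into one of three outcomes: "allow", "mfa" (prompt required)
or "deny". All names and IP ranges are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Literal, Union

Decision = Literal["allow", "mfa", "deny"]
Address = Union[IPv4Address, IPv6Address]


@dataclass(frozen=True)
class SignIn:
    """Context gathered at the SSO step for one sign-in attempt."""
    user: str
    groups: frozenset[str]          # AD (or Entra ID) group membership
    source_ip: str                  # client address as seen by the IdP
    app: str                        # target SaaS application identifier
    mfa_satisfied: bool = False     # True if MFA was completed in this session


@dataclass(frozen=True)
class Rule:
    """One policy rule; an empty selector means 'matches anything'."""
    name: str
    decision: Decision
    groups: frozenset[str] = frozenset()
    apps: frozenset[str] = frozenset()
    networks: tuple[str, ...] = ()

    def matches(self, s: SignIn, addr: Address) -> bool:
        if self.groups and not (self.groups & s.groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.networks and not any(addr in ip_network(n) for n in self.networks):
            return False
        return True


# Constructed example policy. Order matters: first matching rule wins.
POLICY: list[Rule] = [
    # Contractors never reach Microsoft 365 through this IdP.
    Rule("contractors-denied", "deny",
         groups=frozenset({"Contractors"}), apps=frozenset({"microsoft-365"})),
    # The admin center always requires MFA, whatever the source network.
    Rule("admin-center-always-mfa", "mfa", apps=frozenset({"microsoft-365-admin"})),
    # Corporate LAN (constructed range): a domain logon already happened on a
    # managed machine, so ordinary users get SSO without a second prompt.
    Rule("lan-sso-only", "allow", networks=("10.0.0.0/8",)),
    # Everything else (internet, VPN-less remote users) must satisfy MFA.
    Rule("external-mfa", "mfa"),
]


def evaluate(policy: list[Rule], s: SignIn) -> tuple[Decision, str]:
    """Return (decision, rule name). Fails closed when context is unusable
    or no rule matches, so a misconfigured policy never silently allows."""
    try:
        addr = ip_address(s.source_ip)
    except ValueError:
        return "deny", "invalid-source-ip"
    for rule in policy:
        if rule.matches(s, addr):
            # An "mfa" rule is satisfied once the user has completed MFA.
            if rule.decision == "mfa" and s.mfa_satisfied:
                return "allow", rule.name
            return rule.decision, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed sample sign-ins (203.0.113.0/24 is a documentation range).
    samples = [
        SignIn("alice", frozenset({"Staff"}), "10.1.2.3", "microsoft-365"),
        SignIn("alice", frozenset({"Staff"}), "203.0.113.7", "microsoft-365"),
        SignIn("alice", frozenset({"Staff"}), "203.0.113.7", "microsoft-365", mfa_satisfied=True),
        SignIn("bob", frozenset({"Domain Admins"}), "10.1.2.3", "microsoft-365-admin"),
        SignIn("carol", frozenset({"Contractors"}), "10.9.9.9", "microsoft-365"),
    ]
    for s in samples:
        decision, rule = evaluate(POLICY, s)
        print(f"{s.user:6} {s.source_ip:13} {s.app:22} -> {decision:5} ({rule})")
```

Two design points carry over to any real policy engine: rules are evaluated in a fixed order so a narrow rule (the admin center) can override a broad one (the LAN exemption), and the engine denies rather than allows when the context is unparsable or nothing matches.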
Read more: UserLock and Microsoft 365 with Microsoft Entra ID Domain Services
In place of complexity, UserLock provides a simple way to secure Microsoft 365 access. Add multi-factor authentication (MFA), access controls, user monitoring, and single sign-on (SSO) from a single, integrated platform.
Simplicity for admins: Manage a single MFA and access management tool to protect access across SaaS, IIS apps, VPNs, Windows logins, and RDP, all from one console.
Simplicity for end users: Sign in once using your AD credentials. MFA options include push notifications, hardware tokens, or authenticator apps.
With UserLock, organizations can meet and go beyond Microsoft 365 MFA requirements, without losing the control, simplicity, and cost-efficiency that on-prem AD enables.