Authpoint MFA Configuration for Gateways Offline

I'm working on my disaster recovery plan, and an item that has come up is MFA if our Authpoint Gateways are offline due to a disaster or a long-term internet outage.

Some Questions:
Can Authpoint be configured in a way to handle the gateways being offline so that M365 apps are accessible? I've looked into this in the past and was told the solution was to roll back federation temporarily or give each user 2 tokens.

I have a user synced from Azure from an external identity for Entra, but it will not authenticate.

Audit Log Detail
Date/Time: 2025-08-18 16:16:47
User: TestUserAzure@******.com
IP Address: usa.cloud.watchguard.com
Source: AUTH
Category: SAML
Sub-Category: LDAP
Action: UNAUTHORIZED
Target: AADSaml

Details
Origin IP: x.x.x.x
Reason: MFA did not authorize.
Error: 201.005.001 - MFA did not authorize.
Request Id: 437818fc-3f6c-471c-a9de-7c22011e8f03
Policy Used: Entra_MFA
Location Data Accuracy: Low (distance not available)
Origin Location: Minneapolis, Minnesota, United States

The Entra_MFA policy points to the test group the user is part of. The resource for the policy is AADSaml.

Any advice would be appreciated!

Answers

  • james.carson (Moderator, WatchGuard Representative)

    Hi @JAndersonGW6669

    What you need to have set up depends a lot on what you have on-premises. If you're syncing to a local AD server that is synced with Entra, you'll need the gateway to do the LDAP sync.

    If you're using AzureAD with no on-premise component, the gateway is not required to sync, but may be required for an LDAP or RD Gateway.

    See:
    (Sync Users from Entra ID)
    https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/authpoint/external-identity_azure-ad.html

    If the gateway were to go down and you weren't using it for anything but LDAP sync, existing users should still be able to authenticate to anything that doesn't require the gateway (like IDP portal, anything that uses SAML, Office 365, etc.)

    The specific authentication log you posted seems to have failed because the user didn't push allow when the token was presented. The group would not have played into this because they would have needed to complete authentication before that even came into play.

    If you need help figuring out what you have and how to harden it, I suggest opening a support case via the support center link at the top right of this page. One of our support reps can assist you.

    -James Carson
    WatchGuard Customer Support
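As an added example (not part of this thread and not WatchGuard tooling), here is a small Python parser for the AuthPoint audit entry posted above, followed by a triage that encodes the moderator's reading of the failure: error 201.005.001 / "MFA did not authorize" means the challenge was presented and not approved, and group or policy evaluation never came into play. The field names and values are taken from the posted entry; the sample text is that entry re-typed, the classification labels are my own, and the per-user counting at the end is a heuristic I added for DR triage (one user repeatedly not approving versus the same code across many users at once), not something the reply states. The parser accepts both the label-on-one-line / value-on-the-next layout and a "Label: value" layout.

```python
import copy
from typing import Dict, List, Tuple

# Constructed sample: the audit entry from the post above, re-typed in the
# flat label/value layout the forum rendered. Nothing beyond the posted
# values is real data.
SAMPLE_AUDIT_LOG = """\
Audit Log Detail
Date/Time
2025-08-18 16:16:47
User
TestUserAzure@******.com
IP Address
usa.cloud.watchguard.com
Source
AUTH
Category
SAML
Sub-Category
LDAP
Action
UNAUTHORIZED
Target
AADSaml

Details
Origin IP: x.x.x.x
Reason: MFA did not authorize.
Error: 201.005.001 - MFA did not authorize.
Request Id: 437818fc-3f6c-471c-a9de-7c22011e8f03
Policy Used: Entra_MFA
Location Data Accuracy: Low (distance not available)
Origin Location: Minneapolis, Minnesota, United States
"""

# Header labels as they appear in the posted entry.
HEADER_FIELDS = ("Date/Time", "User", "IP Address", "Source", "Category",
                 "Sub-Category", "Action", "Target")

# Error code shown in the post; interpretation follows the moderator's reply.
MFA_NOT_APPROVED_CODE = "201.005.001"


def parse_audit_entry(text: str) -> Dict[str, str]:
    """Parse one AuthPoint audit entry into a flat dict of field -> value.

    Header fields may be 'Label' on one line with the value on the next
    (the forum layout) or 'Label: value' on one line. Everything after the
    'Details' line is 'Label: value'.
    """
    lines = [l.strip() for l in text.splitlines()]
    fields: Dict[str, str] = {}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "Details":
            i += 1
            break
        label, sep, value = line.partition(": ")
        if sep and label in HEADER_FIELDS:          # "Label: value" form
            fields[label] = value.strip()
        elif line in HEADER_FIELDS and i + 1 < len(lines):  # label, value on next line
            fields[line] = lines[i + 1]
            i += 1
        i += 1
    for line in lines[i:]:                          # Details section
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def error_code(entry: Dict[str, str]) -> str:
    """Return the numeric code from 'Error: 201.005.001 - MFA did not authorize.'"""
    return entry.get("Error", "").split(" - ", 1)[0].strip()


def triage(entry: Dict[str, str]) -> str:
    """Classify a single entry (labels are this example's own, not vendor terms).

    201.005.001 means the MFA challenge was presented and not approved; group
    and policy checks only run after MFA succeeds, so this code does not point
    at the group, the policy or the gateway. Other codes are not guessed.
    """
    if entry.get("Action") != "UNAUTHORIZED":
        return "not-a-failure"
    if error_code(entry) == MFA_NOT_APPROVED_CODE:
        return "mfa-challenge-not-approved"
    return "unauthorized-other"


def failures_by_user(entries: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count UNAUTHORIZED entries per (user, error code).

    Heuristic added here: one user repeating 201.005.001 points at that user's
    token or habits; the same code across many users in one window is worth
    treating as a service-wide problem during a DR exercise.
    """
    counts: Dict[Tuple[str, str], int] = {}
    for e in entries:
        if e.get("Action") == "UNAUTHORIZED":
            key = (e.get("User", "?"), error_code(e))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    entry = parse_audit_entry(SAMPLE_AUDIT_LOG)
    print(entry["User"], entry["Policy Used"], entry["Target"], triage(entry))
    # Constructed second event: the same user declines a second push.
    second = copy.deepcopy(entry)
    second["Date/Time"] = "2025-08-18 16:18:03"
    print(failures_by_user([entry, second]))
```

Feed it a copied entry from the AuthPoint audit log; anything that parses with Action UNAUTHORIZED but a code other than 201.005.001 lands in "unauthorized-other" and should be read against the vendor's error list rather than assumed.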
