This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 64%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELP%3C/text%3E%3C/svg%3E)
Hi Microsoft community
Would we be able with ADFS 2019 to select in claim rules (at relying party level) the preferred MFA if you have multiple providers registered.
Is this really possible and how ?
The idea would be to use a claim rule like this
Set-AdfsRelyingPartyTrust -TargetName test –AdditionalAuthenticationRules 'exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-2462332226-1795882094-2017209951-xxxxx"]) =>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn") && (Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "mfaprovider");
here we would select the mfa provider based on a group
I also understood this was stated here
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server
in "Specify auth method for additional auth per RP" section
Any input would be appreciated, thx
Yes you can select what would be the MFA provider available for the user using conditions.
If you enforce MFA on a relying party, the user is normally prompted to pick one method. If you want to force the user to use one method over another, it is possible starting ADFS on Windows Server 2019.
Here are some example (using the ClaimXRay application)...
Example 1 - Force the selection of the CertificateAuthentication MFA provider for all users on a relying party trust.
Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AdditionalAuthenticationRules 'c:[] =>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");c:[] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "CertificateAuthentication");'
Example 2 - Force the selection of the CertificateAuthentication MFA provider for users member of a group (represented here by its SID) the other user will have the choice with all MFA providers.
Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AdditionalAuthenticationRules 'c:[] =>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-608905689-872870963-3921916988-12345"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "CertificateAuthentication");'
You get the gist of it I guess. If not, post here your requirement and we'll help you out with the rules.
Note that you will have to use the "legacy" authorization rules. AFAIK, you cannot use the "Access Control Policies". To disable it on a relying party, you can run the following:
Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AccessControlPolicyName:$null
Brilliant merci Pierre ! Tested, working like a charm I also found another article if it can help someone https://sysfc.uk/2020/03/14/adfs-associating-multiple-mfa-providers-to-active-directory-groups-groups/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 54%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Thanks for posting this. We are a large not-for-profit Health Care system and we are struggling with the following scenarios. We want to send MFA to Okta if you are a member of an AD group, the membership of which indicates that you are enrolled in Okta, but send to on-prem MS MFA if you are not in the group. Consistently it is providing a choice to the user. This is ADFS 2019, SQL based. Any help you could provide would be awesome
Hi Pierre, I've implemented example 2, but the user is still prompted for all methods. Are there additional things that need to be done?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 16%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Hi Pierre,
In our environment we need to offer two different MFA providers for employees (Thales) and students (Azure MFA). The selection based on groupmembership is working, but we ran into an issue with Azure MFA for students.
When students does not have a method enrolled in Azure, they need to ProofUp using the https://aka.ms/mfasetup page. But students needs to sign-in to this page, student is being redirected to ADFS and MFA is being forced by AdditionalAuthenticationRules. Is it possible to exclude proofup page from MFA?
If Azure is being used to enforce MFA (Conditional Access Policies), the page is being excluded from MFA. So it seems to possible?
@Robbert-Jan van Nugteren Please open a separate thread as this one is marked as answered and doesn't get any more love :)