Configuring ADFS for MFA on Windows 2019

vamshi krishna 1 Reputation point
2021-03-15T10:06:05.06+00:00

Hi Team,

I was trying to configure MFA per relying party trust based on a user's group membership data:

$MfaClaimRule = "c:[Type == '"https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'", Value =~ '"^(?i) <group_SID>$'"] => issue(Type = '"https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'", Value '"https://schemas.microsoft.com/claims/multipleauthn'");"

The above command is not working. (screenshot attached: 77774-mfa.jpg)

Microsoft Entra ID

2 answers

  1. Geoff 6 Reputation points
    2021-03-29T16:37:55.983+00:00

    @JamesTran-MSFT He is following the article https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies
    Look under "To configure MFA per-relying party trust that is based on a user's group membership data"; if you copy and paste the code there, there is a formatting issue.


  2. Geoff 6 Reputation points
    2021-03-29T19:54:10.983+00:00

    Here is the proper format that should work for you

    # Single-quoted PowerShell string: the embedded double quotes reach the claim rule engine unchanged.
    # The claim type URIs are literal strings and use the http:// scheme that AD FS issues; an https:// variant never matches.
    $MfaClaimRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-2526025855-2090947552-105674"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

    # Sets the global additional authentication rule, i.e. it applies to every relying party trust on this farm
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $MfaClaimRule

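As an added example (not part of Geoff's answer or the original thread), the same group-based MFA rule scoped to a single relying party trust with Set-AdfsRelyingPartyTrust, which is what the linked article's per-relying-party section describes. The SID is resolved from the group name instead of being pasted by hand, the rule is read back for verification, and the global policy is checked for an enabled additional authentication provider. The relying party name and group name are assumptions; run it in an elevated PowerShell session on an AD FS 2019 server.

```powershell
# Added example, not code from the thread. Requires the ADFS and ActiveDirectory modules.
Import-Module ADFS
Import-Module ActiveDirectory

$RpName    = 'Contoso Claims App'   # hypothetical relying party trust display name
$GroupName = 'MFA-Required-Users'   # hypothetical AD security group

# Resolve the SID from the group object. A mistyped SID does not error out; the rule
# simply never matches and nobody gets prompted for a second factor.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# Here-string with double quotes lets $GroupName/$GroupSid expand while the embedded
# double quotes of the claim rule language survive intact.
# Claim type URIs are literal http:// strings; 'Value ==' is an exact match, which
# avoids regex escaping pitfalls for a fixed SID.
$MfaClaimRule = @"
@RuleName = "Require MFA for members of $GroupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Per-relying-party scope: only this trust receives the rule. Set-AdfsAdditionalAuthenticationRule
# would instead set the global rule for every relying party on the farm.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $MfaClaimRule

# Verify: read the stored rule back from the trust
(Get-AdfsRelyingPartyTrust -Name $RpName).AdditionalAuthenticationRules

# The issued multipleauthn claim only results in a second-factor prompt if an
# additional authentication provider (Azure MFA, certificate, a third-party adapter)
# is enabled in the global authentication policy.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.AdditionalAuthenticationProvider) {
    Write-Warning 'No additional authentication provider is enabled. Enable one with Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider before relying on this rule.'
}
```

Test with two accounts, one inside and one outside the group, against this relying party only: the member should be prompted for the second factor and the non-member should not, and other relying parties should be unaffected. Group membership changes take effect at the next sign-in because the groupsid claims are evaluated per authentication, not cached in the rule.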