This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 1%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
We're wanting to use Azure MFA as a second step authentication method with our 2016 ADFS environment. We have two separate Azure AD/Office 365 tenants, and several other relying party trusts in a single ADFS farm that we wish to use it with. Azure MFA is currently setup and working for Tenant A users with a custom theme that redirects if the user hasn't gone through the "ProofUp" process (based on Microsoft's documentation). It is also setup on the other RPTs to require MFA if the user is a member of a specific on-prem AD group. Tenant B users aren't currently licensed for Azure AD Premium, so we have not been able to do any testing yet.
Any feedback or recommendations would be very much appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 80%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
In 2016 ADFS, you would have registered the ADFS to talk to a specific tenant to do the MFA. In your scenario, this is ADFS is already registered with Tenant A. So, you users in tenant B will not be able to leverage MFA through ADFS.
If you are planning to have Azure AD premium licenses, I would recommend using CA policies and perform the MFA in Azure directly.
Correct, ADFS was configured that way. Is there no way to configure ADFS for multiple tenants? Also, we are using Azure MFA for the non-Azure RPTs in our ADFS environment as well, so would we lose that for them if we did MFA in Azure directly using CA policies?
Just in case, ADFS is no longer required to achieve Single Sign-On with Azure AD workloads (such as Office 365 applications). You can use PTA/PHS with Azure AD Connect seamless Single-Sign On. In case you are using ADFS just for SSO, I thought I would bring it up :)
Doesn't the seamless SSO only work for corporate devices on the corporate network? Most of our users need to access their services remotely. ADFS is also being used as a SAML identity provider for other non-azure services, but we wanted to leverage our current Azure subscriptions for MFA for them as well (otherwise we will have to look at other solutions like Duo, Okta, etc. which are way outside of our current budget). It works for Tenant A, but we're looking for a way for it to work for Tenant B as well. If it only works with one tenant, is there a workflow to merge Tenant B into Tenant A?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 16%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Is this still a limitation in ADFS 4.0 (Windows Server 2022)?