Azure MFA for ADFS authentication

Question

Hello!
Our ADFS is federated with Azure AD.
We want to activate Azure MFA for some critical apps on-prem (registered on ADFS only).
I followed this guide https://learn.microsoft.com/fr-fr/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa
and have the Azure mfa like auth method.
But can I activate the mfa methods just for some application?

Thanks!

Answer 1

Yes (ou plutôt Oui puisque tu as mis le lien en Français)

The procedure you linked is to add Azure MFA as an MFA provider. When you add an MFA Provider it is not used until you configure an application to use it. So it is not affecting anything on your ADFS farm.

Once you have configured the MFA provider, you can enable it:

And then you can use the Access Control Policy to decide which applications (relying party trusts) will need it and under what conditions:

To require MFA for all users on one app and all the time (regardless of group membership or where the users is connected from), you can use the "Permit everyone and require MFA" policy. On the Relying Party Trusts section of the console, right click on your app and click "Edit Access Control Policy". Then select the policy you need:

The applications you don't change will not be affected.

Let us know how it goes and if you need help if you wanted to creat special conditions to trigger MFA (such as group membership etc...).

Answer 2

Bonjour,
merci pour le retour.
Mais quand j'essaie d'appliquer tout cela, j'ai cette erreur:

Exception details:
System.Exception: Exception calling SAS. ---> System.AggregateException: One or more errors occurred. --->
......(Azure Multi-Factor Auth Client) is disabled.

Une idée?

Answer 3

thanks for the reply!
We check the configuration but are not able to find the problem.
So we opened a ticket with Microsoft support.