Setting up ADFS with Azure MFA

Dan Chandler-Klein 46 Reputation points
2022-09-15T19:01:45.167+00:00

Hello, we are setting up Azure MFA with ADFS. I have implemented a Conditional Access policy to require users to use MFA. However, when users log in they are not prompted to enroll in MFA, but instead it looks like ADFS is passing off to Azure that the user has already passed MFA.

In the Sign in Logs I'm seeing these two messages:
"MFA requirement satisfied by claim in the token"
and
"MFA requirement satisfied by claim provided by external provider"

I am not integrating Azure MFA within ADFS, I'm letting MFA happen all on O365 as I found the sign up process clunky for end users. Is there a way to have the user log in through ADFS and then get prompted for Azure MFA?
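The two sign-in log entries quoted above are produced when Azure AD accepts an MFA claim issued by the federated identity provider (ADFS) instead of running Azure MFA itself. Whether that claim is accepted is controlled per federated domain, not by the Conditional Access policy. The following added example (not code from the question or the answers) reads that setting with the Microsoft Graph PowerShell SDK and shows the change that makes Azure AD perform MFA regardless of what ADFS asserts; it assumes the Microsoft.Graph module is installed, an account that can consent to Domain.ReadWrite.All, and uses "contoso.com" as a placeholder domain.

```powershell
# Added example; not code from the question or the answers.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement)
# and an account permitted to grant Domain.ReadWrite.All. "contoso.com" is a placeholder.

Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domain = "contoso.com"   # placeholder: the federated (ADFS) domain

# Read the federation configuration for the domain.
$fed = Get-MgDomainFederationConfiguration -DomainId $domain
$fed | Select-Object Id, IssuerUri, FederatedIdpMfaBehavior

# Meaning of FederatedIdpMfaBehavior:
#   acceptIfMfaDoneByFederatedIdp - (default, also when empty) accept an MFA claim from
#                                   ADFS when present, otherwise Azure AD performs MFA itself
#   enforceMfaByFederatedIdp      - always redirect to ADFS to perform MFA
#   rejectMfaByFederatedIdp       - ignore MFA claims from ADFS; Azure AD always performs MFA
switch ($fed.FederatedIdpMfaBehavior) {
    "rejectMfaByFederatedIdp"  { Write-Host "Azure AD performs MFA itself for $domain." }
    "enforceMfaByFederatedIdp" { Write-Host "Azure AD delegates MFA to ADFS for $domain." }
    default                    { Write-Host "Azure AD accepts an MFA claim from ADFS for $domain (default)." }
}

# To have Conditional Access trigger Azure MFA even when ADFS asserts that MFA
# already happened, switch the behavior to rejectMfaByFederatedIdp (uncomment to apply):
# Update-MgDomainFederationConfiguration -DomainId $domain `
#     -InternalDomainFederationId $fed.Id `
#     -FederatedIdpMfaBehavior "rejectMfaByFederatedIdp"
```

The setting applies to every user in the federated domain, so with rejectMfaByFederatedIdp any users whose MFA is done at ADFS (the Duo users mentioned later in this thread) would also be sent through Azure MFA; if only a subset should get Azure MFA, the per-group split has to be made in Conditional Access (include one group, exclude the other) rather than in this domain-wide setting. The legacy MSOnline flag SupportsMfa maps onto the same behaviors (true corresponds to enforceMfaByFederatedIdp, false to the default acceptIfMfaDoneByFederatedIdp), so SupportsMfa alone cannot express "reject".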

Tags: Active Directory Federation Services, Microsoft Entra ID

3 answers

Sort by: Most helpful
  1. JimmySalian-2011 42,111 Reputation points
    2022-09-15T19:27:09.607+00:00

    Hi @Dan Chandler-Klein ,

    I think you will have to enable the protection security policy and this will setup the MFA authentication requirement via ADFS. Check the process over here and hope this helps.

    best-practices-securing-ad-fs

    [Screenshot: 241560-image.png]

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Dan Chandler-Klein 46 Reputation points
    2022-09-15T20:19:55.72+00:00

    Thanks. From what I'm reading, this would prompt all our users for MFA in Azure though, correct? Half our users are on Duo, so we're specifying that only a subset of users get Azure MFA. We don't want the Duo users getting prompted twice.


  3. Andy David - MVP 148K Reputation points MVP
    2022-09-16T11:40:51.357+00:00

    How is this configured in ADFS and in the Azure CA Policy?

    Seems to me you would exclude a synced group from on-prem ADFS for MFA, then use that same group in Azure in a CA policy that requires MFA.

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/adfs-excluding-a-specific-user-group-from-mfa/ba-p/258813
