force authentication by Azure AD
Yes. [https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#authnrequest]
Hello,
In the context of SAML authentication:
If the Service Provider (SP) requires the user to undergo a fresh authentication, it can send a SAML request with ForceAuthn="true".
The meaning of ForceAuthn="true" is that the SP is telling Azure AD that even though the user has already authenticated in the past and the request has come with a PRT/cookie, Azure AD must still perform a fresh authentication again.
So my question is, is this functionality supported by Azure AD as IdP?
Thanks.
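To make the question concrete, here is an added example (not code from the thread, Microsoft, or any SAML library) of a minimal SAML 2.0 AuthnRequest that carries ForceAuthn="true", together with the IdP-side check that decides whether an existing session (the PRT/cookie the question mentions) may be reused. The issuer and ACS URLs are constructed placeholders; the ForceAuthn parsing follows the xs:boolean rule (absent means false, "true" or "1" means true).

```python
"""Added example: building a SAML AuthnRequest with ForceAuthn and evaluating it
on the IdP side. Issuer/ACS values below are constructed, not real endpoints."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer: str, acs_url: str, force_authn: bool = False) -> bytes:
    """Serialise an AuthnRequest for the SP. ForceAuthn is only emitted when the
    SP wants fresh authentication, because its schema default is already false."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="utf-8")


def force_authn_requested(authn_request: bytes) -> bool:
    """IdP side: read ForceAuthn as an xs:boolean ("true"/"1" or "false"/"0").
    An absent attribute means false, i.e. an existing session may be reused."""
    root = ET.fromstring(authn_request)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    value = root.get("ForceAuthn", "false").strip().lower()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError(f"invalid xs:boolean for ForceAuthn: {value!r}")


def must_reauthenticate(authn_request: bytes, has_valid_session: bool) -> bool:
    """The decision the question is about: with ForceAuthn=true the IdP must
    authenticate the user again even when a valid session cookie/PRT is present;
    without it, a missing or expired session is the only reason to re-prompt."""
    return force_authn_requested(authn_request) or not has_valid_session


if __name__ == "__main__":
    # Constructed SP identifiers for the demonstration.
    fresh = build_authn_request("https://sp.example.test", "https://sp.example.test/acs", force_authn=True)
    normal = build_authn_request("https://sp.example.test", "https://sp.example.test/acs")
    print(fresh.decode())
    print("ForceAuthn request, valid session -> reauth:", must_reauthenticate(fresh, True))
    print("Plain request, valid session -> reauth:", must_reauthenticate(normal, True))
```

The IdP-side function deliberately rejects any value that is not a valid xs:boolean rather than treating it as false, so a malformed request fails closed instead of silently reusing a session.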
Microsoft Security Active Directory Federation Services
Microsoft Security Microsoft Entra Microsoft Entra ID
11 answers
-
Mark Morowczynski 251 Reputation points Microsoft Employee
2023-01-26T00:43:21.7633333+00:00 -
testuser7 286 Reputation points
2023-01-26T14:16:26.3633333+00:00 Thanks @Mark Morowczynski
I guess we have to take the help of ForceAuthn until MS expands the list of apps under the purview of Sign-in-frequency=every-time.
Just getting a little greedy, can we force the user ONLY to do second-factor authentication??
-
Mark Morowczynski 251 Reputation points Microsoft Employee
2023-01-26T14:26:18.29+00:00 I'm going to challenge you to think about this a bit differently. Take a look at the AAL levels, [https://learn.microsoft.com/en-us/azure/active-directory/standards/nist-about-authenticator-assurance-levels], as well as Auth strengths, [https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-strengths]. If you think about classifying applications based on the required strength to get access, that should be required EACH time.
Right now you are saying that to get access to App X the first time would require 2 factors, but getting access the 2nd, 3rd, Nth time you only want to do the "Second Factor", which I'm guessing you mean to be a non-password-based auth. Would that meet the auth strength requirement you set for the application based on how sensitive/important/risky the app is to the business?
-
testuser7 286 Reputation points
2023-01-26T17:11:07.64+00:00 As I am holistically studying your pointers, I have one important point to hash out.
With the advent of Conditional Access authentication strength (AS), how does it play out?
For example, I access a resource which is protected by AS1 (can be fulfilled by TAP) and after a few minutes, I access another resource which is protected by AS2 (can be fulfilled by password+SMS).
Now we all know that TAP is stronger than SMS; however, my understanding is that the user has to undergo password+SMS.
Am I right?
And secondly, how do various authentication strengths (AS) play out with SIF? Earlier only one MFA instant time was required to be stamped in the PRT or cookie.
But now, will my PRT be stamped with individual, separate instant times for every method that I used to fulfill the authentication strength required by the resource??
Appreciate your clarification.