Hi @Vadim Kh ,
Thanks for reaching out.
I understand you are trying to set up conditional MFA setup for users, with the option to skip MFA based on a custom attribute.
You first need to create a custom attribute for users that indicates whether they are allowed to skip MFA setup.
Add a claims transformation to check the user's custom attribute.
    <ClaimsTransformation Id="CheckMFAAllowance" TransformationMethod="CompareClaimToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_MFAAllowance" TransformationClaimType="inputClaim1" />
      </InputClaims>
      <InputParameters>
        <!-- Value the custom attribute must hold for MFA setup to be skipped -->
        <InputParameter Id="compareTo" DataType="string" Value="allow" />
        <InputParameter Id="operator" DataType="string" Value="equal" />
        <InputParameter Id="ignoreCase" DataType="string" Value="false" />
      </InputParameters>
      <OutputClaims>
        <!-- Boolean result of the comparison -->
        <OutputClaim ClaimTypeReferenceId="extension_MFAAllowed" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
If the attribute value is set to "allow", the policy should skip the MFA setup page and allow the user to sign in without MFA. If the attribute value is not set to "allow", the policy should require the user to complete MFA setup before allowing sign-in.
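Based on this custom attribute value, you can use a precondition step in your user journey to skip the MFA step.
    <!-- Order="N" is a placeholder: use this step's position in your user journey -->
    <OrchestrationStep Order="N" Type="ClaimsExchange">
      <Preconditions>
        <!-- Skip only when the comparison result is True, not merely when the claim is present -->
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>extension_MFAAllowed</Value>
          <Value>True</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" />
      </ClaimsExchanges>
    </OrchestrationStep>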
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
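
A check to run over a policy file before uploading it, added here as an example and not part of the answer above: it reports orchestration steps whose skip precondition only tests that a comparison result claim exists, so the step is skipped whatever the attribute holds. The sample policy is constructed, and the code assumes that a `CompareClaimToValue` output claim is populated for both true and false results.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragment (not from a real tenant). Step 4 skips on existence, step 5 on value.
SAMPLE = """<Policy>
  <ClaimsTransformation Id="CheckMFAAllowance" TransformationMethod="CompareClaimToValue">
    <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_MFAAllowed" TransformationClaimType="outputClaim" /></OutputClaims>
  </ClaimsTransformation>
  <OrchestrationStep Order="4" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>extension_MFAAllowed</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
  </OrchestrationStep>
  <OrchestrationStep Order="5" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>extension_MFAAllowed</Value>
        <Value>True</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
  </OrchestrationStep>
</Policy>"""

def _named(root, name):
    """All descendants with this local name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def always_skipped_steps(policy_xml):
    """Return (step Order, claim) pairs where a skip hinges only on a comparison result existing."""
    root = ET.fromstring(policy_xml)
    # Assumption: a CompareClaimToValue output claim is set for both true and false results.
    bool_claims = set()
    for ct in _named(root, "ClaimsTransformation"):
        if ct.get("TransformationMethod") == "CompareClaimToValue":
            bool_claims |= {oc.get("ClaimTypeReferenceId") for oc in _named(ct, "OutputClaim")}
    flagged = []
    for step in _named(root, "OrchestrationStep"):
        for pre in _named(step, "Precondition"):
            values = [v.text.strip() for v in _named(pre, "Value") if v.text]
            actions = [a.text.strip() for a in _named(pre, "Action") if a.text]
            if (pre.get("Type") == "ClaimsExist" and pre.get("ExecuteActionsIf") == "true"
                    and "SkipThisOrchestrationStep" in actions and values[:1]
                    and values[0] in bool_claims):
                flagged.append((step.get("Order"), values[0]))
    return flagged

print(always_skipped_steps(SAMPLE))
```

The check reads one file at a time, so a transformation defined in a base policy and a step defined in an extension policy need to be merged into one document first.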