ADFS 2019 multiple mfa provider selection on RP

Laurent Pierre 26 Reputation points

Hi Microsoft community
Would we be able with ADFS 2019 to select in claim rules (at relying party level) the preferred MFA if you have multiple providers registered.
Is this really possible and how ?
The idea would be to use a claim rule like this
Set-AdfsRelyingPartyTrust -TargetName test –AdditionalAuthenticationRules 'exists([Type == "", Value == "S-1-5-21-2462332226-1795882094-2017209951-xxxxx"]) =>issue(Type = "", Value = "") && (Type = "", Value = "mfaprovider");
here we would select the mfa provider based on a group
I also understood this was stated here
in "Specify auth method for additional auth per RP" section
Any input would be appreciated, thx

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,215 questions
0 comments No comments
{count} votes

Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

    Yes you can select what would be the MFA provider available for the user using conditions.

    If you enforce MFA on a relying party, the user is normally prompted to pick one method. If you want to force the user to use one method over another, it is possible starting ADFS on Windows Server 2019.

    Here are some example (using the ClaimXRay application)...

    Example 1 - Force the selection of the CertificateAuthentication MFA provider for all users on a relying party trust.

    Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AdditionalAuthenticationRules 'c:[] =>issue(Type = "", Value = "");c:[] => issue(Type = "", Value = "CertificateAuthentication");'

    Example 2 - Force the selection of the CertificateAuthentication MFA provider for users member of a group (represented here by its SID) the other user will have the choice with all MFA providers.

    Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AdditionalAuthenticationRules 'c:[] =>issue(Type = "", Value = "");c:[Type == "", Value == "S-1-5-21-608905689-872870963-3921916988-12345"] => issue(Type = "", Value = "CertificateAuthentication");'

    You get the gist of it I guess. If not, post here your requirement and we'll help you out with the rules.

    Note that you will have to use the "legacy" authorization rules. AFAIK, you cannot use the "Access Control Policies". To disable it on a relying party, you can run the following:

    Set-AdfsRelyingPartyTrust -TargetName ClaimsXray -AccessControlPolicyName:$null
    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful