How can I create a step-up authentication with Conditional Access MFA

Kornkanok 20 Reputation points
2024-08-13T12:11:44.0533333+00:00

I have a problem with authentication context. I mean, after my guest logs in with no MFA, I want the guest to do some strong authentication, like MFA, before they go to a sensitive action or risky task, but I have no idea how to trigger an MFA API. I have tried to use {amr_values = 'mfa'} but it returns an error that the parameter isn't supported.
I used Next 14.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Authenticator
Microsoft Security | Microsoft Graph

Accepted answer
  1. Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator
    2024-08-16T12:04:37.99+00:00

    Hello @Kornkanok,

    Thank you for posting your query on Microsoft Q&A.

    Based on your statement, I understand that you want to implement MFA for guest users when they perform sensitive actions or tasks within your application, but you don’t want them to be prompted for MFA when accessing the application's home page. Please correct me if I’m mistaken. It seems you have already tried passing the amr_values=mfa request parameter, but encountered the error "AADSTS901002: The 'amr_values' request parameter is not supported." If I’m correct, your application might be using the OAuth protocol.

    Your goal is to allow guest users to authenticate to your application without MFA initially, and then prompt them for MFA only when they try to access sensitive resources. Once they complete the MFA process, they should be able to access those resources.

    However, this approach may not provide the highest level of security for your application. Microsoft strongly recommends enabling MFA for all login sessions. To enforce MFA for your application, you can refer to the following document to create a Conditional Access policy that requires multi-factor authentication:

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-guest-mfa#create-a-conditional-access-policy

    That said, if you specifically want to require MFA only for sensitive actions within your application, you can use the amr_values=mfa parameter. However, this parameter is not supported for OAuth v2.0 endpoints, which is why you received the error message. This functionality is supported for OAuth v1.0 endpoints, which I confirmed by testing in my tenant.

    Please try using the following endpoint in your request: https://login.microsoftonline.com/<tenantID>/oauth2/token

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Thanks,
    Raja Pothuraju.

    2 people found this answer helpful.
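As an added example (not code from this thread, nor from Microsoft's own samples), here is how a Node.js backend such as a Next.js route handler can trigger step-up with a Conditional Access authentication context, the mechanism the question's title refers to. On the v2.0 endpoint the trigger is the standard OIDC `claims` request parameter carrying an `acrs` claims challenge; the same challenge is what a downstream API protected by the policy returns in its `WWW-Authenticate` header. The tenant ID, client ID, redirect URI, the authentication context ID `c1` and the unsigned sample tokens are constructed placeholders; `c1` must first be created under Conditional Access > Authentication context in the Entra admin center and bound to a policy (for example one that requires MFA), and the real ID token must already have been validated by your OIDC library before its claims are inspected.

```javascript
// Added example (not from the Q&A thread): step-up authentication against
// Microsoft Entra ID with a Conditional Access authentication context claims
// challenge on the OAuth 2.0 v2.0 endpoint. Requires Node.js 16+ (base64url).

// Constructed placeholders: replace with your tenant, app registration and the
// authentication context ID (c1..c99) bound to your Conditional Access policy.
const TENANT_ID = "00000000-0000-0000-0000-000000000000";
const CLIENT_ID = "11111111-1111-1111-1111-111111111111";
const REDIRECT_URI = "http://localhost:3000/api/auth/callback";
const AUTH_CONTEXT_ID = "c1";

// The claims challenge asks Entra ID to satisfy authentication context c1
// (whatever policy is bound to it, e.g. "require MFA") before issuing the token.
function buildClaimsChallenge(authContextId, tokenType = "id_token") {
  return JSON.stringify({
    [tokenType]: { acrs: { essential: true, value: authContextId } },
  });
}

// Build the /authorize URL that the already signed-in guest is redirected to
// when they hit a sensitive route. `claims` is the standard OIDC request parameter.
function buildStepUpUrl({ tenantId, clientId, redirectUri, authContextId, state, nonce }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: "code",
    redirect_uri: redirectUri,
    response_mode: "query",
    scope: "openid profile",
    state,
    nonce,
    claims: buildClaimsChallenge(authContextId),
  });
  return `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize?${params.toString()}`;
}

// Decode a JWT payload. This does NOT verify the signature: in a real app the
// token was already validated (signature, iss, aud, exp, nonce) by your OIDC library.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Entra ID lists the satisfied authentication context IDs in the `acrs` claim.
function satisfiesAuthContext(claims, authContextId) {
  const acrs = claims.acrs;
  const list = Array.isArray(acrs) ? acrs : typeof acrs === "string" ? [acrs] : [];
  return list.includes(authContextId);
}

// A downstream API protected by the same policy answers 401 with
// WWW-Authenticate: Bearer ..., error="insufficient_claims", claims="<base64 JSON>".
// Return the decoded challenge so the client can replay it unchanged in /authorize.
function parseClaimsChallenge(wwwAuthenticate) {
  if (!/^Bearer\b/i.test(wwwAuthenticate || "")) return null;
  const m = /\bclaims="([^"]+)"/.exec(wwwAuthenticate);
  if (!m) return null;
  const json = Buffer.from(m[1], "base64").toString("utf8");
  JSON.parse(json); // throws if the API sent something that is not a claims object
  return json;
}

// Constructed, unsigned sample token for the demo only. Never accept unsigned tokens.
function sampleIdToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.`;
}

// Route guard: allow if the session already satisfies the context, else redirect.
function guardSensitiveRoute(idToken, state, nonce) {
  const claims = decodeJwtPayload(idToken);
  if (satisfiesAuthContext(claims, AUTH_CONTEXT_ID)) return { allow: true };
  return {
    allow: false,
    redirect: buildStepUpUrl({
      tenantId: TENANT_ID,
      clientId: CLIENT_ID,
      redirectUri: REDIRECT_URI,
      authContextId: AUTH_CONTEXT_ID,
      state,
      nonce,
    }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const before = sampleIdToken({ sub: "guest", amr: ["pwd"] });
  const after = sampleIdToken({ sub: "guest", amr: ["pwd", "mfa"], acrs: ["c1"] });
  console.log(guardSensitiveRoute(before, "state-1", "nonce-1"));
  console.log(guardSensitiveRoute(after, "state-1", "nonce-1"));
}
```

Keep `state` and `nonce` bound to the server-side session exactly as for the initial login, since the step-up redirect is a fresh authorization request; after the callback, re-run `satisfiesAuthContext` on the newly issued token rather than trusting that the redirect happened.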
