Integrating Microsoft Entra MFA with On-Premises AD FS and Third-Party Authenticators

Question

Integrating Microsoft Entra MFA with On-Premises AD FS and Third-Party Authenticators

Chamara Sandaruwan 0

Hello All,

I am writing to inquire about the feasibility of integrating Microsoft Entra Multi-Factor Authentication (MFA) with our on-premises Active Directory Federation Services (AD FS) environment.

Specific Questions:

Compatibility: Is the ForgeRock Authenticator app compatible with Microsoft Entra MFA to get push notifications? If not, are there any recommended third-party authenticator apps that can be used with Microsoft Entra MFA?
Implementation Steps: Could you provide a detailed step-by-step guide on configuring AD FS and Microsoft Entra ID MFA to enable 2nd-factor authentication?

1 answer

Your answer

Answer 1

FrankEscarosBuechsel-MSFT 900 Microsoft Employee Moderator

Hi @Chamara Sandaruwan • Thank you for reaching out.

It seems you want to integrate Microsoft Entra MFA with ADFS in a greenfield configuration, meaning you have not started the implementation and configuration yet and are not using the deprecated Azure Multi-Factor Authentication Server already?

Please find the answers to your specific questions below.

Compatibility for third party authenticator applications for push notifications.

At the moment only the Microsoft Authenticator app will be able to receive push notifications when configuring Authenticator applications in the Authentication Methods. You do have the possibility to add third party authenticator applications like ForgeRock Authenticator via the OATH software token protocol, however this use case is limited to time based one time password displays rather than push notifications. Some more details for this can be found in the following Learn article: Authentication methods in Microsoft Entra ID - OATH tokens. Please note that any examples for Authenticator app in our documentation usually specifically refers to the Microsoft Authenticator app.

Implementation steps for setting up Entra MFA with on-premises ADFS.

You can find a detailed step-by-step guide for the setup instructions in the following Learn article: Securing cloud resources with Microsoft Entra multifactor authentication and AD FS

On a high level the procedure includes the following steps with full details available in the linked Learn article above:

Edit claim rules on AD FS to include the multipleauthn claim
Optionally configure claim rules for trusted IPs on AD FS
Optionally configure Conditional Access policies for trusted IPs in Entra

Please note that Conditional Access is a paid licensing feature which requires a minimum of a P1 Entra license, more details around the licensing requirement can be found in the following Learn article: Microsoft Entra licensing

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Chamara Bandara 0 Reputation points

2024-11-22T06:15:59.98+00:00

Thank you, Frank. You clearly understood the question and provided an excellent solution. We will proceed with testing this implementation in the development environment. If further support is needed, I’ll add that as a comment.
Thank you again for your outstanding work!
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-11-22T18:45:10.7766667+00:00

@Chamara Bandara Hope this helps. Do let us know if you any further queries. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Chamara Bandara 0 Reputation points

2024-11-27T08:53:31.2966667+00:00

Hi Frank, we began the implementation using this document, but we encountered an issue when executing the third step(Step 3: Set the certificate as the new credential against the Azure multifactor authentication Client). https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

Is there an alternative document to guide us? This one is quite compromised, difficult to understand, and some steps are missing.

If we can complete the above-documented steps, I think we can resolve our problem.
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-11-28T14:18:18.8266667+00:00

@Chamara Bandara Can you please elaborate a bit more on where the struggle is by following the "Set the certificate as the new credential against the Azure multifactor authentication Client", are you receiving error messages somewhere in that process, can you not find specific IDs from the PowerShell command you need to run etc?

Based on that I can see if I can find some easier to digest information or break down the steps a bit more with screenshots that may be easier to follow than that article for you.
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-02T17:30:36.78+00:00

Hi @Chamara Bandara,

I followed the instructions from Configure Microsoft Entra multifactor authentication as authentication provider using AD FS which you referenced above in one of our lab setups today.

Please correct me if I am wrong, but this should be the same state your deployment is in right now, a yellow banner outlining that MFA is only available once tenant configuration is performed with Azure MFA only visible on the "Additional" tab.

Your goal being that you want Azure MFA available to select on the "Primary" tab for the authentication methods.

Step 1 was then ran in PowerShell as follows.

The ID for this was copy and pasted using the marked button from the Entra ID overview blade as per the below screenshot.

Within the same PowerShell session (this is important as the defined variable $certbase64 gets used in this command) I then ran the command from step 3 as a pure copy and paste, without having to adjust anything, the only customization step necessary was in step 1. The appid mentioned in the command can be left as is, it is the correct one.

The last step then requires the same ID from step 1 again.

After the rest of the steps and a services restart Azure MFA did then show up on the primary tab as expected.

Since this does not seem to be the same in your case I would be interested in what output step 1 and 2 produce for you to see how we can continue troubleshooting and resolving this issue for you.
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-04T15:42:13.3866667+00:00

Hi @Chamara Bandara,

Just checking in to see if you had a chance to see above steps and questions.
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-06T13:58:42.19+00:00

Hi @Chamara Bandara,

Just checking in to see if you had a chance to see above steps and questions.
Chamara Sandaruwan 0 Reputation points

2024-12-12T08:52:54.0433333+00:00

Hi @FrankEscarosBuechsel-MSFT,

Thank you very much for following up on our issues and for the information you provided. As you mentioned, we have completed all the steps, but we are now encountering this issue. Do you have any suggestions on how to troubleshoot it?

⚠️ Important:

Currently, our ADFS is not connected to Microsoft Entra ID (e.g., no relying party trust or Azure Entra Connect integration).

Other than the provided guide, we didn’t make any additional configurations in Microsoft Entra.

Looking forward to your guidance.
Chamara Sandaruwan 0 Reputation points

2024-12-12T08:55:33.87+00:00

Looking forward to your guidance.
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-12T11:23:17.52+00:00
Hi @Chamara Sandaruwan,

Just to recap what you have done so far, you could successfully complete all the 3 steps from the article, you have ticked the Azure MFA option in your Authentication methods but now you are getting login errors when trying to utilize the functionality?

Can you please provide some more details as to what AWS MFA Access is, is that a published Enterprise App in your tenant or something else?

The error message itself is usually displayed when either a policy like conditional access is requiring further factors or the user requires MFA setup in the first place. I have a couple more questions for you:

What was the additional factor which you configured for the user?

There is 2 links in the message you are receiving, are other options for sign-in displayed and do they work?

What are the exact error details being shown when that link is selected?

Have you reviewed the Sign-In logs for the tenant in Entra, they should include some further details, can you maybe share the Sign-in log for the failed Sign-in?

If you log into the Entra portal, navigate to Identity -> Monitoring & Health -> Sign-In logs and then you can filter for the Request ID that you get from the error details.

Selecting the corresponding Request ID will open the details pane which gives you access to troubleshooting information.

Both the Authentication Details tab as well as the Launch Sign-In Diagnostics link can help us further drill down into why the authentication attempt is failing.
Chamara Sandaruwan 0 Reputation points

2024-12-15T05:52:56.7266667+00:00

Hi FrankEscarosBuechsel-MSFT,

Thank you for your message and the detailed questions. Let me provide more context regarding our setup and the issues we are encountering:

Error Message:

actually, we use AWS relying party to test this MFA option which is why we used "AWS MFA Access" name.

Additional Authentication:

As the additional authentication method, we selected the Azure MFA option. Additionally, we configured the Access Control policy for our relying party to “Permit Everyone and Require MFA.”

AD User Synchronization:

Currently, our Active Directory (AD) users are not synchronized with the Azure portal. For example, in AD, we have a user named TestUser01, but this user does not exist in the Azure portal.

Do we need to sync AD users with Azure for this functionality to work correctly?

Sign-In Log Details:

We have checked the Sign-In logs on the Azure side but did not find any entries related to TestUser01 or the failed login attempt.

If there is any further information or specific steps you would recommend, please let us know.

Thank you for your assistance!

Best regards,

Chamara Sandaruwan
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-16T16:55:34.7333333+00:00

Hi @Chamara Sandaruwan,

There should be some errors in the ADFS server event logs for this, most commonly for either connectivity or certificate issues.

Can you please confirm if you already followed these steps to federate your Entra Directory with your ADFS configuration? AD FS configuration prerequisites?

I have also sent you a private message with some next steps to try that will contain data which is not meant to be shared in public screenshots.
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-18T10:57:25.4466667+00:00

Hi @Chamara Sandaruwan

Just following up to see if you had a chance to review the above questions?
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-20T11:06:31.68+00:00

Hi @Chamara Sandaruwan

Just following up to see if you had a chance to review the above questions and private message?

Share via

Integrating Microsoft Entra MFA with On-Premises AD FS and Third-Party Authenticators

1 answer

Your answer