This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 16%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGF%3C/text%3E%3C/svg%3E)
Hello,
I'm trying to use a 3rd party MFA for an Azure AD tenant that is federated with an on premise AD / ADFS.
This 3rd party is configured as a Claims Provider Trust in ADFS.
The auth flow is:
Azure AD -> ADFS -> 3rd party MFA
The authentication on the 3rd party is successfully executed and then the control is returned to ADFS that should redirect the end user to Azure AD but this process fails with the following error:
Error details: POLICY0018: Query 'samAccountName={0};userPrincipalName;{1}' to attribute store 'Active Directory' failed: 'POLICY3826: User name 'john.smith' in LDAP query 'samAccountName=john.smith;userPrincipalName;john.smith' is not in the required 'domain\user' format. POLICY3824: The LDAP query to the Active Directory attribute store must have three parts separated by semicolons. The first part is the LDAP query filter, the second part is a comma-separated list of LDAP attribute names, and the third part is the user name in 'domain\user' format.'.
The affected policy seems to be "Issue UPN" Claim Issuance Policy in "Microsoft Office 365 Identity Platform Worldwide" Relying Party
Three Claims rules are defined in the 3rd party Claim Provider:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(objectCategory=person)(objectClass=user)(userPrincipalName={0}));sAMAccountName;contoso\random", param = c.Value);
Any thoughts ?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 32%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
Thanks and could you please try this query and let us know if this will not work.
@RuleName = "Query By AD"
c:[Type == "http://schemas.company.com/ws/2013/09/identity/claims/adobjectbinaryguidstring"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = "objectGuid={0};userPrincipalName,sAMAccountName;SERVER-DEV\SRV_ADFS", param = c.Value);
Azure AD -> ADFS -> 3rd party MFA
Don't you mean:
Azure AD -> ADFS -> 3rd party IDP/Claim Provider (which happened to also provide you MFA)
It makes a huge difference when it comes to call the LDAP provider to make LDAP queries in AD as when the user is authenticated by another claim provider than AD, default rules from the wizard don't work anymore.
And then, I would also be curious to know why don't you use your MFA provider direclty in ADFS.
Thanks @Pierre Audonnet - MSFT and @Jitendra Rai for your help.
I've resolved my issue creating following two rules:
1 - get samAccountName
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> add(store = "Active Directory", types = ("temp:claim/sam"), query = "(&(objectCategory=person)(objectClass=user)(userPrincipalName={0}));samaccountname;contoso\random", param = c.Value);
2 - Issue Windows Account Name
c:[Type == "temp:claim/sam"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = "contoso\" + c.Value);
@Pierre Audonnet - MSFT , yes, you're right. I'm sorry if I haven't been very clear.
Not sure I understand your question about why I don't use my MFA provider direclty in ADFS.
The big picture is that I would like to grant access to Azure portal or to Office 365 through this 3rd party MFA / IdP ( biometrical recognizition) but Azure AD doesn't support this 3rd party . This is why I'm using ADFS. Have I answered to your question ?
My question is why not using your MFA provider directly in ADFS? ADFS supports multiple vendors for MFA provider: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs
If you were doing MFA directly in ADFS, you wouldn't have to cusmtize the claim rules at all. And it would also simplify the architecture.
Thanks @Pierre Audonnet - MSFT but the MFA provider that I'm using is not yet there.