Configuring ADFS to work with Azure MFA for a few select services only?

EnterpriseArchitect 6,301 Reputation points
2021-06-10T07:27:09.627+00:00

Hi Everyone,

I have already configured Azure AD sync to synchronize on-premises AD to Azure.

I need to enforce Azure MFA with the existing on-premises ADFS 4.0 running on my Windows Server 2016.

Can anyone here please share some steps and procedures, and what would be the consequence if I enable the setting below?

Will all services configured under the Relying Party Trust be impacted or enforced with 2FA/MFA?

104132-image.png

Like in the above screenshot?

104100-image.png

How can I check if I need additional steps to configure the Azure AD Tenant?

Thank you in advance.

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. AmanpreetSingh-MSFT 56,951 Reputation points Moderator
    2021-06-10T08:53:14.07+00:00

    Hi @EnterpriseArchitect · Thank you for reaching out.

    If you have already performed the steps below, you don't need to perform any further steps.

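    # Generate the certificate AD FS uses to authenticate to Azure MFA
    $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantID yourtenant.onmicrosoft.com
    # Add that certificate as a credential on the Azure Multi-Factor Auth Client service principal
    Connect-MsolService
    New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
    # Register the tenant with the AD FS farm, then restart the AD FS service
    Set-AdfsAzureMfaTenant -TenantId yourtenant.onmicrosoft.com -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
    Restart-Service adfssrv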
    

    Selecting the checkbox below will NOT enforce MFA on any of the Relying Parties configured on ADFS until the relying parties are configured to require MFA.
    104158-image.png

    To require MFA for a specific Relying Party, you need to:
    Right-click on the Relying Party > Edit Access Control Policy > Select one of the policies with the "require MFA" condition > Apply.

    104191-image.png


    1 person found this answer helpful.
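
The per-relying-party assignment described in the accepted answer can also be checked and applied from PowerShell on the AD FS server. This is an added example, not part of the original answer: the relying party names are hypothetical placeholders, and the `RequiresMfa` column is a name-based heuristic that only recognises the built-in AD FS 2016 policies.

```powershell
# Added example: run in an elevated session on the primary AD FS 2016 server.
# Hypothetical relying party display names; replace with the services that need MFA.
$TargetRelyingParties = @('Example HR Portal', 'Example VPN Gateway')
$PolicyName = 'Permit everyone and require MFA'   # built-in AD FS 2016 access control policy

# Report each relying party and whether its policy name indicates MFA.
# Heuristic: custom policies or legacy additional-authentication rules are not detected.
function Get-RpMfaReport {
    Get-AdfsRelyingPartyTrust | Sort-Object Name |
        Select-Object Name, Enabled, AccessControlPolicyName,
            @{ Name = 'RequiresMfa'
               Expression = { $_.AccessControlPolicyName -like '*require MFA*' } }
}

# 1. Azure MFA must be enabled as an additional authentication method (the checkbox),
#    otherwise a "require MFA" policy has no provider to satisfy it.
$global = Get-AdfsGlobalAuthenticationPolicy
if ($global.AdditionalAuthenticationProvider -notcontains 'AzureMfaAuthentication') {
    Write-Warning 'AzureMfaAuthentication is not enabled as an additional authentication method.'
}

# 2. Stop early if the policy name is wrong rather than half-applying the change.
if (-not (Get-AdfsAccessControlPolicy -Name $PolicyName)) {
    throw "Access control policy '$PolicyName' not found."
}

# 3. Record the state before the change.
Write-Output '--- Before ---'
Get-RpMfaReport | Format-Table -AutoSize

# 4. Assign the MFA policy only to the selected relying parties.
foreach ($name in $TargetRelyingParties) {
    $rp = Get-AdfsRelyingPartyTrust -Name $name
    if (-not $rp) {
        Write-Warning "Relying party '$name' not found; skipped."
        continue
    }
    Set-AdfsRelyingPartyTrust -TargetName $name -AccessControlPolicyName $PolicyName
}

# 5. Confirm that only the intended relying parties now show RequiresMfa = True.
Write-Output '--- After ---'
Get-RpMfaReport | Format-Table -AutoSize
```

Relying parties that still show `RequiresMfa = False` in the final report remain on their existing policy and are not prompted for MFA by AD FS.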
