Configuring ADFS to work with Azure MFA for a few select services only?

EnterpriseArchitect 5,406 Reputation points
2021-06-10T07:27:09.627+00:00

Hi Everyone,

I have already configured Azure AD sync to synchronize on-premises AD to Azure.

I need to enforce Azure MFA with the existing on-premises ADFS 4.0 running on my Windows Server 2016.

Can anyone here please share some steps and procedures? What would be the consequence if I enable the setting below?

Will all services configured under the Relying Party Trust be impacted or enforced with 2FA/MFA?

104132-image.png

Like in the above screenshot?

104100-image.png

How can I check if I need additional steps to configure the Azure AD Tenant?

Thank you in advance.


Accepted answer
    AmanpreetSingh-MSFT 56,646 Reputation points
    2021-06-10T08:53:14.07+00:00

    Hi @EnterpriseArchitect · Thank you for reaching out.

    If you have already performed the steps below, you don't need to perform any further steps.

    # Run in an elevated PowerShell session on the primary AD FS server (ADFS module)
    # with the MSOnline module installed; replace yourtenant.onmicrosoft.com with your tenant.
    # 1. Generate the certificate AD FS will use to authenticate to the Azure MFA service.
    $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId yourtenant.onmicrosoft.com
    # 2. Sign in to the tenant and register that certificate on the Azure MFA service principal
    #    (981f26a1-7f43-403b-a875-f8b09b8cd720 is the well-known Azure Multi-Factor Auth Client app ID).
    Connect-MsolService
    New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
    # 3. Point AD FS at the tenant and restart the service so the new setting takes effect.
    Set-AdfsAzureMfaTenant -TenantId yourtenant.onmicrosoft.com -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
    Restart-Service adfssrv

    Selecting the checkbox below will NOT enforce MFA on any of the Relying Parties configured on ADFS until the relying parties are configured to require MFA.
    104158-image.png

    To require MFA for a specific Relying Party, you need to:
    Right-click the Relying Party > Edit Access Control Policy > Select one of the policies with a "require MFA" condition > Apply.

    104191-image.png

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
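The following read-only audit script is an added example, not part of the accepted answer and not Microsoft's own tooling. It answers the question's two checks in one pass: whether the tenant registration and the Azure MFA provider are in place on the farm, and which relying parties would actually prompt for MFA. It assumes the ADFS PowerShell module on a Windows Server 2016 federation server, that `Get-AdfsAzureMfaConfigured` returns a Boolean for the tenant registration, that the built-in access control policy templates contain "MFA" in their names (the `$MfaPolicyPattern` default is an assumption; adjust it for custom policy names), and that legacy relying parties without an access control policy enforce MFA through additional-authentication claim rules issuing the `multipleauthn` claim.

```powershell
# Added example: audit the Azure MFA state of an AD FS 2016 farm (read-only).
# Assumptions: ADFS module available; run elevated on a federation server.
Import-Module ADFS

function Test-AdfsAzureMfaReady {
    # Check 1: has the tenant certificate/registration from the answer's steps been done?
    # (Assumption: Get-AdfsAzureMfaConfigured returns $true once Set-AdfsAzureMfaTenant succeeded.)
    $registered = [bool](Get-AdfsAzureMfaConfigured)

    # Check 2: is Azure MFA enabled as an additional authentication provider (the checkbox)?
    $policy = Get-AdfsGlobalAuthenticationPolicy
    $providerEnabled = [bool]($policy.AdditionalAuthenticationProvider -contains 'AzureMfaAuthentication')

    [pscustomobject]@{
        TenantRegistered = $registered
        ProviderEnabled  = $providerEnabled
        Ready            = ($registered -and $providerEnabled)
    }
}

function Get-AdfsRelyingPartyMfaStatus {
    param(
        # Assumption: built-in templates such as "Permit everyone and require MFA" match this.
        [string] $MfaPolicyPattern = '*MFA*'
    )
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $acpName   = $rp.AccessControlPolicyName
        $viaPolicy = [bool]($acpName -and ($acpName -like $MfaPolicyPattern))
        # Legacy (pre-access-control-policy) trusts enforce MFA via claim rules that
        # issue the multipleauthn authentication-method claim.
        $viaRules  = [bool]($rp.AdditionalAuthenticationRules -match 'multipleauthn')
        [pscustomobject]@{
            Name                = $rp.Name
            AccessControlPolicy = $acpName
            RequiresMfa         = ($viaPolicy -or $viaRules)
        }
    }
}

$ready = Test-AdfsAzureMfaReady
$ready | Format-List
if (-not $ready.Ready) {
    Write-Warning 'Azure MFA is not fully configured on this farm: complete the tenant registration and enable the provider before assigning MFA policies.'
}

# The answer's main point: enabling the provider alone enforces nothing; only trusts
# listed here with RequiresMfa = True will prompt users for a second factor.
Get-AdfsRelyingPartyMfaStatus | Sort-Object Name | Format-Table -AutoSize
```

Run it before and after changing a relying party's access control policy; the second table should show `RequiresMfa` flipping to `True` for that trust only, which confirms that the global checkbox did not silently extend MFA to the other services.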
