This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 28.999999999999996%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
On our ADFS 2016 farm we have a global additional authentication rule which I would like to change to an RPT-specific access control rule to have more flexibility.
The current additional authentication rule is:
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b123.45.67.89\b"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Additionally, I would like to add an AD group as an exclusion in this rule, lets call it: "no_mfa".
Is it possible to add all this in an access control rule, and if so, can you give me an example? I tested several options, and it seems that none of them work in the same way as the additional authentication rule.
This smells like an attempt to to by-pass on-premises MFA for Azure AD workload (such as Office 365). If so, bad idea. You'd better use Azure AD Conditional Access Policy to trigger MFA.
If that's not about that at all, let us know and we can dig into a technical solution.
Also, note that you can still use the "old" way to set Additional Authentication Rules in ADFS on Windows Server 2016. You will need to set the policy to null:
Set-AdfsRelyingPartyTrust -TargetName <Name of the Relaying Party Trust> -AccessControlPolicyName $null
And then modify the authorization rules from the ADFS console (when you set the policy to null and click on Edit Access Control Policy, it brings you the old Issuance Authorization Rules tab) and the additional authorization rules with PowerShell.
Yes, we still have an Azure on-prem MFA server instead of Azure cloud MFA.
Would you still recommend to switch over? I found this blog going into more detail regarding the switch to conditional access rules for MFA: https://purple.telstra.com.au/blog/using-adfs-on-premises-mfa-with-azure-ad-conditional-access
Does this cover the steps we would need to perform?
There are currently no upgrade path between Azure MFA Server and Azure MFA (cloud). The user will have to re-register for MFA.
There is an active item to request a migration script or something here, you can vote for it.
What you can do in the meantime, and if you wish to stay with the Azure MFA Server, is configure Azure AD to redirect to your ADFS for MFA (this is done by setting the -SupportMFA parameter to $true on your federation settings). So you can still use Conditional Access Policies, and when a user needs to be prompted for MFA, it will be redirect to ADFS and be prompted there.