I am not aware of a registry trick for the provider. However, it should work with alternate logon ID. I am not sure if the provider works with a non-routable UPN as I never got to try that. But it is worth a try. https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id
Azure MFA Service on ADFS 2019 - Custom AD field sent back to Azure
I have configured our ADFS servers to utilize Azure MFA Service Authentication Module as an Additional Authentication Provider. We are looking to MFA enable additional in-house web apps.
https://dirteam.com/sander/2019/12/12/howto-enable-azure-multi-factor-authentication-on-ad-fs/
This works great and as expected IF your local user account's UPN matches their account's UPN in our Azure tenant. Unfortunately, we have a non-routable internal domain name and cannot use a UPN suffix to correct this due to another LOB application the organization uses. We have modified our AD Connect sync rules to create tenant accounts using their mail attribute while we move toward a domain name change project (could take a while). Until then, we've made concessions and workarounds. An example being the NPS Extension that allows us to use MFA for our RDS environment. That extension has local registry entries that allow us to customize which of the local user's AD fields gets sent as the user's name back to Azure, and their Azure MFA works great.
I am unable to find similar configurations for the ADFS authentication method. I am hoping this is simply due to a lack of knowledge versus a direct inability to configure.
Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
2022-06-08T13:48:31.93+00:00
2 additional answers
Clint J. Hall 26 Reputation points
2022-06-08T13:54:13.237+00:00 Thank you, I have plans on that anyway to make transitions easier as we do migrate our logins; however, I have not yet put that in place. I'll work on that and post back one way or another.
Clint J. Hall 26 Reputation points
2022-06-08T16:53:14.767+00:00 Configuring Alternate ID on the ADFS server proved successful. Users can now log in using either their email address or Domain Name format. When using their email address and when Access Control Policies require MFA, the email address is sent to Azure as the user name, which properly finds the account and prompts the user's authenticator device.
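The Alternate Login ID configuration suggested in the accepted answer and confirmed above, written out as an added PowerShell example (not code from the thread or from Microsoft's documentation). It sets the AD claims provider trust to look users up by the `mail` attribute, verifies the setting, and then lists enabled users whose `mail` is empty or duplicated, since those accounts will still fail the Azure lookup. The forest name and OU path are placeholders.

```powershell
# Added example, not from the original thread. Run on an AD FS server with the
# ADFS and ActiveDirectory modules, as an AD FS administrator.
$LookupForest = 'corp.example'                   # PLACEHOLDER: your AD forest DNS name
$SearchBase   = 'OU=Users,DC=corp,DC=example'    # PLACEHOLDER: OU to pre-flight check

# 1. Enable Alternate Login ID on the Active Directory claims provider trust.
#    Users can then sign in with their mail value, which is what the Azure MFA
#    adapter passes to Azure, instead of the non-routable UPN.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID 'mail' `
    -LookupForests $LookupForest

# 2. Verify the setting actually took effect before telling users to try it.
$trust = Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY'
if ($trust.AlternateLoginID -ne 'mail') {
    throw "AlternateLoginID is '$($trust.AlternateLoginID)', expected 'mail'"
}
"AlternateLoginID = $($trust.AlternateLoginID); LookupForests = $($trust.LookupForests -join ', ')"

# 3. Pre-flight check: Alternate Login ID only helps accounts whose mail attribute
#    is populated and unique. An empty mail value means the user cannot sign in
#    with it at all; a duplicate makes the lookup ambiguous. Report both.
$users   = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties mail
$noMail  = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })
$dupMail = @($users | Where-Object { $_.mail } |
    Group-Object -Property { $_.mail.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 })

"Enabled users without a mail attribute: $($noMail.Count)"
$noMail | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

"Mail values shared by more than one account: $($dupMail.Count)"
$dupMail | ForEach-Object { "$($_.Name): $($_.Group.SamAccountName -join ', ')" }
```

Because the mail value is what reaches Azure, the tenant-side UPN produced by the AD Connect sync rule and the on-premises mail attribute must agree exactly for MFA to find the right account.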