ADFS On Premise MFA (Azure) to Azure AD MFA

Question

ADFS On Premise MFA (Azure) to Azure AD MFA

Ahmad 21

I am trying to configure a phased approach to migrate Azure MFA Server to Azure AD MFA with Federation using the following document: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation

In that document addresses claim rules one use to MFA a user externally through a specific provider depending on the group they are apart of. So far it seems no matter what I do I can do get MFA to work. The only condition that appears to rule is it determining whether I am internal or external. Any assistance with the Additional Authentication Rule and is there any prerequisites needed for ADFS to even consider those rules?

Set-AdfsRelyingPartyTrust -TargetName AppA -AdditionalAuthenticationRules 'c:[type ==
"https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type =
"https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value =
"https://schemas.microsoft.com/claims/multipleauthn" );
c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value ==
"YourGroupSID"] => issue(Type = "https://schemas.microsoft.com/claims/authnmethodsproviders",
Value = "AzureMfaAuthentication");
not exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value=="YourGroupSid"]) => issue(Type =
"https://schemas.microsoft.com/claims/authnmethodsproviders", Value =
"AzureMfaServerAuthentication");'

Answer 1

Pierre Audonnet - MSFT 10,066 Microsoft Employee

The first part is the MFA trigger:

c:[type ==  
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type =  
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value =  
"http://schemas.microsoft.com/claims/multipleauthn" );

So MFA will be triggered only if the user is connected externally (and through a Web Application Proxy).

If you want enforce MFA regardless of the user location, you can do this instead:

Set-AdfsRelyingPartyTrust -TargetName AppA -AdditionalAuthenticationRules 'c:[] => issue(type =  
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value =  
"http://schemas.microsoft.com/claims/multipleauthn" );  
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value ==  
"YourGroupSID"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders",  
Value = "AzureMfaAuthentication");  
not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",  
Value=="YourGroupSid"]) => issue(Type =  
"http://schemas.microsoft.com/claims/authnmethodsproviders", Value =  
"AzureMfaServerAuthentication");'

Ahmad 21 Reputation points

2022-08-25T16:14:02.33+00:00

Thank you I do have a good understanding of that however the problem I face is it does not work. When I test from outside it says I do not have access while I am apart of the group. It appears to only work inside when I have Issuance Authorization Rules set.
Pierre Audonnet - MSFT 10,066 Reputation points Microsoft Employee

2022-08-25T18:59:24.31+00:00

What are your access rules then? Do you mid sharing the output of Get-ADFSRelyingPartyTrust -identifier <RP ID>?
Ahmad 21 Reputation points

2022-08-27T03:15:36.223+00:00

Please see the code attached, I did play with the IAR (permit all users), permit all users and mfa externally. No matter what I did it seemed like the AAR were never considered.

235442-rp.txt
Pierre Audonnet - MSFT 10,066 Reputation points Microsoft Employee

2022-08-28T02:17:16.723+00:00

Hehe my bad, I copy/paste the wrong stuff... There's no https it is http for the claim types.
I'll update the documentation (I also edited the response above).

Here is the PR for the doc fix: https://github.com/MicrosoftDocs/azure-docs/pull/97659 feel free to comment on it :) And thank you for spotting it!

ADFS On Premise MFA (Azure) to Azure AD MFA

0 additional answers

Activity