ADFS On Premise MFA (Azure) to Azure AD MFA

Ahmad 26 Reputation points
2022-08-25T03:24:12.14+00:00

I am trying to configure a phased approach to migrate Azure MFA Server to Azure AD MFA with Federation using the following document: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation

That document addresses the claim rules one uses to MFA a user externally through a specific provider depending on the group they are a part of. So far it seems no matter what I do I cannot get MFA to work. The only condition that appears to apply is the one determining whether I am internal or external. Any assistance with the Additional Authentication Rule, and are there any prerequisites needed for ADFS to even consider those rules?

Set-AdfsRelyingPartyTrust -TargetName AppA -AdditionalAuthenticationRules 'c:[type ==
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value =
"http://schemas.microsoft.com/claims/multipleauthn" );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value ==
"YourGroupSID"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders",
Value = "AzureMfaAuthentication");
not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value == "YourGroupSID"]) => issue(Type =
"http://schemas.microsoft.com/claims/authnmethodsproviders", Value =
"AzureMfaServerAuthentication");'

Active Directory Federation Services
Microsoft Entra ID

Accepted answer
Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
2022-08-25T15:23:40.393+00:00

The first part is the MFA trigger:

c:[type ==
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value =
"http://schemas.microsoft.com/claims/multipleauthn" );

So MFA will be triggered only if the user is connected externally (and through a Web Application Proxy).

If you want to enforce MFA regardless of the user location, you can do this instead:

Set-AdfsRelyingPartyTrust -TargetName AppA -AdditionalAuthenticationRules 'c:[] => issue(type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value =
"http://schemas.microsoft.com/claims/multipleauthn" );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value ==
"YourGroupSID"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders",
Value = "AzureMfaAuthentication");
not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value == "YourGroupSID"]) => issue(Type =
"http://schemas.microsoft.com/claims/authnmethodsproviders", Value =
"AzureMfaServerAuthentication");'
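The following PowerShell is an added example, not code from the question or the accepted answer. It applies the "regardless of location" variant of the rules from the accepted answer, but first checks the two things that most often make such rules appear to do nothing: the two MFA adapters must be registered as additional authentication providers in the global AD FS policy, and the group SID must be the real SID rather than the literal placeholder "YourGroupSID". The relying party name "AppA" is the placeholder used in the thread; the group name "MFA-Azure-Pilot" and the check logic are assumptions of this example, and it assumes the ADFS and ActiveDirectory modules are available on the AD FS server.

```powershell
# Added example (not from the thread). Assumed names: relying party "AppA" (thread placeholder),
# pilot group "MFA-Azure-Pilot" (hypothetical). Run on the primary AD FS server.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName    = 'AppA'
$groupName = 'MFA-Azure-Pilot'

# Prerequisite 1: both adapters must be enabled as additional authentication providers,
# otherwise the authnmethodsproviders claim names a provider AD FS cannot offer.
$policy  = Get-AdfsGlobalAuthenticationPolicy
$missing = @('AzureMfaAuthentication', 'AzureMfaServerAuthentication') |
    Where-Object { $_ -notin $policy.AdditionalAuthenticationProvider }
if ($missing) {
    throw "Not registered as additional authentication providers: $($missing -join ', ')"
}

# Prerequisite 2: resolve the pilot group's real SID; the groupsid claim carries the SID string.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Rule 1 triggers MFA for every request to this relying party (c:[] matches any claim).
# Rule 2 routes pilot-group members to Azure AD MFA; rule 3 keeps everyone else on MFA Server.
$rules = @"
c:[] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "AzureMfaAuthentication");
not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]) => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "AzureMfaServerAuthentication");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rules

# Read the rules back: the SID must appear and no placeholder may survive.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
if ($applied -notmatch [regex]::Escape($groupSid) -or $applied -match 'YourGroupSID') {
    throw 'Additional authentication rules were not applied as expected'
}
$applied
```

The read-back at the end is the quickest check when a rule "does nothing": `Get-AdfsRelyingPartyTrust` shows exactly the string AD FS evaluates, so a stray `https://` in a claim type URI or an unreplaced placeholder is visible immediately. Rule 1 uses `c:[]` as in the accepted answer; swap in the `insidecorporatenetwork == "false"` condition from the question if MFA should only fire for external users coming through the Web Application Proxy.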