Satisfy Microsoft Entra ID multifactor authentication (MFA) controls with MFA claims from a federated IdP
This document outlines the assertions Microsoft Entra ID requires from a federated identity provider (IdP) in order to honor the configured federatedIdpMfaBehaviour values acceptIfMfaDoneByFederatedIdp and enforceMfaByFederatedIdp for Security Assertion Markup Language (SAML) and WS-Fed federation.
Tip
Configuring Microsoft Entra ID with a federated IdP is optional. Microsoft Entra recommends using the authentication methods available natively in Microsoft Entra ID.
Microsoft Entra ID now supports authentication methods that were previously available only through a federated IdP, such as certificates and smart cards with Microsoft Entra certificate-based authentication.
When an admin optionally configures their Microsoft Entra ID tenant to use a federated IdP with WS-Fed federation, Microsoft Entra redirects to the IdP for authentication and expects a response in the form of a Request Security Token Response (RSTR) containing a SAML 1.1 assertion. If configured to do so, Microsoft Entra honors MFA performed by the IdP if one of the following two claims is present:
Using sign-in frequency and session control Conditional Access policies with WS-Fed or SAML 1.1
For SAML 1.1/WS-Fed, sign-in frequency uses UserAuthenticationInstant (the SAML assertion claim http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant), which is the AuthInstant of the first-factor (password) authentication.
Using SAML 2.0 federated IdP
When an admin optionally configures their Microsoft Entra ID tenant to use a federated IdP with SAMLP/SAML 2.0 federation, Microsoft Entra redirects to the IdP for authentication and expects a response that contains a SAML 2.0 assertion.
For inbound MFA assertions to be processed by Microsoft Entra, they must be present in the AuthnContext element of the AuthnStatement. Only one method can be presented in this manner.
Using sign-in frequency and session control Conditional Access policies with SAML 2.0
Sign-in frequency uses the AuthInstant of either the MFA or the first-factor authentication provided in the AuthnStatement. Any assertions shared in the AttributeReference section of the payload are ignored, including http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactorauthenticationinstant.
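The two SAML 2.0 rules above (the MFA method must be the single AuthnContextClassRef inside the AuthnStatement, and the AuthnInstant of that statement drives sign-in frequency while attribute-borne instants are ignored) can be checked against an IdP's output before federation is switched on. The following is an added example, not Microsoft's code or part of the original article; the assertion is constructed, the IdP hostname and the MFA context class URI urn:example:mfa are placeholders, and the set of accepted URIs is whatever your IdP and Microsoft's documentation agree on.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response). The AuthnStatement carries one
# AuthnContextClassRef and an AuthnInstant of 10:00Z; the AttributeStatement also carries a
# multifactorauthenticationinstant attribute (09:00Z), which Entra ignores per the article.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2024-01-01T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactorauthenticationinstant">
      <saml:AttributeValue>2024-01-01T09:00:00Z</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def evaluate_mfa(assertion_xml, accepted_mfa_class_refs):
    """Return (mfa_satisfied, auth_instant) derived only from the AuthnStatement.

    Mirrors the rules in the text: exactly one AuthnStatement with exactly one
    AuthnContextClassRef is considered, and the AttributeStatement is never consulted.
    """
    root = ET.fromstring(assertion_xml)
    statements = root.findall("saml:AuthnStatement", NS)
    if len(statements) != 1:
        return False, None
    statement = statements[0]
    class_refs = statement.findall("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    # Only one method can be presented in the AuthnContext.
    if len(class_refs) != 1:
        return False, None
    method = (class_refs[0].text or "").strip()
    # AuthnInstant is the value sign-in frequency is measured from.
    raw_instant = statement.get("AuthnInstant", "")
    instant = datetime.fromisoformat(raw_instant.replace("Z", "+00:00")) if raw_instant else None
    return method in accepted_mfa_class_refs, instant
```

Running the same assertion with a set of accepted URIs that does not include the emitted class ref returns False, which is the case that enforceMfaByFederatedIdp would reject even though the attribute-based MFA instant is present.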