K B (United States of America) asked:
ADFS: Step by Step to enable MFA with ADFS

Is there a document that describes this... both for Modern Auth tenants and legacy tenants?

Effectively I would like to know the claim rules to enforce MFA.
J S (United States of America):

K B (asker):
Thank you for your reply. I am just trying to get the basics up and running. I thought I had modern auth clients working but that only seems to be true of the Outlook mobile app.

I think the article discusses additional rules.
K B (asker):
I'm actually referring to Office 365 based MFA and not the on-premises Azure Multi-Factor Authentication server
K B (asker):
Yep. Frankly that is pretty much all I did. I did test a ton of other stuff but the switch for the user's MFA is all that I have currently.
I'm pretty sure O365 MFA is only phone or text. You do not have the options to mess with claim-based rules since you have no control over the AD FS policies. I could be wrong though.
K B (asker):
I am trying to enable MFA without involving ADFS.  The non-modern auth clients perhaps I can play with later via ADFS but for now I cannot even get Outlook 2013 working (with the 2 needed reg keys)
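The poster mentions "the 2 needed reg keys" for Outlook 2013 without naming them. As an added example (not code from the thread), the script below assumes these are the documented Outlook 2013 modern authentication (ADAL) switches, EnableADAL and Version under HKCU\Software\Microsoft\Office\15.0\Common\Identity, and that Outlook 2013 is patched to a build that supports modern authentication and the tenant has modern auth enabled. It checks the current state, sets both values idempotently, and returns whether the profile is now configured.

```powershell
# Added example, not from the original thread.
# Assumption: the "2 reg keys" are the Outlook 2013 ADAL switches below.
# Run in the context of the user whose Outlook profile should use modern auth.
$IdentityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'

function Test-OutlookModernAuth {
    # $true only when both DWORD values exist and are set to 1
    if (-not (Test-Path -Path $IdentityKey)) { return $false }
    $p = Get-ItemProperty -Path $IdentityKey
    return ($p.EnableADAL -eq 1 -and $p.Version -eq 1)
}

function Enable-OutlookModernAuth {
    # Create the key if missing, then (re)write both values. -Force makes this idempotent.
    if (-not (Test-Path -Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }
    New-ItemProperty -Path $IdentityKey -Name 'EnableADAL' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $IdentityKey -Name 'Version'    -PropertyType DWord -Value 1 -Force | Out-Null
    return (Test-OutlookModernAuth)
}

# Usage: report the state before and after, then restart Outlook for it to take effect.
"Before: $(Test-OutlookModernAuth)"
"After:  $(Enable-OutlookModernAuth)"
```

A profile where this still reports `False` after the run usually means the values were created under a different hive or Office version path than the one Outlook actually reads; compare against the installed Office version before troubleshooting the tenant side.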
You need to set the SupportsMfa switch to False, in order to make sure MFA happens in Azure and not on-prem. Details are for example in this article:

https://blogs.technet.microsoft.com/bulentozkir/2016/05/01/office-365-customers-who-have-adfs-installed-can-do-simple-filtered-mfa-using-adfs-claim-rules/

For clients that do not support MFA, you need to bypass the enforcement via claims rules (pass the authnmethodsreferences to 'trick' the service that MFA was performed).
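The two steps in the reply above (set SupportsMfa to false so Azure AD performs the MFA, then issue the authnmethodsreferences claim from AD FS for clients that cannot do MFA) as one worked example. This is added code, not the thread's or the linked article's, and it assumes: the MSOnline and ADFS PowerShell modules on the primary AD FS server, an existing Connect-MsolService session, a federated domain of `contoso.com`, the default relying party trust name "Microsoft Office 365 Identity Platform", and that the legacy clients to exempt are the Exchange ActiveSync/Autodiscover/RPC/EWS clients matched by the regex (all assumptions to adjust for your tenant).

```powershell
# Added example, not from the original thread. Assumptions are marked inline.
$Domain = 'contoso.com'                               # assumed federated domain
$RpName = 'Microsoft Office 365 Identity Platform'    # default Azure AD RP trust name

# 1. Make Azure AD (not AD FS) the MFA provider: SupportsMfa must be $false.
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
if ($fed.SupportsMfa) {
    Set-MsolDomainFederationSettings -DomainName $Domain -SupportsMfa $false
}

# 2. Issuance rule that asserts MFA for legacy clients only. Azure AD treats an
#    authnmethodsreferences claim of 'multipleauthn' as MFA already satisfied,
#    so the per-user MFA setting does not block these clients. Browsers and
#    modern-auth clients match nothing here and are challenged by Azure AD.
#    x-ms-client-application is a request-context claim AD FS issues itself.
#    The client list in the regex is an assumption; keep it as narrow as possible.
$legacyBypassRule = @'
@RuleName = "Assert MFA for legacy Exchange clients (bypass)"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
   Value =~ "^Microsoft\.Exchange\.(ActiveSync|Autodiscover|RPCMicrosoftExchange|WebServices)$"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# 3. Append to the existing issuance transform rules rather than replacing them,
#    so the default Office 365 rules (UPN, ImmutableID, ...) remain intact.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if ($rp.IssuanceTransformRules -notmatch 'Assert MFA for legacy Exchange clients') {
    $newRules = $rp.IssuanceTransformRules + "`r`n" + $legacyBypassRule
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $newRules
}

# 4. Verify what AD FS will now issue to Azure AD.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

Note the trade-off the rule encodes: any request that presents one of the matched x-ms-client-application values is told to Azure AD as having completed MFA, so the bypass is only as strong as the protocol those legacy clients use. Scope the regex to the clients you actually still need, and remove the rule once they are migrated to modern authentication.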
K B (asker):
Vasil,

Thank you for your reply.  My SupportsMFA is set to false.

I seem to have taken a step back. I am not even able to log in to the MFA accounts via OWA anymore.

I have completely removed the RP
I re-federated only a single domain.
I have two test accounts with MFA enabled and all licenses in an E5 selected.

I now get the following error while attempting to log in to OWA, the Outlook mobile app, etc.:

[error screenshot not reproduced on this page]
Any ideas why?

Thank you.
Hard to tell like that, take a look at the event logs.
K B (asker):
I had to wipe out the ADFS WID db and start over. Not sure what happened there.
Anyway, now I am able to log in to OWA and it prompts me to use Microsoft Authenticator the first time.

Internally, each time after that, I am not challenged with MFA.  Are there additional steps to force MFA at this point?
K B (asker):
...I should say, it prompts me to choose a method for MFA.

Effectively I don't know if there are any claim rules or auth policies to configure. There must be more, right?
K B (asker):
Apparently, I just needed to wait (quite a while) for the MFA to kick in for my test user.
When changing things on the AD FS server, always test with a private session. Once you get the token, you will not be prompted for 2FA for a while. There are some controls for this, but in general you shouldn't need to change it. What happened with app passwords/non-MA clients?
K B (asker):
Vasil,

Where would I find the claim rule syntax for those clients?
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP), Bulgaria
This solution is only available to members of Experts Exchange.