K B
asked on
ADFS: Step by Step to enable MFA with ADFS
Is there a document that describes this... both for Modern Auth tenants and legacy tenants?
Effectively I would like to know the claim rules to enforce MFA.
ASKER
Thank you for your reply. I am just trying to get the basics up and running. I thought I had modern auth clients working but that only seems to be true of the Outlook mobile app.
I think the article discusses additional rules.
ASKER
I'm actually referring to Office 365 based MFA and not the on-premises Azure Multi-Factor Authentication server
I see, did you enable the user(s) in the O365 Admin center for MFA?
https://support.office.com/en-us/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6?ui=en-US&rs=en-US&ad=US#enablemfaoffice365
ASKER
Yep. Frankly that is pretty much all I did.. I did test a ton of other stuff but the switch for the user's MFA is all that I have currently.
I'm pretty sure O365 MFA is only phone or text. You do not have the options to mess with claim-based rules since you have no control over the AD FS policies. I could be wrong though.
ASKER
I am trying to enable MFA without involving ADFS. The non-modern auth clients perhaps I can play with later via ADFS but for now I cannot even get Outlook 2013 working (with the 2 needed reg keys)
You need to set the SupportsMfa switch to False, in order to make sure MFA happens in Azure and not on-prem. Details are for example in this article:
https://blogs.technet.microsoft.com/bulentozkir/2016/05/01/office-365-customers-who-have-adfs-installed-can-do-simple-filtered-mfa-using-adfs-claim-rules/
For clients that do not support MFA, you need to bypass the enforcement via claims rules (pass the authnmethodsreferences to 'trick' the service that MFA was performed).
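An added example, not from the thread or the linked article, that checks which side performs MFA for a federated domain as the answer above describes. It assumes the MSOnline and ADFS PowerShell modules are installed, uses the placeholder domain `contoso.example`, and assumes the Office 365 relying party still has its default name.

```powershell
# Added example: verify where MFA happens for a federated domain.
# Assumes the MSOnline module (run from any admin workstation) and the
# ADFS module (run on the AD FS server). 'contoso.example' is a placeholder.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a tenant administrator

$domain = 'contoso.example'   # placeholder: replace with your federated domain

# SupportsMfa = $true tells Azure AD that AD FS performs MFA, so Azure AD
# will not challenge the user itself. $false keeps the MFA prompt in Azure AD,
# which is what the answer above recommends for the O365 MFA scenario.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
'SupportsMfa for {0}: {1}' -f $domain, $fed.SupportsMfa

if ($fed.SupportsMfa) {
    # Hand the MFA challenge back to Azure AD
    Set-MsolDomainFederationSettings -DomainName $domain -SupportsMfa $false
}

# On the AD FS server: confirm no on-premises MFA rule is also attached to
# the Office 365 relying party. With SupportsMfa set to $false, an extra
# AD FS rule would only lead to double prompts or confusing behaviour.
Import-Module ADFS
$rpName = 'Microsoft Office 365 Identity Platform'   # default RP name
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ([string]::IsNullOrEmpty($rp.AdditionalAuthenticationRules)) {
    "No additional authentication (MFA) rules on '$rpName'"
} else {
    "Additional authentication rules on '$rpName':"
    $rp.AdditionalAuthenticationRules
}
```

Run the MSOnline part from any machine with the module installed and the ADFS part on the AD FS server itself; a changed SupportsMfa value takes effect for new tokens only, so test in a private browser session.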
ASKER
Vasil,
Thank you for your reply. My SupportsMFA is set to false.
I seem to have taken a step back.. I am not even able to login to the MFA accounts via OWA anymore.
I have completely removed the RP
I re-federated only a single domain.
I have two test accounts with MFA enabled and all licenses in an E5 selected.
I now get the error while attempting to login to OWA & Outlook Mobile app etc..:
Any ideas why?
Thank you.
Hard to tell like that, take a look at the event logs.
ASKER
I had to wipe out the ADFS WID db and start over.. not sure what happened there.
Anyway now I am able to login to OWA and it prompts me to use Microsoft Authenticator the first time.
Internally, each time after that, I am not challenged with MFA. Are there additional steps to force MFA at this point?
ASKER
...i should say, It prompts me to choose a method for MFA..
effectively I don't know if there are any claim rules to configure or auth policies to configure.. there must be more, right?
ASKER
Apparently, I just needed to wait (quite a while) for the MFA to kick in for my test user.
When changing things on the AD FS server, always test with a Private session. Once you get the token, you will not be prompted for 2FA for a while. There are some controls for this, but in general you shouldn't need to change it. What happened with app passwords/non-MA clients?
ASKER
Vasil,
Where would I find the claim rule syntax for those clients?
ASKER CERTIFIED SOLUTION
http://blog.enowsoftware.com/solutions-engine/ad-fs-claims-rules-and-modern-authentication