May 19 2018
- last edited on
Jul 24 2020
Is this possible
We have our domain federated with ADFS, this is for our O365 users. So when logging on to O365 home realm discovery pushes us to ADFS for authentication.
Now I want to use SAML/Azure MFA against an enterprise application which we have created in Azure. When our enterprise application redirects users to Azure for authentication, rather than being authenticated with Azure MFA we enter our email address and again home realm discovery pushes us to ADFS.
How can I have it that O365 is auth with ADFS, but our enterprise application uses Azure MFA and doesn't redirect to ADFS via HRD? Do I need conditional access policy set against enterprise application?
May 21 2018 02:35 PM
I don't think this is possible. If your domain is federated with AD FS, then the 1st authentication factor will be redirected to your on-premises AD, regardless if it's an enterprise app or not. MFA is triggered after a successful authentication token is granted (whether on premises or AAD). CA does have the option to not offer MFA in some conditions, but I'm not sure you want to do that. Are you enterprise applications users coming in from the Intranet?