ADFS 2016 & Multiple MFA providers


Currently running ADFS 2016 with Duo as our MFA provider. We are planning to move to O365 MFA, and would like to do it in a phased migration. A quick test shows that if both providers are selected in the configuration, the user is prompted to select which provider to use. Two questions: 1) is there a way to customize this selection screen? and 2) is there a way to define which provider a user is taken to based on group membership in AD? Thanks.

2 Replies

Depends, you might be able to force a specific method via claims rules (see for example here: https://dirteam.com/sander/2017/01/16/forcing-the-use-of-a-specific-azure-multi-factor-authenticatio...), but if multiple providers use the same method, you'll have to edit the aspx/js files.


@Chris Kincaid The best way I've found is to upgrade to ADFS 2019, raise the FBL, and then follow advice from https://docs.microsoft.com/answers/questions/18531/adfs-2019-multiple-mfa-provider-selection-on-rp.h...