ADFS 2016 Eliminate Passwords from the Extranet Questions

Copper Contributor

Hi Community I have a few questions around ADFS in 2016 and Azure  if anyonbody has some experience.

The TechNet documentation around this is a bit vague on details and am trying to determine the end user effect of upgrading and enabling the option to use Azure MFA as the Primary Auth method for Extranet Access in ADFS.

The documentation states:

  • “With Azure MFA as the primary authentication method, the user is prompted for their username and the OTP code from the Azure Authenticator app.”

So we need to find some answers to the following questions before I can implment this solution;

1) Does this mean that the ‘Approve / Decline’ prompt is no longer valid and each and every time MFA is evoked, the user must use the 6 digit OTA code instead?

    • Also, does the user get a prompt for their password after successful 2 factor prompt at all?

2) Can the user still specify alternative options should they not be able to use / get the OTA code such as SMS, callback etc


3) Currently I have Conditional MFA specified via Azure - not an ADFS Claim rule. Will this be effected by this change in auth method (I presume not but want to check)


4) We also leverage Azure Password Self Service. Will this be impacted on using this changed Auth method?


I know this may be a bit much to ask in one thread but I'm struggling to get any answers and can't simply try it out :)


Thanks all for any input.





1 Reply

1) yes, Code is the only supported method atm. You cannot use the app prompts to quickly approve/deny.

2) again, Code is the only supported method. For Primary auth that is. You can still configure MFA as secondary auth and enable any methods you want.

3) If you are not sending claims back to AAD, it will still ask the user to perfom Azure MFA challenge (if in scope of the conditional access policy)

4) I dont think so