SOLVED

ADFS And multiple MFA Providers


We are looking at maybe switching our MFA tokens from one token provider to another. Rather than making that switch all at once, we would like to do it in a staged manner. I am wondering if it's possible to control with groups what authentication provider is used for a user if an RP is configured for MFA?

We currently are running ADFS on Windows 2012R2.

4 Replies
Solution

You will have to use some custom solution for that, AD FS will display/allow all available MFA methods.


I kind of figured that but figured no harm in asking.  

Thanks!


I have a similar requirement. We implement an MFA for ADFS and also use the Microsoft MFA solution.

We want to let a specific group use our own MFA and others use Microsoft MFA.

Employees won't want to select which MFA they need since they will be confused.

Is there more information about how to make the login page automatically select the MFA provider for the user?


That you can control with claims rules. Just make sure to send the http://schemas.microsoft.com/claims/authnmethodsreferences claim or you will get login loops.

Look up "SupportsMFA" to get more info, here's one good post: https://blogs.technet.microsoft.com/bulentozkir/2016/05/01/office-365-customers-who-have-adfs-instal...