Google Federation with Entra ID - doesn't support MultipleAuthN SAML claim


Entra ID has a new Microsoft-managed conditional access policy that will be enabled from October 2024. However, Google doesn't support the MultipleAuthN claim that ADFS (and other IdPs) do. 


Is there a work-around for this, or do we just need to ensure that the new Microsoft-managed conditional access policy is disabled for all users? Otherwise, we somehow need to enable double MFA (MFA at both Google and Microsoft).


I imagine this might be an issue for any other federated IdPs that don't support this specific SAML claim.


There is a new alternative to the `SupportsMFA` setting in the `Set-MsolDomainFederationSettings` PowerShell command, but it doesn't allow you to 'always assume MFA is utilised in the federation' - https://learn.microsoft.com/en-us/graph/api/internaldomainfederation-update?view=graph-rest-1.0&tabs...


Thanks in advance,

Nigel
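Added example (not part of the thread): a small check an admin can run over a decoded SAML assertion from their federated IdP to see whether it carries the `multipleauthn` value that Entra ID treats as the MFA signal from a federated IdP. The claim URIs are the ones ADFS emits; the two sample assertions are constructed, the second one standing in for an IdP that only asserts password authentication.

```python
import xml.etree.ElementTree as ET

# Claim URIs ADFS emits and Entra ID checks for a federated-IdP MFA signal.
MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
AUTHN_METHODS_REFERENCES = "http://schemas.microsoft.com/claims/authnmethodsreferences"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def mfa_signals(assertion_xml: str) -> dict:
    """Report where, if anywhere, the multipleauthn value appears in an assertion."""
    root = ET.fromstring(assertion_xml)
    # Location 1: AuthnContextClassRef inside the AuthnStatement.
    class_refs = [
        (e.text or "").strip()
        for e in root.iterfind(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ]
    # Location 2: values of the authnmethodsreferences attribute (ADFS claim form).
    attr_values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AUTHN_METHODS_REFERENCES:
            attr_values += [(v.text or "").strip()
                            for v in attr.iterfind("saml:AttributeValue", NS)]
    return {
        "in_authn_context": MULTIPLEAUTHN in class_refs,
        "in_authnmethodsreferences": MULTIPLEAUTHN in attr_values,
    }

def asserts_mfa(assertion_xml: str) -> bool:
    """True if the assertion carries the MFA signal in either location."""
    return any(mfa_signals(assertion_xml).values())

# Constructed sample: an ADFS-style assertion that carries the claim in both places.
WITH_MFA = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: a password-only assertion with no multipleauthn value anywhere.
PASSWORD_ONLY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""
```

An assertion that comes back like `PASSWORD_ONLY` is the case the thread describes: Entra ID sees no federated MFA claim, so a policy requiring MFA falls through to Entra's own MFA.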

2 Replies

@nigelss-tf 


You may consider Custom Claims Choreography or Conditional Access Exceptions 

Thanks @Kidd_Ip 
That might work for B2C but this is Google Workspace SSO as the IdP. The assertion would need to come from the IdP or be assumed to be true at the SP.

I found this link, but it looks like it is still under consideration - https://issuetracker.google.com/issues/195687664?pli=1


Cheers,

Nigel