Choosing ADFS Multi-factor authentication mode based on AD Group Membership


I'm currently trying to evaluate Azure MFA as a replacement for Cisco Duo as our main MFA provider. However, currently we have Duo set as the only MFA method and I'd like to be able to change from Duo to Azure MFA based on a particular user's membership of an AD group. We use ADFS 2016 to federate with our external applications.

This way, we can test Azure MFA without any disruption and conduct a phased migration from Duo to Azure MFA in the future.

Looking at the Access Control Policy in ADFS, I can see it gives me the option to require MFA for a specific group but not the ability to choose the MFA method.

Is there any way this could be achieved without needing to modify our existing Relying Party Trusts or displaying both options to all our users?