adfs 2016
6 Topics

Configure AD FS 2016 and Azure MFA - How do I get the guid for Azure Multi-Factor Auth Client?
Hi All, I am trying to Configure AD FS 2016 and Azure MFA as shown on the Microsoft site: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa#step-1-generate-a-certificate-for-azure-mfa-on-each-ad-fs-server-using-the-new-adfsazuremfatenantcertificate-cmdlet

It says "981f26a1-7f43-403b-a875-f8b09b8cd720 is the guid for Azure Multi-Factor Auth Client" but doesn't show how we get this GUID. When I try the command I get an error message I think is related to the GUID. How do I get the guid for Azure Multi-Factor Auth Client? I hope you can help.

Colin

How to test MFA on an ADFS server
Hi All, I have set up a test ADFS server with Multi factor Authentication as shown on some web sites. https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsazuremfatenant?view=win10-ps

My question is how do I test it is configured correctly? All of the step-by-step setup guides I have seen only show how to set up MFA on an ADFS server, but they do not show how to test the setup. I hope you can help.

Thanks, Colin

Office 2016 client application not presented with ADFS Home Realm Discovery
ADFS 2016 (resource domain) with federated ADFS 2016 partner (user domain). Both ADFS environments are published with a Web Application Proxy residing in the same DMZ. When using a browser, and navigating to a site within the SharePoint environment (externally), we're prompted with the ADFS authentication chooser page (presented from the Resource ADFS). This allows us to choose whether to log in using User domain credentials or Resource domain credentials. When we use an Office 2016 client application, however, we are not presented with the authentication chooser page, we're only presented with the Resource login form. This is unexpected and naturally prevents anyone from the User domain from being able to authenticate and thus can't open a file. I haven't been able to find any references online for this issue, so any help would be greatly appreciated. Trevor Seward

UPDATE-1: Additional info... compared Fiddler capture on what should be a very similar conversation between browser accessing/authenticating/authorizing to SharePoint (on-premise) versus office client application accessing/authenticating/authorizing to SharePoint. The Office application capture presents a FedAuth cookie and all items in the header I would expect. The response it gets back includes: X-Forms-Based_Auth_Required: [adfs URI] ... at the end of this URL I see a parameter 'context=MSOFBA'. However when I look at the browser capture, I'm seeing 'RedirectToIdentityProvider=[url for User domain ADFS]'. So I'm assuming SharePoint intuitively holds a trust token for a UserDomain user via its claims. Trusted by SharePoint because it trusts its own Resourcedomain ADFS. However, Office2016 client application has no such relationship and all it gets from SharePoint is "you need to go over here to authenticate which is to the same-domain ADFS login form page"? Similarly, if I use a browser to go to "https://namespace.com/sites/site/Shared%20Documents/?context=MSOFBA" ... I get sent to a provider chooser... If I choose ADFS, I then get the ADFS Authentication Chooser which is what I need the Office 2016 client application to do...

UPDATE-2: (Perhaps this is more of an ADFS response question) I had a chance to read through a fair amount of the Microsoft online documentation on MS-OFBA. From what I understand, the Office 2016 client application is abiding by the MS-OFBA protocol by including specific options in the Request header. Additionally, ADFS also appears to be responding properly with Response headers:

* X-Forms_Based_Auth_Required: [parameterized URI]
* X-Forms_Based_Auth_Return_Url: [URL to web application]

So the biggest question I haven't been able to find an answer to is: How do we force ADFS to present the ADFS Home Realm Discovery (HRD) page (When Office 2016 client app authenticates) instead of automatically displaying the 'local' Active Directory provider login? I have found some potential in modifying the ADFS onload.js, but am not sure this is the right path.

--to be continued--

Need advice on setting up ADFS, Azure AD Connect, and Multifactor Authentication
Hi All, I’ve been asked to set up an ADFS server to give multifactor authentication for a client company. I know how to set up multi-factor authentication for Office 365 environment, but have never set up ADFS and multifactor authentication. Can you please answer some questions to point me in the right direction:

* Is there a video or a webpage that has a step-by-step, beginner's guide on setting up ADFS and Multifactor Authentication?
* Is ADFS being phased out and being replaced by the Azure AD Connect application?
* What are the benefits of using Azure AD with ADFS to set up multifactor authentication?
* If I persuade the company to purchase Azure AD to use in conjunction with ADFS to set up multifactor authentication, is there a video or a webpage that has a step-by-step, beginner's guide on setting up Azure AD, ADFS and Multifactor Authentication?

I hope you can help and any advice will be greatly appreciated. Thanks

ADFS and multi-factor authentication on one server located on an Azure VM
Hi all, Is it possible to set up ADFS and multi-factor authentication on one server? The server will be located on an Azure Virtual Machine and we will be installing Windows Server 2016. We can only afford to use one Azure VM server at present. If it is possible without any issues can you please send some website URLs, or video links. I hope you can help.

Thanks. Colin

ADFS URL change for federated login to O365
Hello, I'm looking to update our ADFS URL, for example, adfs.123uk.com to adfs.123.com. The ADFS servers and infrastructure are remaining the same. I know how to update the federation server but I'm struggling to find a way to tell Office365 about the new URL. Is it just a case of running 'Set-MsolADFSContext -computer <the FQDN of the AD FS server>'? Which is the step when you first set up ADFS with O365.