Before I jump right into it, I want to state my goals:
- I want to use Azure MFA with ADFS 2016 for authentication of on-prem users.
- I want to use phone call or text message to authenticate my users.
What I have done:
- I have set up Azure MFA with a conditional access rule requiring MFA for a specific set of users.
- I have registered one of the MFA-required users in MFA, selecting phone call as the default authentication method.
- I have installed and configured an ADFS farm. There are a number of nice blogs on how to do it; I used this.
- I installed a claims-aware sample application and set up a relying party trust with ADFS 2016.
Connect up ADFS with Azure MFA
To complete the configuration of Azure MFA for AD FS 2016, you need to configure each AD FS server using the following steps:
- Open an elevated PowerShell prompt.
- Ensure you have the MSOnline PowerShell module installed. If you do not, execute `Install-Module MSOnline`.
- Execute `$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantID <tenantID>`, where `<tenantID>` is the .onmicrosoft.com name of your Azure Active Directory tenant.
- Execute `Connect-MsolService` and provide global admin credentials for your Azure Active Directory tenant.
- Execute `New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64`.
The next step is only executed on one AD FS server in the farm. If the AD FS farm uses SQL Server as the configuration store, you may choose any AD FS server. If the AD FS farm uses WID as the configuration store, you must choose the primary AD FS server in the farm.
- Execute `Set-AdfsAzureMfaTenant -TenantId <tenantID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720`, where `<tenantID>` is the .onmicrosoft.com name of your Azure Active Directory tenant.
The final step is to restart the AD FS service on all AD FS servers in the farm. This may be done using PowerShell:
- Execute `Restart-Service adfssrv`.
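The steps above as one script, with the checks I would want before and after each step. This is an added example, not code from the original post; `$TenantId` is a placeholder, the `-IsPrimaryServer` switch and the comparison of `Get-MsolServicePrincipalCredential` output against the new certificate are my own additions, and the last two lines go beyond the post by making Azure MFA the additional (secondary) provider from PowerShell instead of the GUI.

```powershell
# Added example: per-server Azure MFA registration for AD FS 2016 with verification.
# Assumes the ADFS and MSOnline modules are available and $TenantId is a placeholder.
param(
    [Parameter(Mandatory)][string]$TenantId,   # e.g. contoso.onmicrosoft.com (placeholder)
    [switch]$IsPrimaryServer                   # set on the WID primary, or any one SQL node
)
$ErrorActionPreference = 'Stop'

# Well-known Azure MFA client id, as given in the post's instructions
$AzureMfaClientId = '981f26a1-7f43-403b-a875-f8b09b8cd720'

if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module MSOnline -Scope AllUsers -Force
}
Import-Module MSOnline

# 1. Per-server tenant certificate (created in the local machine store, base64 returned)
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId

# 2. Register the certificate's public key with the Azure MFA service principal
Connect-MsolService   # prompts for global admin credentials
New-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId `
    -Type asymmetric -Usage verify -Value $certBase64

# Check (assumption: returned Value is the same base64 string) that the credential
# really landed on the service principal before touching farm configuration
$registered = Get-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId -ReturnKeyValues $true |
    Where-Object { $_.Value -eq $certBase64 }
if (-not $registered) { throw "Certificate was not registered on the Azure MFA service principal" }

# 3. Farm-level steps: run once only, on the primary (WID) or any one node (SQL)
if ($IsPrimaryServer) {
    Set-AdfsAzureMfaTenant -TenantId $TenantId -ClientId $AzureMfaClientId
    # Keep the existing primary method and add Azure MFA as the secondary provider,
    # which is the configuration that offers phone call / text after primary auth
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'AzureMfaAuthentication'
}

# 4. Restart on every server, then confirm AD FS reports Azure MFA as configured
Restart-Service adfssrv
if (-not (Get-AdfsAzureMfaConfigured)) { throw "AD FS does not report Azure MFA as configured" }
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider,
                  AdditionalAuthenticationProvider
```

Run it on every farm node; pass `-IsPrimaryServer` only on the one node allowed to change farm configuration.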
Testing the Azure MFA on ADFS
You will now see Azure MFA as an option in the Primary tab of the authentication methods properties.
Azure MFA as Primary Authentication
In ADFS, if you select Integrated Windows Authentication (IWA) as one of the primary methods, Windows will automatically default to it and log the user in without a login menu. If you select something else, such as Forms, a menu is presented to the user on the login screen and the user can select MFA. The only MFA option for the user is to provide a verification code from the Microsoft mobile app; this is the only verification method available if you select Azure MFA as a primary authentication option.
Azure MFA as secondary authentication
In the Primary tab, uncheck Azure MFA and select one of the other options. Go to the Multi-factor tab and select Azure MFA. This means that after the primary authentication has finished, the user will be presented with a secondary authentication method (Azure MFA). This second authentication allows the use of phone call or text. But there is something to note about Azure MFA and ADFS 2016: whether it works depends on how the conditional access rule is implemented. The following rules apply:

| Configuration Scenario | Azure Conditional Access is Available? |
|---|---|
| Application is a relying party to Azure AD. Azure AD is federated with AD FS 2016 | Yes |
| Application is a relying party to AD FS 2016. Azure AD may be managed or federated with AD FS 2016 | No |
| AD FS 2016 is configured to use Azure MFA as the primary authentication method | No |
So in my case, which falls under use case 2 (the application is a relying party to AD FS 2016), my conditional access rule will not apply, and so Azure MFA will not be triggered. I discovered that after the primary authentication finished, I would get access to the application.
The option in my case would be to use Azure MFA on-prem, at least for now. There are new updates and developments every week, so I will keep monitoring and let you know when it changes!