ADFS 2016 and Azure MFA

Before I jump right into it, I want to state my goals

  1. I want to use Azure MFA with ADFS 2016 for authentication of on-prem users
  2. I want to use phone call or text to authenticate my users.

What I have done

  1. I have setup Azure MFA with conditional access rule requiring MFA for specific set of users.
  2. I have registered in one of the MFA required users in MFA. I selected phone call as default authentication.
  3. I have installed and configured an ADFS farm. Number of nice blogs on how to do it. I used this.
  4. I installed a claims aware sample application and setup relying party trust with the ADFS 2016.

Connect up ADFS with Azure MFA

To complete configuration for Azure MFA for AD FS 2016, you need to configure each AD FS server using the steps described

  1. Open an elevated PowerShell prompt
  2. Ensure you have the MSOnline PowerShell module installed. If you do not, execute

    Install-Module MSOnline

  3. Execute

    $certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <tenantID>

    where <tenantID>

    is the name of your Azure Active Directory tenant

  4. Execute


    Provide global admin credentials for your Azure Active Directory tenant

  5. Execute

    New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64

The next step is only executed on one AD FS server in the farm. If the AD FS farm uses SQL server as the configuration store, you may choose any AD FS server. If the AD FS farm uses WID as the configuration store, you must choose the primary AD FS server in the farm

  1. Execute

    Set-AdfsAzureMfaTenant -TenantId <tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720

    where <tenantID>

    is the name of your Azure Active Directory tenant

The final step is to restart the AD FS service on all AD FS servers in the farm. This may be done using PowerShell –

  1. Execute

    Restart-Service adfssrv

Testing the Azure MFA on ADFS

You will now see Azure MFA as an option in the Primary tab of the authentication methods properties.

Azure MFA as Primary Authentication

In ADFS, If you select Integrated Windows Authentication (IWA) as one of primary, then Windows will automatically default to that and log the use in without a login menu. If you select something else like Forms than a menu is present to the user on the login screen and the user can select MFA. The MFA option for the user is to provide a verification code from the Microsoft Mobile App. This is the only verification method available if you select Azure MFA on the primary authentication option.

Azure MFA as secondary authentication

In the primary option, uncheck Azure MFA and select another one of the other options. Go to the Multi-factor tab and select Azure MFA. This means that after the primary has finished, the user will be presented with a secondary authentication method (Azure MFA). This second authentication allows for the use of phone call or text. But there is something to note about Azure MFA and ADFS 2016 since it is dependent on the implementation of the conditional access rule. The following rule applies

Configuration Scenario Azure Conditional Access is Available?
Application is a relying party to Azure AD. Azure AD is federated with AD FS 2016 Yes
Application is a relying party to AD FS 2016. Azure AD may be managed or federated with AD FS 2016 No
AD FS 2016 is configured to use Azure MFA as the primary authentication method No

So in my case which falls under Use Case 2, my conditional access will not work and so Azure MFA will not work. I discovered that after the primary authentication finishes, I would get access to the application.

The option in my case would be to use Azure MFA on-prem. At least for now. There are new updates and developments every week so I will keep monitoring and let you know when it changes!