Active Directory Federation Services (AD FS) in combination with Azure Multi-Factor Authentication (MFA) Server work together when you install and configure the Azure MFA Adapter for AD FS.
Now, per Relying Party Trust (RPT) in Active Directory Federation Services (AD FS), you might want to force the use of a specific Azure Multi-Factor Authentication method.
The default checkboxes in the Global Authentication Policies and Authentication Policies per Relying Party Trust allow to enable and/or disable Multi-Factor Authentication as a requirement to log on on a per user basis, for the extranet and/or intranet and for managed and/or unmanaged devices. Now, for a lot of scenarios, these option are inadequate. Not to worry, because you can use the Edit claim rules… option from the AD FS Management Console (Microsoft.IdentityServer.msc) for a specific Relying Party Trust in the list.
The default way to do this, is to add the following line to the Claims Issuance Rule for the Relying Party Trust (RPT):
=> issue(Type = “http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod”, Value = “http://schemas.microsoft.com/claims/multipleauthn”);
Now, this claim rule will trigger the use of Multi-Factor Authentication, but it doesn’t force the use of a specific Azure Multi-Factor Authentication method.
To achieve this, we need to use an additional claims issuance rule.
This is pretty simple, because Azure MFA Server and the Active Directory Federation Services (AD FS) Security Token Service (STS) add the method to a claimtype called authmethod.
When you look at the logging produces when you enable AD FS Auditing, you can clearly see the claimtypes floating by:
Now, in the example above, the last claimtype specifies the the Azure Multi-Factor Authentication method used.
The table below lists the claimtype in relationship with the Azure Multi-Factor Authentication method used, based on AD FS on Windows Server 2012 R2 (AD FS 3.0) and Azure Multi-Factor Authentication Server version 184.108.40.206:
Let’s look at each of these a little deeper:
- http://schemas.microsoft.com/ws/2012/12/authmethod/phoneconfirmation indicates the use of the Standard Phone call.
- http://schemas.microsoft.com/ws/2012/12/authmethod/voicebiometric indicates that Phone call was successful with a PIN returned.
- http://schemas.microsoft.com/ws/2012/12/authmethod/smsreply signals the use of the Two-Way OTP used within the Text message method, whereas http://schemas.microsoft.com/ws/2012/12/authmethod/smsotp indicates One-Way OTP within the Text message method.
- http://schemas.microsoft.com/ws/2012/12/authmethod/phoneappnotification is a result of pressing Verify in the Azure Authenticator Mobile App.
- http://schemas.microsoft.com/ws/2012/12/authmethod/otp is the latest addition to the methods offered by Azure Multi-Factor Authentication Server. It indicates the use of an OATH-compatible token.
- http://schemas.microsoft.com/ws/2012/12/authmethod/kba is one that you won’t find often, since it’s the claim issued when you log in using the security answers. By default, this is a fall-back method to log onto the User Portal, only.
Forcing a method
Now all we need to do, to force the use of the phone call as the specific Azure Multi-Factor Authentication method for a Relying Party Trust in AD FS, is to edit the above Claims Issuance rule to look like this:
=> issue(Type = “http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod”, Value = “http://schemas.microsoft.com/ws/2012/12/authmethod/otp”);
Now, this approach leads to a couple of interesting observations:
- The Active Directory Federation Services (AD FS) Extensible Authentication Framework (EAF) feature, that the Azure MFA Adapter uses, does not offer the ability to force a specific authentication method. When you don’t use the method specified, you get prompted for multi-factor authentication again and again. To this purpose, enable the Prompt for user method feature.
- When a user does not have the appropriate method configured, redirect him/her to the MFA Server User Portal to configure it.
Azure MFA Server 220.127.116.11 Release Notes
Choosing the right Azure MFA authentication methods
Azure Multi-Factor Authentication Server version 18.104.22.168 for your convenience
Azure Multi-Factor Authentication Server version 22.214.171.124 is here
Azure Multi-Factor Authentication Server reaches version 126.96.36.199
Prompting colleagues for their Multi-Factor Authentication method in AD FS