Forcing the use of a specific Azure Multi-Factor Authentication method for a Relying Party Trust in AD FS

Active Directory Federation Services (AD FS) in combination with Azure Multi-Factor Authentication (MFA) Server work together when you install and configure the Azure MFA Adapter for AD FS.

Now, per Relying Party Trust (RPT) in Active Directory Federation Services (AD FS), you might want to force the use of a specific Azure Multi-Factor Authentication method.

The default checkboxes in the Global Authentication Policies and in the Authentication Policies per Relying Party Trust allow you to enable and/or disable Multi-Factor Authentication as a requirement to log on, on a per-user basis, for the extranet and/or intranet, and for managed and/or unmanaged devices. For a lot of scenarios, these options are inadequate. Not to worry, because you can use the Edit claim rules… option in the AD FS Management Console (Microsoft.IdentityServer.msc) for a specific Relying Party Trust in the list.

The default way to do this is to add the following line to the Claims Issuance Rule for the Relying Party Trust (RPT):

=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

Now, this claim rule will trigger the use of Multi-Factor Authentication, but it doesn’t force the use of a specific Azure Multi-Factor Authentication method.

To achieve this, we need to use an additional claims issuance rule.
This is pretty simple, because Azure MFA Server and the Active Directory Federation Services (AD FS) Security Token Service (STS) add the method to a claimtype called authmethod.


Available methods

When you look at the logging produced when you enable AD FS Auditing, you can clearly see the claimtypes floating by:

A typical AD FS claim as shown in AD FS logging Event ID 501

Now, in the example above, the last claimtype specifies the Azure Multi-Factor Authentication method used.
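As an added example (not code from the original post), the following PowerShell script reads the same Event ID 501 audit events from the Security log on an AD FS server and tallies which Azure Multi-Factor Authentication method values it finds, so you can see which methods your users actually authenticate with before you force one. It assumes AD FS Auditing is enabled, that these events are written by the "AD FS Auditing" provider to the Security log, and that the event message text contains the claim values in full; the 24-hour window is an arbitrary choice.

```powershell
# Added example, not from the original post.
# Assumptions: AD FS Auditing is enabled on this server, Event ID 501 lands in
# the Security log under the "AD FS Auditing" provider, and the event message
# contains the claim values verbatim.
$AuthMethodPrefix = 'http://schemas.microsoft.com/ws/2012/12/authmethod/'

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 501
    StartTime    = (Get-Date).AddHours(-24)   # arbitrary lookback window
} -ErrorAction SilentlyContinue

# Extract every claim value that starts with the authmethod prefix; the part
# after the prefix (for example "otp") identifies the MFA method used.
$pattern = [regex]::Escape($AuthMethodPrefix) + '(\S+)'
$methods = foreach ($e in $events) {
    [regex]::Matches($e.Message, $pattern) | ForEach-Object { $_.Groups[1].Value }
}

if (-not $methods) {
    Write-Warning "No authmethod claims found in Event ID 501 entries for the selected window."
} else {
    # One row per method with a count, most used first
    $methods | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ Name = 'AuthMethod'; Expression = { $_.Name } }, Count
}
```

Run this on each AD FS server in the farm, because audit events are local to the server that handled the logon; the counts tell you how many users would be affected if you were to force a single method for a Relying Party Trust.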

The table below lists each claimtype in relation to the Azure Multi-Factor Authentication method used, based on AD FS on Windows Server 2012 R2 (AD FS 3.0) and Azure Multi-Factor Authentication Server version 7.1.2.1:

Table with available claims and Multi-factor Authentication methods

Let’s look at each of these a little deeper:


Forcing a method

Now, all we need to do to force the use of the phone call as the specific Azure Multi-Factor Authentication method for a Relying Party Trust in AD FS is to edit the above Claims Issuance rule to look like this:

=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/ws/2012/12/authmethod/otp");
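Instead of editing the rule in the AD FS Management Console, the same change can be applied with the AD FS PowerShell module. The script below is an added example, not code from the original post: it stores the rule shown above as the Additional Authentication Rules of one Relying Party Trust, keeps a copy of the rules that were there before, and reads the result back from AD FS. The Relying Party Trust name is a placeholder you replace with your own; the cmdlets (Get-AdfsRelyingPartyTrust, Set-AdfsRelyingPartyTrust) are the ones shipped with the ADFS module.

```powershell
# Added example, not from the original post.
# Assumption: $RptName is a placeholder for the display name of your Relying Party Trust.
Import-Module ADFS

$RptName = 'Claims Aware App'   # placeholder, replace with your RPT name

# The rule from the post: require the Azure MFA method identified by the
# authmethod/otp value for this Relying Party Trust.
$Rule = @'
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/ws/2012/12/authmethod/otp");
'@

$rpt = Get-AdfsRelyingPartyTrust -Name $RptName
if (-not $rpt) { throw "Relying Party Trust '$RptName' was not found." }

# Set-AdfsRelyingPartyTrust replaces the whole rule set, so keep the current
# rules on disk to be able to roll back.
$stamp  = Get-Date -Format 'yyyyMMddHHmmss'
$backup = Join-Path $env:TEMP "AdditionalAuthRules-$stamp.txt"
$rpt.AdditionalAuthenticationRules | Out-File -FilePath $backup -Encoding UTF8
Write-Host "Previous rules saved to $backup"

# Apply the new Additional Authentication Rules to this RPT only
Set-AdfsRelyingPartyTrust -TargetName $RptName -AdditionalAuthenticationRules $Rule

# Read back what AD FS stored and show it for verification
(Get-AdfsRelyingPartyTrust -Name $RptName).AdditionalAuthenticationRules
```

Because the cmdlet overwrites the complete set of Additional Authentication Rules for the trust, append any rules you still need (for example the extranet-only condition) to the same here-string rather than running the cmdlet twice. A rule change like this only takes effect for new logons, so test with a fresh browser session.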


Recommendations

Now, this approach leads to a couple of interesting observations:

  1. The Active Directory Federation Services (AD FS) Extensible Authentication Framework (EAF) feature that the Azure MFA Adapter uses does not offer the ability to force a specific authentication method. When you don’t use the specified method, you get prompted for multi-factor authentication again and again. For this purpose, enable the Prompt for user method feature.
  2. When a user does not have the appropriate method configured, redirect them to the MFA Server User Portal to configure it.

Further reading

Azure MFA Server 7.1.2.1 Release Notes
Choosing the right Azure MFA authentication methods
Azure Multi-Factor Authentication Server version 7.1.2.1 for your convenience
Azure Multi-Factor Authentication Server version 7.0.2.1 is here
Azure Multi-Factor Authentication Server reaches version 7.0.0.9 
Prompting colleagues for their Multi-Factor Authentication method in AD FS

One Response to Forcing the use of a specific Azure Multi-Factor Authentication method for a Relying Party Trust in AD FS

  1. very nice post, i undoubtedly really like this fabulous site, persist with it
