Prompting colleagues for their Multi-Factor Authentication method in AD FS

Since version 7 of the on-premises Azure MFA Server, a new setting is available that might make sense in your Hybrid Identity environment when using Active Directory Federation Services (AD FS), called Prompt for user’s method.

According to the Azure MFA Server 7.1.2.1 Release Notes, this feature is available since version 7.0.0.9.

In the release notes the feature is described as:

AD FS adapter now displays a list of MFA methods to choose from based on

  1. options configured under the Allow users to select method checkbox and
  2. the information registered by the user.

This allows users to choose a preferred authentication method each time they sign in. Alternatively, the adapter can perform the user’s default MFA method immediately, then display the list of options if the user doesn’t respond. Note that users connecting from Windows Phone whose default method is Mobile App will always see the list of options except Mobile App due to a known issue where the app being accessed loses state when switching over to the authenticator app, thus resulting in a failed authentication after completing MFA.

This feature makes the configuration very easy to implement on Azure MFA Server version 7 and up. Let’s dive into it:


Prior to Azure MFA Server version 7

For versions of Azure MFA Server prior to version 7, you needed to add an extra line of text to the MultiFactorAuthenticationAdfsAdapter.config file, before registering the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) Adapter.

To enable the Prompt for user’s method feature, you needed to add the following line:

<AutomaticallyTriggerUserDefaultMethod>False</AutomaticallyTriggerUserDefaultMethod>

To automatically trigger the user’s default method instead, use the following line:

<AutomaticallyTriggerUserDefaultMethod>True</AutomaticallyTriggerUserDefaultMethod>


When you had already registered an Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) Adapter, you had to disable the MFA provider in AD FS, unregister the adapter, re-register the adapter and then enable the MFA provider in AD FS again, just to switch this functionality on or off. A lot of hassle for a setting that feels trivial…
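The pre-version-7 procedure above, scripted end to end as an added example (this is not code from the original post or from Microsoft). It edits the config file as XML rather than with a string replacement, so a missing or duplicated AutomaticallyTriggerUserDefaultMethod element is handled and the file stays well-formed, then runs the disable / unregister / re-register / enable cycle and reads the result back. The install directory, the provider name WindowsAzureMultiFactorAuthentication and the names of the vendor's Register-/Unregister-MultiFactorAuthenticationAdfsAdapter.ps1 scripts are assumptions, not values from the post; check them against your own installation before running this elevated on the primary AD FS server.

```powershell
# Added example, not code from the original post or from Microsoft.
# Switches the pre-version-7 AutomaticallyTriggerUserDefaultMethod setting in
# MultiFactorAuthenticationAdfsAdapter.config and performs the disable /
# unregister / re-register / enable cycle that the post describes.
#
# Assumptions (none of these are stated in the post):
#   - the MFA Server install directory in $MfaDir
#   - the vendor's Register-/Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
#     scripts live in that directory and register the provider as $ProviderName
#   - this runs elevated on the primary AD FS server with the ADFS module loaded
param(
    [Parameter(Mandatory)]
    [bool]$TriggerDefaultMethod,   # $false = "Prompt for user's method", $true = auto-trigger the default
    [string]$MfaDir = 'C:\Program Files\Multi-Factor Authentication Server',   # assumed location
    [string]$ProviderName = 'WindowsAzureMultiFactorAuthentication'            # assumed provider name
)

$ConfigPath  = Join-Path $MfaDir 'MultiFactorAuthenticationAdfsAdapter.config'
$ElementName = 'AutomaticallyTriggerUserDefaultMethod'

# 1. Edit the config as XML. Match on LocalName so a default namespace on the
#    root element does not hide an existing setting from us.
[xml]$config = Get-Content -Path $ConfigPath -Raw
$root = $config.DocumentElement
$node = $root.ChildNodes | Where-Object { $_.LocalName -eq $ElementName } | Select-Object -First 1
if (-not $node) {
    $node = $config.CreateElement($ElementName, $root.NamespaceURI)
    [void]$root.AppendChild($node)
}
$node.InnerText = if ($TriggerDefaultMethod) { 'True' } else { 'False' }

Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a rollback copy
$config.Save($ConfigPath)

# 2. Disable the MFA provider in AD FS by removing it from the additional
#    authentication providers, keeping any other providers that are enabled.
$policy    = Get-AdfsGlobalAuthenticationPolicy
$remaining = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ -ne $ProviderName })
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining

# 3. Unregister and re-register the adapter with the vendor's scripts so the
#    adapter is loaded with the edited config.
& (Join-Path $MfaDir 'Unregister-MultiFactorAuthenticationAdfsAdapter.ps1')
& (Join-Path $MfaDir 'Register-MultiFactorAuthenticationAdfsAdapter.ps1')

# 4. Enable the MFA provider in AD FS again.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($remaining + $ProviderName)

# 5. Verify: the element reads back with the requested value and the provider
#    is listed as an additional authentication provider again.
([xml](Get-Content -Path $ConfigPath -Raw)).DocumentElement.$ElementName
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

Run it as `.\Set-MfaPrompt.ps1 -TriggerDefaultMethod $false` to get the Prompt for user’s method behaviour, or with `$true` to trigger the default method automatically. Because the adapter only reads its config at registration time, the register and unregister steps are what actually apply the change; editing the file alone does nothing until the cycle has run.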


Azure MFA Server version 7, and up

To enable or disable the Automatically trigger user’s default method setting in Azure Multi-Factor Authentication (MFA) Server version 7 and up, you can use the Azure MFA Server Management User Interface (MultiFactorAuthUI.exe).

In Global Settings, select or deselect the option to Automatically trigger user’s default method under Allow users to select method.

Global Settings in Azure MFA Server

This change is almost immediate. You don’t need to reset or restart, de-register or re-register the Azure MFA AD FS Adapter(s) to make it happen.


Further reading

Azure MFA Server 7.1.2.1 Release Notes 
Choosing the right Azure MFA authentication methods 
Azure Multi-Factor Authentication Server version 7.1.2.1 for your convenience 
Azure Multi-Factor Authentication Server version 7.0.2.1 is here 
Azure Multi-Factor Authentication Server reaches version 7.0.0.9
