

Today we're going to share how to enable an additional authentication method to be used as primary authentication on AD FS.

In this article, we'll set up the Azure Multi-Factor Authentication Server adapter, but these steps can be applied to the Azure MFA adapter or any third-party additional authentication method supported by AD FS.

To check the full list of supported adapters, please check this link.

As mentioned previously, Azure MFA can be used as well. If you have an MFA Server environment, I will assume the MFA Server connector is already deployed. If you plan to use Azure MFA with AD FS, but currently don't have the service configured, check this official documentation to have it configured: Configure AD FS 2016 and Azure MFA | Microsoft Docs

Enabling the MFA Server as the primary authentication method

Open the AD FS console on your AD FS 2019 server, expand Service » Authentication Methods, and select the option: Allow additional authentication providers as primary

You will receive a warning message regarding AD FS custom pages as below:

With the option enabled, we can now select Azure Multi-Factor Authentication Server, previously available only as an additional authentication method, on the Primary authentication tab:

As our goal is to set up multi-factor authentication, on the Additional tab we'll use Forms Authentication to have users provide username and password as a second factor after they have already authenticated using MFA Server as primary authentication:

As recommended for AD FS 2019, you need to change the anchor type on the Active Directory Claims Provider Trust from windowsaccountname to UPN, as documented in this official document:

Using PowerShell, run the command below:

Set-AdfsClaimsProviderTrust -AnchorClaimType "" -TargetName "Active Directory"

To require multi-factor authentication, configure the Access Control Policy on AD FS with the setting Permit everyone and require MFA as below:

With the policy properly configured, let's have our user accessing which belongs to Office 365 Relying Party Trust configured above.

First authentication prompt: MFA Server with Phone SMS method

In the AD FS Tracing logs, checking event ID 155, we get more information on the Primary authentication:

Primary stage authDomain: AuthenticationMethods:
ProviderAuthInfoList: AzureMfaServerAuthentication

Second authentication prompt: Forms-based authentication with username and password

In the AD FS Tracing logs, we see on the same event ID 155 the Secondary authentication:

Second stage authDomain: AuthenticationMethods:
ProviderAuthInfoList: FormsAuthentication Urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Urn:oasis:names:tc:SAML:2.0:ac:classes:Password
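A read-only check of the end state this article configures, as an added example that is not part of the original article: it flags the cases where the MFA adapter is primary but no password step or MFA-requiring policy backs it, which would leave sign-in single-factor. The function name, the sample objects and the UPN suffix match are assumptions; the property names are assumed to match the output of the Get-Adfs* cmdlets named in the comments.

```powershell
# Added example: evaluates AD FS settings against the configuration described in the article.
function Test-AdfsMfaAsPrimary {
    param(
        [Parameter(Mandatory)] $GlobalPolicy,    # from Get-AdfsGlobalAuthenticationPolicy
        [Parameter(Mandatory)] $RelyingParty,    # from Get-AdfsRelyingPartyTrust -Name <trust>
        [Parameter(Mandatory)] $ClaimsProvider,  # from Get-AdfsClaimsProviderTrust -Name 'Active Directory'
        [string] $MfaAdapter = 'AzureMfaServerAuthentication'  # provider name shown in event ID 155
    )
    $findings = @()
    $primary = @($GlobalPolicy.PrimaryIntranetAuthenticationProvider) +
               @($GlobalPolicy.PrimaryExtranetAuthenticationProvider)

    if (-not $GlobalPolicy.AllowAdditionalAuthenticationAsPrimary) {
        $findings += 'Additional authentication providers are not allowed as primary.'
    }
    if ($primary -notcontains $MfaAdapter) {
        $findings += "$MfaAdapter is not selected as a primary method."
    }
    elseif (@($GlobalPolicy.AdditionalAuthenticationProvider) -notcontains 'FormsAuthentication') {
        # MFA adapter is the first stage, so the password must come from the Additional tab.
        $findings += 'MFA adapter is primary but FormsAuthentication is not an additional method.'
    }
    if ($RelyingParty.AccessControlPolicyName -ne 'Permit everyone and require MFA') {
        $findings += "Relying party '$($RelyingParty.Name)' does not use 'Permit everyone and require MFA'."
    }
    # Assumption: the UPN claim type URI ends in /claims/upn.
    if ($ClaimsProvider.AnchorClaimType -notlike '*/claims/upn') {
        $findings += 'Active Directory anchor claim type is not UPN.'
    }
    $findings
}

# Constructed sample objects (not real server output): a deliberately incomplete setup.
$global = [pscustomobject]@{
    AllowAdditionalAuthenticationAsPrimary = $true
    PrimaryIntranetAuthenticationProvider  = @('AzureMfaServerAuthentication')
    PrimaryExtranetAuthenticationProvider  = @('AzureMfaServerAuthentication')
    AdditionalAuthenticationProvider       = @()
}
$rp = [pscustomobject]@{ Name = 'Office 365 (sample)'; AccessControlPolicyName = 'Permit everyone' }
$cp = [pscustomobject]@{
    AnchorClaimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
}

Test-AdfsMfaAsPrimary -GlobalPolicy $global -RelyingParty $rp -ClaimsProvider $cp
```

On an AD FS server, pass the output of the three cmdlets named in the parameter comments instead of the sample objects; an empty result means the settings match the article's configuration.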
