Planning for mandatory multifactor authentication for Azure

Microsoft has announced that starting in October of this year, MFA will be required to sign in to the Azure portal, the Microsoft Entra admin center, and the Intune admin center.

We have several customers who are using NAM as an IdP via WS-Fed federation, and I assume there must be many more out there.
Does anyone know if there is a way to satisfy this requirement without having to abandon NAM as an IdP with WS-Fed?
Has anyone dealt with this yet?

  • Reply

    To add some more information, I see that Microsoft indicates that "external multifactor authentication solutions and federated identity providers will continue to be supported and will meet the MFA requirement if they are configured to send an MFA claim".

    The question is, how can we send the MFA claim with WS-Fed?

  • Reply

    There is an additional attribute that needs to be sent; I'll search for it tomorrow and let you know.

    But in addition to that you also need to tell MS that the IdP will provide MFA information, which can be done by running

    Set-MsolDomainFederationSettings -DomainName <federated domain> -PromptLoginBehavior Disabled -SupportsMfa $True

    Please note that there is also an MS Graph alternative for SupportsMfa, but I don't know it off the top of my head.

    Kind regards,

    Sebastijan


  • Reply

    Thanks!

    I guess for MSGraph it must be the parameter federatedIdpMfaBehavior.

  • Suggested Answer

    Yes. For the attribute, you need to send an attribute named authnmethodsreferences in the namespace http://schemas.microsoft.com/claims.

    This can be an array of the authentication methods that the user has performed. It might be enough to send the value http://schemas.microsoft.com/claims/multipleauthn, but I just prepare a virtual attribute with a bit more to be sure MS is happy:

    The custom JavaScript function that I use is the following:

    // NAM virtual attribute entry point; the P1 parameter is not used here
    function main(P1){
    	return returnAuthnmethodsreferences();
    }
    // Fixed list of authentication method URIs returned as the value of the
    // authnmethodsreferences claim (namespace http://schemas.microsoft.com/claims)
    function returnAuthnmethodsreferences(){
    	var result = [
    		"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    		"http://schemas.microsoft.com/ws/2012/12/authmethod/phoneconfirmation",
    		"http://schemas.microsoft.com/claims/multipleauthn"
    	];
    	return result;
    }

    Mapping then looks like that:

    I hope this helps

    //s

    Kind regards,

    Sebastijan

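As an added example (not code from the original posts, and not NetIQ/OpenText or Microsoft code), the following virtual attribute function derives the authnmethodsreferences values from the methods the session actually completed instead of returning a fixed list, so the multipleauthn value is only asserted to Entra when two distinct factor classes were used. It assumes that the NAM parameter P1 is mapped to carry the list of method/contract URIs the user satisfied (as an array or a whitespace/comma separated string); that mapping, the factor classification table, and the toSaml11Attribute helper (which renders the claim in the SAML 1.1 attribute form a WS-Fed token carries, useful when checking a captured token) are this example's own assumptions.

```javascript
// Added example: derive the authnmethodsreferences claim from the methods
// actually performed. Assumption: P1 is mapped to the list of authentication
// method/contract URIs the session satisfied (array or delimited string).

const MS_CLAIMS = "http://schemas.microsoft.com/claims/";
const MS_AUTHMETHOD = "http://schemas.microsoft.com/ws/2012/12/authmethod/";
const SAML_AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:";

// Factor class per method URI. The three URIs from the post plus two further
// Microsoft/ADFS method URIs; the classification itself is this example's own.
const METHOD_FACTOR = {
  [SAML_AC + "PasswordProtectedTransport"]: "knowledge",
  [SAML_AC + "Password"]: "knowledge",
  [MS_AUTHMETHOD + "phoneconfirmation"]: "possession",
  [MS_AUTHMETHOD + "phoneappnotification"]: "possession",
  [MS_AUTHMETHOD + "otp"]: "possession",
};

// Returns the array of method URIs to emit; appends multipleauthn only when at
// least two different factor classes were completed. Unknown URIs are dropped
// so they can never count toward MFA.
function returnAuthnmethodsreferences(performedMethods) {
  const methods = [];
  const factors = new Set();
  for (const m of performedMethods || []) {
    if (!Object.prototype.hasOwnProperty.call(METHOD_FACTOR, m)) continue;
    if (!methods.includes(m)) methods.push(m);
    factors.add(METHOD_FACTOR[m]);
  }
  if (factors.size >= 2) methods.push(MS_CLAIMS + "multipleauthn");
  return methods;
}

// NAM virtual attribute entry point (assumed P1 mapping, see above).
function main(P1) {
  const list = Array.isArray(P1)
    ? P1
    : String(P1 || "").split(/[\s,;]+/).filter(Boolean);
  return returnAuthnmethodsreferences(list);
}

// Renders the claim as a SAML 1.1 Attribute element, the form a WS-Fed token
// to Entra carries it in; handy for comparing against a captured token.
function toSaml11Attribute(values) {
  const esc = (s) =>
    String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  const body = values
    .map((v) => `<saml:AttributeValue>${esc(v)}</saml:AttributeValue>`)
    .join("");
  return (
    `<saml:Attribute AttributeName="authnmethodsreferences" ` +
    `AttributeNamespace="http://schemas.microsoft.com/claims">${body}</saml:Attribute>`
  );
}

// Constructed sample: password plus phone confirmation in one session.
if (typeof require !== "undefined" && require.main === module) {
  const sample = [SAML_AC + "PasswordProtectedTransport", MS_AUTHMETHOD + "phoneconfirmation"];
  console.log(toSaml11Attribute(main(sample)));
}
```

Two same-class methods (for example phoneconfirmation and otp) do not produce multipleauthn, and an empty or unmapped input yields an empty claim, so a session that only did a password never tells Entra that MFA was satisfied.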