ADFS Associating Multiple MFA Providers to Active Directory Groups

We heavily utilise Active Directory Federation Services (ADFS) as our preferred SSO provider. We have been looking to switch from our existing MFA provider to Azure MFA. Upon configuring our test environment with multiple MFA providers I found that this requires users to select which MFA provider to use at login.

For us this is far from ideal; we would prefer to manage the choice on behalf of the user. With a large and diverse user base it can be a significant challenge to communicate changes, especially big bang changes. We want to be able to pilot and deploy Azure MFA without affecting the community of users that have not yet been migrated.

The ideal solution would be to have the MFA provider assignment associated with an AD group. There is no way of configuring this in the GUI and I was not able to find any documentation on how to accomplish this, so I contacted Microsoft support.

Thankfully they came back with a solution, which is a new feature in Windows Server 2019.

It requires that:

  • The ADFS environment is running Windows Server 2019 at a Farm Behavior Level of 4 (ADFS 5).
  • All relying party trusts (RPTs) have their additional authentication rules updated as described below.
  • Access control policies are removed from all RPTs in favour of additional authentication rules.

Step 1

Find the MFA provider names registered in ADFS using the following PowerShell command on the ADFS server:

Get-AdfsAuthenticationProvider | ft Name

Step 2

Create two groups in Active Directory, one for each MFA provider, and find their group SIDs. This can be achieved with the following PowerShell on a domain controller, where MFA-Provider1 is replaced by the name of your group.

Get-ADGroup MFA-Provider1 | ft SID

In your production environment, you will want to make sure that all ADFS users are made a member of the group created for your current MFA provider.

Step 3

Create a file for the MFA rules, for example “MFARules.txt”, and depending on your MFA requirements add one of the following to the top of the text file:

  • For MFA to be challenged both inside and outside the corporate network, add the following:
=> issue(Type = "",
Value = "");
  • For MFA to be challenged outside the corporate network only, add the following:
c:[Type == "", Value == "false"]
=> issue(Type = "",
Value = "");

Step 4

Add the below to the text file, replacing the placeholder values (shown in capitals) with the MFA provider name and group SID from steps 1 and 2 (keep the quotation marks).

c:[Type == "",
Value == "GROUP SID FOR FIRST MFA PROVIDER (from step 2)", Issuer == "AD AUTHORITY"]
=> issue(Type = "",
Value = "NAME OF FIRST MFA PROVIDER (from step 1)",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

c:[Type == "",
Value == "GROUP SID FOR SECOND MFA PROVIDER (from step 2)", Issuer == "AD AUTHORITY"]
=> issue(Type = "",
Value = "NAME OF SECOND MFA PROVIDER (from step 1)",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

Step 5

If you have an access control policy on a relying party trust, you will need to remove it first, as it cannot be used in conjunction with additional authentication rules. Use the following PowerShell:

Set-AdfsRelyingPartyTrust -TargetName "your RP name" -AccessControlPolicyName $null

And finally, assign the rules file to the relying party:

Set-AdfsRelyingPartyTrust -TargetName "your RP name" -AdditionalAuthenticationRulesFile MFARules.txt
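As an added example (not code from the original post), the following PowerShell script carries out steps 1 to 5 in one go: it checks the Farm Behavior Level, verifies the provider names, resolves the group SIDs, writes MFARules.txt and applies it to the relying party. It assumes it is run on the ADFS server with the ADFS and RSAT ActiveDirectory modules available, that the group, provider and RP names are placeholders to replace, and that the claim type URIs (which the rules above do not show) are the standard ADFS ones from Microsoft's documentation.

```powershell
# Added example, not from the original post. Builds MFARules.txt from an
# AD group -> MFA provider mapping and applies it (steps 1-5). Assumes the
# AD FS server has the ADFS and RSAT ActiveDirectory modules; the group,
# provider and RP names below are placeholders. The claim type URIs are the
# standard AD FS ones from Microsoft's documentation (not shown in the post).
$RelyingParty         = 'your RP name'
$RulesFile            = Join-Path $PWD 'MFARules.txt'
$ChallengeOutsideOnly = $false   # $true: MFA only when outside the corporate network

# AD group name -> provider name exactly as listed by Get-AdfsAuthenticationProvider
$Mapping = @{
    'MFA-Provider1' = 'ExistingProviderName'    # placeholder for the current provider
    'MFA-Provider2' = 'AzureMfaAuthentication'  # Azure MFA adapter name
}

# Prerequisite: Farm Behavior Level 4 (Windows Server 2019 / AD FS 5)
$fbl = (Get-AdfsFarmInformation).CurrentFarmBehavior
if ($fbl -lt 4) { throw "Farm Behavior Level is $fbl; level 4 is required." }

# Every provider named in the mapping must be registered on this farm
$registered = (Get-AdfsAuthenticationProvider).Name
foreach ($p in $Mapping.Values) {
    if ($registered -notcontains $p) { throw "Unknown MFA provider '$p'; registered: $($registered -join ', ')" }
}

$authnMethod = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$multiAuthn  = 'http://schemas.microsoft.com/claims/multipleauthn'
$insideNet   = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$groupSid    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$providers   = 'http://schemas.microsoft.com/claims/authnmethodsproviders'

# Step 3: the rule that demands MFA at all, inside+outside or outside only
$rules = New-Object System.Collections.Generic.List[string]
if ($ChallengeOutsideOnly) {
    $rules.Add("c:[Type == `"$insideNet`", Value == `"false`"] => issue(Type = `"$authnMethod`", Value = `"$multiAuthn`");")
} else {
    $rules.Add("=> issue(Type = `"$authnMethod`", Value = `"$multiAuthn`");")
}
# Step 4: one rule per group, selecting the provider for its members
foreach ($group in $Mapping.Keys) {
    $sid = (Get-ADGroup -Identity $group).SID.Value
    $rules.Add("c:[Type == `"$groupSid`", Value == `"$sid`", Issuer == `"AD AUTHORITY`"] => issue(Type = `"$providers`", Value = `"$($Mapping[$group])`", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);")
}
Set-Content -Path $RulesFile -Value $rules -Encoding UTF8

# Step 5: clear the access control policy, then apply the rules and show the result
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -AdditionalAuthenticationRulesFile $RulesFile
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).AdditionalAuthenticationRules
```

Running it against a test relying party first lets you inspect the generated MFARules.txt (and paste it into Claims X-Ray) before touching a production trust.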

Likely you will already have a complex set of additional authentication rules, so these need to be checked carefully before any changes are made and the steps above altered appropriately.

It is also worth using Microsoft’s claims X-Ray tool to validate your rules before applying them, see: Microsoft Claims XRay

Written on March 14, 2020