ADFS Associating Multiple MFA Providers to Active Directory Groups Groups

Where I work, we heavily use Active Directory Federation Servers (ADFS) as our preferred SSO provider. We have been looking to switch from our existing MFA provider to Azure MFA. Upon configuring our test environment with multiple MFA providers I found that this requires users to select which MFA provider to use at login.

For us, this is far from ideal, we would prefer to manage this on behalf of the user. With a large and diverse user base it can be a significant challenge communicating changes, especially with big bang changes. We want to be able to pilot and deploy Azure MFA without affecting the community of users that have not yet been migrated.

The ideal solution would be to have the assignment of MFA provider to be associated to an AD group. There is no way of configuring this in the GUI and was not able to find any documentation on how to accomplish this, so I contacted Microsoft support.

Thankfully they came back with a solution, it’s a a new feature in Windows Server 2019.

It requires that:

  • The ADFS environment is running Windows Server 2019 at a Farm Behaviour Level of 4 (ADFS 5).
  • All relying trusts for claims rules are updated with the additional authentication rules as described below.
  • Access Control rules need to be removed from all RPTs in favour of additional authentication rules.

Step 1

Find the MFA provider names for from ADFS using the following Powershell command on the ADFS server:

Step 2

Create 2 groups in Active Directory for each MFA provider and find their group SIDs. Can achieved with the following Powershell on a domain controller, where MFA-Provider1 is replaced by the name of your group.

In your production environment, you will want to make sure that all ADFS users are made a member of the group created for your current MFA provider.

Step 3

Create file for the MFA rules, for example “MFARules.txt”, and dependent on your MFA requirements add one of the following to the top of the text file:

A: For MFA to be challenged inside and outside the corporate network, then add the following:

=>issue(Type = “”,Value = “”);

B: For MFA to be challenged outside the corporate network only, then add the following:

c:[type == “”, value == “false”] =>issue(Type = “”, Value = “”);)

Step 4

Add the below to the text file, replacing the values in bold with the MFA provider name and group SID from steps 1 & 2 (keep the quotation marks).

c:[Type == “”, Value == “GROUP SID FOR FIRST MFA PROVIDER (from step 2)” “, Issuer == “AD AUTHORITY”] => issue(Type = “”, Value = “NAME OF FIRST MFA PROVIDER (from step 1)“, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType); c:[Type == “”, Value == “GROUP SID FOR SECOND MFA PROVIDER (from step 2)” “, Issuer == “AD AUTHORITY”] => issue(Type = “”, Value = “NAME OF FIRST SECOND PROVIDER (from step 1)” “, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

Step 5

If you have an access control policy for on a replying party trust, you will need to first disable this as it cannot be used in conjunction with additional authentication rules. Use the following Powershell:

And finally, assign policy to the relying party:

It is likely in a large production environment such as ours, you will already have a complex set of additional authentication rules, so these need to be checked carefully before any changes are made and the steps above altered appropriately.

It is also worth using Microsoft’s claims X-Ray tool to validate your rules before applying them, see: