ADFS and Azure MFA Connector (Part 1)

Hello

This time I’ve decided to make two parts as both relate to the same solution.

SCENARIO

As you may have noticed, since ADFS on Windows Server 2016 it has been possible to configure a connector and leverage Azure MFA for multi-factor authentication on your ADFS applications.

You will find the step by step at the following site: Configure Azure MFA as authentication provider with AD FS

ISSUE

The issue happens if you have Alternate Login ID enabled on your ADFS environment.

This feature is typically enabled when the User Principal Name and e-mail address don’t match; with it on, users can still authenticate to ADFS with their e-mail address.

Personally I won’t recommend it, as it may introduce potential issues on the user experience.

There is a case where having this feature enabled in ADFS will cause your Azure MFA connector not to work as expected.

You may get the following error message when Azure MFA is being required:

The selected authentication method is not available for ‘user@domain.com’. Choose another authentication method or contact your system administrator for details

Working and Non-Working:

First of all, there is a working scenario. Let’s say you have the following case:

AD User Principal Name: john.doe@contoso.local

AD mail: jdoe@contoso.com

AAD username: jdoe@contoso.com

Alternate Login ID: mail

In this case, even though Alternate Login ID is enabled, the mail attribute in AD matches the AAD username, so this will work.

Non-working scenario:

AD User Principal Name: john.doe@contoso.com

AD mail: jdoe@contoso.com

AAD username: john.doe@mycompany.com

Alternate Login ID: mail

Users can authenticate to ADFS using the mail attribute, but the Azure MFA adapter sends the request with the configured Alternate Login ID (the mail attribute), which doesn’t match the AAD username. This scenario won’t work.

SOLUTION

You will have the following options:

  • Change the primary mail to match the UPN
  • Change the UPN to match the primary mail
  • Disable Alternate Login ID or
  • Set up an exception under ADFS for non-matching domains (detailed in part 2)
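To find out in advance which users will hit the error above, and to show the "disable Alternate Login ID" option, here is an added PowerShell example (my own, not from the original post or from Microsoft). It reproduces the working and non-working cases from the post with constructed sample data, compares the value the MFA adapter would send (the configured Alternate Login ID attribute, or the UPN when the feature is off) against the Azure AD username, and flags the mismatches. The function names Get-AltLoginIdAttribute and Test-AltLoginIdMatch and the $aadMap variable are mine; Get-AdfsClaimsProviderTrust, Set-AdfsClaimsProviderTrust and Get-ADUser are the real cmdlets.

```powershell
# Added example (not from the original post): audit which users will get
# "The selected authentication method is not available" because the value
# AD FS sends as Alternate Login ID does not match their Azure AD username.

# 1. Read which AD attribute AD FS currently uses as Alternate Login ID.
#    'AD AUTHORITY' is the identifier of the built-in Active Directory claims provider trust.
function Get-AltLoginIdAttribute {
    $trust = Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY'
    if ([string]::IsNullOrEmpty($trust.AlternateLoginID)) { return $null }  # feature disabled
    return $trust.AlternateLoginID                                          # e.g. 'mail'
}

# 2. Compare what the MFA adapter would send with the Azure AD username.
#    $AdUsers      : objects exposing UserPrincipalName and the attribute (e.g. mail).
#    $AadUserNames : hashtable on-prem UPN -> Azure AD UserPrincipalName (constructed below;
#                    in production populate it from your Azure AD user export).
function Test-AltLoginIdMatch {
    param(
        [Parameter(Mandatory)] $AdUsers,
        [Parameter(Mandatory)] [hashtable] $AadUserNames,
        [string] $AltLoginIdAttribute   # $null means Alternate Login ID is disabled
    )
    foreach ($u in $AdUsers) {
        # With Alternate Login ID disabled the UPN is sent; otherwise the configured attribute
        $sent = if ($AltLoginIdAttribute) { $u.$AltLoginIdAttribute } else { $u.UserPrincipalName }
        $aad  = $AadUserNames[$u.UserPrincipalName]
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            SentToAzureMfa    = $sent
            AadUserName       = $aad
            MfaWillWork       = ($null -ne $sent) -and ($sent -ieq $aad)
        }
    }
}

# Constructed sample data reproducing the two scenarios from the post.
$sampleAdUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'john.doe@contoso.local'; mail = 'jdoe@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'john.doe@contoso.com';   mail = 'jdoe@contoso.com' }
)
$sampleAadUserNames = @{
    'john.doe@contoso.local' = 'jdoe@contoso.com'        # working: mail matches the AAD username
    'john.doe@contoso.com'   = 'john.doe@mycompany.com'  # non-working: mail does not match
}

# Expected: first row MfaWillWork = True, second row MfaWillWork = False
Test-AltLoginIdMatch -AdUsers $sampleAdUsers -AadUserNames $sampleAadUserNames -AltLoginIdAttribute 'mail' |
    Format-Table -AutoSize

# Against a live environment (run on an AD FS server with the ActiveDirectory module installed;
# $aadMap is a hashtable you build from your Azure AD users):
# $attr  = Get-AltLoginIdAttribute
# $users = Get-ADUser -Filter * -Properties mail | Select-Object UserPrincipalName, mail
# Test-AltLoginIdMatch -AdUsers $users -AadUserNames $aadMap -AltLoginIdAttribute $attr |
#     Where-Object { -not $_.MfaWillWork }

# Option "Disable Alternate Login ID" from the list above (clears the attribute and lookup forests):
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null
```

Run the audit before changing UPNs or mail attributes so you change only the accounts that actually mismatch; the function treats a user whose attribute is empty as non-working too, since nothing usable would be sent to Azure MFA.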
