Hello
This time I’ve decided to make two parts as both relate to the same solution.
SCENARIO
As you may have noticed, since ADFS on Windows Server 2016 it is possible to configure the Azure MFA adapter and use Azure MFA as the multi-factor authentication provider for your ADFS applications.
You will find the step-by-step guide at the following site: Configure Azure MFA as authentication provider with AD FS
ISSUE
The issue appears if you have Alternate Login ID enabled in your ADFS environment.
This feature is typically enabled when the User Principal Name and the e-mail address don’t match: it lets users authenticate to ADFS with their e-mail address instead of their UPN.
Personally I wouldn’t recommend it, as it can introduce issues with the user experience.
There is a case where having this feature enabled in ADFS causes the Azure MFA adapter not to work as expected.
You may get the following error message when Azure MFA is being required:
The selected authentication method is not available for ‘user@domain.com’. Choose another authentication method or contact your system administrator for details
Working and Non-Working:
First of all, there is a working scenario. Let’s say you have the following case:
AD User Principal Name: john.doe@contoso.local
AD mail: jdoe@contoso.com
AAD username: jdoe@contoso.com
Alternate Login ID: mail
In this case, even though Alternate Login ID is enabled, the mail attribute in AD matches the AAD username, so this will work.
Non-working scenario:
AD User Principal Name: john.doe@contoso.com
AD mail: jdoe@contoso.com
AAD username: john.doe@mycompany.com
Alternate Login ID: mail
Users can still authenticate to ADFS with the mail attribute, but the Azure MFA adapter sends the value of the configured Alternate Login ID attribute (mail) in its request, and that value doesn’t match the AAD username. This scenario won’t work.
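To check this rule against your own users before anyone hits the error, here is an added PowerShell example (not code from the original post or from Microsoft). The function Test-AzureMfaIdentifier, the sample user objects and the Find-BrokenAzureMfaUsers sweep are all assumptions for illustration; the sample data simply reproduces the two scenarios above. The sweep also assumes the Azure AD username equals the on-premises UPN, which is the Azure AD Connect default and may not hold in your tenant.

```powershell
# Added example, not from the original post. Reports which identifier ADFS hands to
# the Azure MFA adapter for a user and whether it matches the Azure AD username,
# i.e. whether Azure MFA will work for that user under the rule described above.
function Test-AzureMfaIdentifier {
    param(
        # Object with at least UserPrincipalName plus the attribute used as Alternate
        # Login ID (for example an object returned by Get-ADUser -Properties mail)
        [Parameter(Mandatory)] $User,
        # The user's username in Azure AD
        [Parameter(Mandatory)] [string] $AzureAdUserName,
        # Name of the Alternate Login ID attribute, e.g. 'mail'; empty when the feature is off
        [string] $AlternateLoginId
    )
    # With Alternate Login ID enabled, ADFS sends that attribute's value; otherwise the UPN
    $altValue = if ($AlternateLoginId) { $User.$AlternateLoginId } else { $null }
    $sent     = if ($AlternateLoginId) { $altValue } else { $User.UserPrincipalName }
    [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        AltLoginIdValue   = $altValue
        AzureAdUserName   = $AzureAdUserName
        IdentifierSent    = $sent
        MfaWorks          = [bool]($sent -and ($sent -ieq $AzureAdUserName))
    }
}

# Constructed sample data reproducing the working and non-working scenarios above
$working = [pscustomobject]@{ UserPrincipalName = 'john.doe@contoso.local'; mail = 'jdoe@contoso.com' }
$broken  = [pscustomobject]@{ UserPrincipalName = 'john.doe@contoso.com';   mail = 'jdoe@contoso.com' }

Test-AzureMfaIdentifier -User $working -AzureAdUserName 'jdoe@contoso.com'       -AlternateLoginId 'mail'
Test-AzureMfaIdentifier -User $broken  -AzureAdUserName 'john.doe@mycompany.com' -AlternateLoginId 'mail'

# Sweep a real forest from the primary ADFS server (needs the ADFS and ActiveDirectory modules).
# Assumption: the Azure AD username equals the on-premises UPN (Azure AD Connect default);
# if your tenant maps usernames differently, look each user up in Azure AD instead.
function Find-BrokenAzureMfaUsers {
    $altId = (Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY').AlternateLoginID
    if (-not $altId) { return }   # Alternate Login ID is disabled: nothing to check
    Get-ADUser -Filter 'Enabled -eq $true' -Properties $altId |
        ForEach-Object {
            Test-AzureMfaIdentifier -User $_ -AzureAdUserName $_.UserPrincipalName -AlternateLoginId $altId
        } |
        Where-Object { -not $_.MfaWorks }
}
```

The two sample calls return MfaWorks True for the working user and False for the non-working one, because the identifier ADFS sends is the mail value in both cases and only the first one equals the Azure AD username. Run Find-BrokenAzureMfaUsers on the primary ADFS server to list every enabled account that would get the error.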
SOLUTION
You have the following options:
- Change the primary mail to match the UPN
- Change the UPN to match the primary mail
- Disable Alternate Login ID, or
- Set up an exception under ADFS for non-matching domains (detailed in part 2)
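The commands behind the first three options, as an added example that is not part of the original post: they are meant to be run in an elevated PowerShell session on the primary ADFS server with the ActiveDirectory (RSAT) module installed. The account name jdoe and the addresses are placeholders taken from the scenarios above; the fourth option is left to part 2.

```powershell
# Added example, not from the original post. Inspect the Alternate Login ID setting
# and apply each of the first three fixes listed above. 'jdoe' and the addresses are placeholders.

# Show the current configuration; an empty AlternateLoginID means the feature is off
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests

# Option 1: change the primary mail to match the UPN
Set-ADUser -Identity 'jdoe' -EmailAddress 'john.doe@contoso.com'

# Option 2: change the UPN to match the primary mail. The new suffix must be a UPN suffix
# of the forest ((Get-ADForest).UPNSuffixes or a domain DNS name) and, for accounts synced
# with Azure AD Connect, a verified domain in the tenant; otherwise Azure AD Connect gives
# the account an onmicrosoft.com username, which breaks the match again.
Set-ADUser -Identity 'jdoe' -UserPrincipalName 'jdoe@contoso.com'

# Option 3: disable Alternate Login ID entirely (users then sign in with their UPN)
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null

# Confirm the setting is gone before testing an MFA-protected application
(Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY').AlternateLoginID
```

Pick one of the two Set-ADUser lines per user, not both; whichever attribute you change, the value that ends up being sent to Azure MFA has to equal the username Azure AD knows for that account.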