conditional access policy override?

  • Question

  • I have a requirement to require MFA on a certain ADFS group but have an exception if the user exists in another group. For example:

    1. Permit all users by default.

    2. Require MFA for specific group domain\mandatory

    3. If user is in domain\mandatory but is also in a group called domain\exempt, do not require MFA.

    In other words, I want membership in the domain\exempt group to override the requirement for MFA. I've tried a few different configurations but MFA is never bypassed. Has anyone here attempted a similar configuration?

    Thursday, August 8, 2019 6:28 PM

Answers

  • Figured this one out. Instead of dealing with the exceptions in the rule itself, we used group queries within AD itself along with nesting groups.
    • Marked as answer by DJpent Friday, August 9, 2019 4:52 PM
    Friday, August 9, 2019 4:52 PM

All replies

  • Too late, but yes, you could have used custom claim rules for this.


    Friday, August 9, 2019 7:59 PM
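The custom claim rule approach mentioned in the last reply, written out as an added example (not code from anyone in this thread): an AD FS additional authentication rule that issues the MFA claim only when the user carries the mandatory group's SID and does not carry the exempt group's SID. The two SIDs are placeholders; the claim-type URIs and the `Set-AdfsAdditionalAuthenticationRule` / `Set-AdfsRelyingPartyTrust` cmdlets are the standard AD FS ones.

```powershell
# Added example: require MFA for domain\mandatory unless the user is also in domain\exempt.
# Replace the placeholder SIDs with the real group SIDs, e.g. (Get-ADGroup mandatory).SID.Value
$mandatorySid = 'S-1-5-21-PLACEHOLDER-1001'   # domain\mandatory (placeholder SID)
$exemptSid    = 'S-1-5-21-PLACEHOLDER-1002'   # domain\exempt    (placeholder SID)

# Claim types used by AD FS for group SIDs and for requesting an extra auth method
$groupSidClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$amrClaim      = 'http://schemas.microsoft.com/claims/authnmethodsreferences'
$mfaValue      = 'http://schemas.microsoft.com/claims/multipleauthn'

# Claim rule language: the MFA claim is issued only when BOTH conditions hold,
# i.e. mandatory-group SID present AND exempt-group SID absent. Users who match
# neither condition fall through with primary authentication only ("permit all by default").
$rule = @"
@RuleName = "Require MFA for domain\mandatory unless member of domain\exempt"
EXISTS([Type == "$groupSidClaim", Value == "$mandatorySid"])
 && NOT EXISTS([Type == "$groupSidClaim", Value == "$exemptSid"])
 => issue(Type = "$amrClaim", Value = "$mfaValue");
"@

# Apply the rule globally (every relying party) ...
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# ... or scope it to a single relying party trust instead. On AD FS 2016 and later a
# relying party that has an access control policy assigned must have that policy
# cleared (-AccessControlPolicyName $null) before per-RP rules take effect.
# Set-AdfsRelyingPartyTrust -TargetName 'Claims App' -AdditionalAuthenticationRules $rule

# Verify what is configured
Get-AdfsAdditionalAuthenticationRule
```

Because membership in the exempt group is effectively an MFA bypass, treat it as a privileged group and audit changes to its membership the same way you would for the admin groups.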