ADFS requirements for supporting Microsoft Authenticator App

  • Question

  • I implemented On-Premises ADFS MFA (Certificate authentication) to strengthen our access to O365 (federated domain) from the Extranet. But after enabling ADFS MFA, Outlook for iOS users told me that they cannot connect to ExO. I looked into the issue and figured out that in order to use Outlook for iOS while ADFS MFA is enabled, users have to install Microsoft Authenticator too. After setting up Microsoft Authenticator, users can access their ExO mailbox again with Outlook for iOS.

    But here's the problem. Users can initially set up their Microsoft Authenticator on the aka.ms/MFAsetup site. But when they want to change the information they've registered, for example, phone number, they cannot sign in to Microsoft Authenticator any more unless an administrator does [Require selected users to provide contact methods again] in the O365 user Multi-factor authentication management page (https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx).

    So I checked the ADFS server's event logs and found an error message [No strong authentication method found for the request from urn:federation:MicrosoftOnline.] every time users tried to access aka.ms/MFASetup. After a little research on this message, I found https://social.msdn.microsoft.com/Forums/sqlserver/en-US/35e1cf64-a7ee-4b6f-8e3b-7ae8f9931632/adfs-azure-mfa-inconsitant-error?forum=windowsazureactiveauthentication. I think it told me to install Azure MFA server on my ADFS.

    I would like to know

    1. Is implementing Azure MFA server a mandatory requirement for using Microsoft Authenticator?

    2. Is there any other workaround for this issue instead of installing Azure MFA server?

    Friday, March 16, 2018 1:49 AM

Answers

  • Hi, 

    Microsoft Authenticator is used on iOS for certificate-based authentication flows because it houses the broker that issues tokens back and forth between apps using ADAL. 

    On Android, you can either use Company Portal OR Authenticator, either can act as the broker. 

    There is no need to set up an MFA account within the app. On iOS, we would recommend that you install the Authenticator app prior to setting up your Outlook account in the Outlook app, as it's a little more seamless for the user.

    This page may be helpful: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-ios#requirements 

    • Marked as answer by B.S.Wang Wednesday, April 25, 2018 5:58 AM
    Wednesday, April 4, 2018 7:37 PM

All replies

  • Hi Libby, thanks for the reply.

    As you mentioned, there is no need to set up an MFA account within the app now. When I posted this question, it still needed an account to be set up.

    Besides that, when I posted it, SfB for iOS still CAN connect to SfBO without MFA installed. Recently I also noticed that it has become mandatory that MFA be installed on my iOS device to use SfB for iOS. SfB for iOS itself no longer supports sign-in with MFA.

    So I believe that authentication method must have been changed these days...

    Friday, April 6, 2018 1:01 AM