Federation Service Device Registration and MFA

  • Question

  • Hi All

    I am trying to achieve MFA using the following rule

    # -TargetName selects the relying party by its display name; the original
    # -TargetRelyingParty parameter expects a RelyingPartyTrust object, not a string.
    Set-AdfsRelyingPartyTrust -TargetName "Office365 Online Services" -AdditionalAuthenticationRules 'EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "GROUPSID"]) && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

    As per this rule, ADFS should ask the user for MFA only if the user is part of the group (SID) defined in the rule above and the device is unregistered. But ADFS is asking users in the group defined in the rule for MFA even if the user is trying to log in (e.g. Office 365 OWA) from a registered device.

    If I remove the AD group condition from the rule above, then users can log in to Office 365 from a registered device and it asks for MFA only if the user is trying to log in from an unregistered device. But I want to apply the rule only to specific users.

    Any help would be greatly appreciated.

    Thanks in advance.



    • Edited by iffarrukh Friday, April 8, 2016 5:50 AM
    Thursday, April 7, 2016 1:00 PM

All replies

  • I think it is happening because you are using "registrationid", which is different for different user/device pairs, and you have also not defined a value for it. Instead, try using the 'isregistereduser' true/false condition.
    Wednesday, April 5, 2017 4:26 PM
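Putting the suggestion above into a script, as an added example that is not from either poster. It builds the rule around the isregistereduser device claim, which carries a fixed "true"/"false" value, instead of testing for the absence of the per-device registrationid claim. Assumed: an elevated PowerShell session on the AD FS server with the ADFS module loaded, a group named CONTOSO\MFA-Users (placeholder), and the relying party name from the question; the device-authentication pre-check is an addition, since device claims are only issued when that setting is on.

```powershell
# Added example, not code from the thread. Assumes AD FS 2012 R2 or later
# and the ADFS PowerShell module; group and relying party names are placeholders.
$GroupName        = 'CONTOSO\MFA-Users'          # assumed group name
$RelyingPartyName = 'Office365 Online Services'  # name used in the question

# 1. Device claims are only issued when device authentication is enabled on the
#    federation service; if it is off, every request looks unregistered and the
#    rule below prompts the whole group for MFA on every sign-in.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.DeviceAuthenticationEnabled) {
    Write-Warning 'Device authentication is disabled on this farm; enabling it.'
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
}

# 2. Resolve the group to its SID rather than hard-coding it in the rule text.
$groupSid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 3. Claim types used by the rule.
$groupSidType     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$isRegisteredType = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'
$authMethodType   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$mfaValue         = 'http://schemas.microsoft.com/claims/multipleauthn'

# The rule fires only when the caller is in the group AND there is no
# isregistereduser == "true" claim, i.e. the device is not registered.
$rule = @"
@RuleName = "MFA for $GroupName from unregistered devices"
EXISTS([Type == "$groupSidType", Value == "$groupSid"])
 && NOT EXISTS([Type == "$isRegisteredType", Value == "true"])
 => issue(Type = "$authMethodType", Value = "$mfaValue");
"@

# 4. Apply the rule to the relying party and read it back to confirm what
#    is actually stored. -AdditionalAuthenticationRules replaces the existing
#    set, so merge any other rules into $rule first.
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -AdditionalAuthenticationRules $rule
(Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).AdditionalAuthenticationRules
```

To test, sign in to OWA once from a device that has completed Workplace Join and once from one that has not, with an account in the group; only the second sign-in should be prompted for MFA. Accounts outside the group should never be prompted by this rule.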