ADFS Password Spray Flow MFA

  • Question

  • If a user fails username and password they don't even get to the MFA stage.

    Is it possible to alter this so that they have to try MFA also, and then receive a message that either the username, password or OTP code are incorrect?

    Monday, February 3, 2020 11:45 AM

All replies

  • You can start by "MFA" (I put it in quotes because it is arguable to call it MFA at this stage). For example, use Azure MFA as a first factor for authentication.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, February 3, 2020 5:05 PM
  • Is there a way to do this without Azure?
    Monday, February 3, 2020 9:13 PM
  • Yes. You could do Windows Hello for Business as a primary factor too.

    But anyways, I'd recommend you have a look at this guidance: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/ad-fs-password-protection 

    Wednesday, February 5, 2020 12:51 AM
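The two defences the replies point at, as an added example that is not part of the thread: enabling AD FS Extranet Smart Lockout (the mechanism covered by the linked password-protection guidance) in log-only mode first and then enforcing it, and making Azure MFA the primary extranet factor so a password is never checked on its own. The cmdlets are from the AD FS PowerShell module; the thresholds, the farm assumptions in the comments and the user identity are assumptions, not values from the thread.

```powershell
# Added example (not from the thread). Assumes AD FS 2016 with the Extranet Smart
# Lockout update, or AD FS 2019, run as an AD FS administrator on the primary node.
Import-Module ADFS

# 1. Record the current lockout settings before changing anything.
Get-AdfsProperties | Select-Object ExtranetLockoutEnabled, ExtranetLockoutMode,
    ExtranetLockoutThreshold, ExtranetLockoutThresholdFamiliarLocation,
    ExtranetObservationWindow

# 2. AD FS 2016 only: upgrade the artifact store so per-user, per-location
#    failure counters can be kept (AD FS 2019 already has this schema).
Update-AdfsArtifactStorage

# 3. Start in log-only mode: failures are counted per user and per source
#    location, but nobody is locked out yet. Unknown locations get a lower
#    threshold than familiar ones, which is what blunts a spray from the
#    internet without punishing users on their usual devices. The numbers are
#    assumed starting points; tune them to your own sign-in telemetry.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutMode AdfsSmartLockoutLogOnly `
    -ExtranetLockoutThreshold 10 `
    -ExtranetLockoutThresholdFamiliarLocation 20 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
Restart-Service adfssrv   # repeat the restart on every farm node

# 4. Inspect what the counters show for a user before enforcing. The identity
#    is a constructed placeholder; use a real UPN from your directory.
Get-AdfsAccountActivity -Identity 'user@contoso.example'

# 5. Once the log-only data looks sane, switch to enforcement.
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce
Restart-Service adfssrv   # again, on every farm node

# 6. Helpdesk action for a sprayed account: clear only the unknown-location
#    counter so the user's familiar locations keep working.
Reset-AdfsAccountLockout -Identity 'user@contoso.example' -Location Unknown

# 7. The "MFA as first factor" suggestion from the reply: with Azure MFA as the
#    primary extranet provider, extranet sign-ins never evaluate the password
#    alone, so a spray gets no password-validity signal from AD FS at all.
#    Assumes the Azure MFA adapter has already been registered with the farm.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @('AzureMfaAuthentication')
```

Stay in log-only mode long enough to see a normal business cycle of sign-ins before enforcing, so the familiar-location thresholds reflect real user behaviour rather than a guess.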