ADFS 4.0 with Azure AD MFA. Claims not received in alternate browsers.

  • Question

  • Sorry if I am missing some basic understanding about this. We are trying to implement multi-factor authentication.

    We have a hybrid on-premise/Azure AD configuration with AD Connect and ADFS, with working SSO.

    The goal is to use either Azure MFA or ADFS conditional access policies to restrict MFA requirements to "unrecognized" devices. "Unrecognized" meaning a device that is not joined to our domain nor registered with Azure AD (like a mobile device with Intune).

    I've been doing all my testing by setting up a test relying party trust with the Microsoft Claims Xray.

    The problem is that I'm expecting to see multiple claims appear from users when they sign in from registered / domain-joined devices that indicate that the device does not need to do MFA. I do see those claims if I use Internet Explorer, but I do not see those claims if I use Chrome or Firefox. Yet, I do see those claims if I use Safari on an iPad that is Azure AD registered with Intune. So, I'm having a hard time believing this is simply a browser issue.

    Here is an example of the extra claims and differences I get when using Internet Explorer rather than Chrome on a Windows 10 domain joined and Azure AD workplace joined device:

    Internet Explorer:

    authnmethodsproviders: WindowsAuthentication
    authnmethodsreferences:
      http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
      http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/kerberos
    insidecorporatenetwork: true
    iscompliant: false
    isknown: true
    ismanaged: true
    isregistereduser: true
    psso: true
    trusttype: Workplace

    Google Chrome:

    authnmethodsproviders:
      WindowsAuthentication
      AzureMfaAuthentication
    authnmethodsreferences:
      http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
      http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/kerberos
      http://schemas.microsoft.com/ws/2012/12/authmethod/phoneappnotification
      http://schemas.microsoft.com/claims/multipleauthn
    insidecorporatenetwork: true

    In the latter case, I was forced to use MFA even though I am using the ADFS Access Control policy template called: "Permit everyone and require MFA from unauthenticated devices."

    What am I missing here? Am I really going to have to require MFA for anybody utilizing an alternate browser on Windows?

    Friday, January 19, 2018 4:54 PM
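An added example (not from the original post or from Microsoft) that puts the two claim sets above side by side and shows what actually differs between the IE and Chrome sessions: the corporate-network claim is identical, the device-context claims are simply absent in Chrome, and the multipleauthn reference proves MFA ran. The list of device claims and the "MFA iff device claims absent" policy model are assumptions made for this script, not ADFS internals.

```python
"""Compare the per-browser claim sets from the post and show why the
'require MFA from unauthenticated devices' policy fired in Chrome."""

AUTHN = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/"
PHONE_APP = "http://schemas.microsoft.com/ws/2012/12/authmethod/phoneappnotification"
MFA_REF = "http://schemas.microsoft.com/claims/multipleauthn"
# ASSUMPTION: these device-context claims are what signals an authenticated device.
DEVICE_CLAIMS = ("isregistereduser", "isknown", "ismanaged", "trusttype", "psso")

# Constructed from the post: the claims Claims X-Ray displayed per browser.
IE_CLAIMS = {
    "authnmethodsproviders": ["WindowsAuthentication"],
    "authnmethodsreferences": [AUTHN + "windows", AUTHN + "kerberos"],
    "insidecorporatenetwork": ["true"], "iscompliant": ["false"],
    "isknown": ["true"], "ismanaged": ["true"], "isregistereduser": ["true"],
    "psso": ["true"], "trusttype": ["Workplace"],
}
CHROME_CLAIMS = {
    "authnmethodsproviders": ["WindowsAuthentication", "AzureMfaAuthentication"],
    "authnmethodsreferences": [AUTHN + "windows", AUTHN + "kerberos", PHONE_APP, MFA_REF],
    "insidecorporatenetwork": ["true"],
}


def analyze(claims):
    """Summarise one claim set: device status and whether MFA actually ran."""
    missing = [c for c in DEVICE_CLAIMS if c not in claims]
    return {
        "device_authenticated": not missing and claims["isregistereduser"] == ["true"],
        "missing_device_claims": missing,
        "mfa_performed": MFA_REF in claims.get("authnmethodsreferences", []),
        "inside_corpnet": claims.get("insidecorporatenetwork") == ["true"],
    }


def policy_requires_mfa(claims):
    """Model (an assumption, not ADFS internals) of the 'Permit everyone and require
    MFA from unauthenticated devices' template: MFA iff the device claims are absent."""
    return not analyze(claims)["device_authenticated"]


def claim_diff(reference, observed):
    """Claim types present only in `reference`, and those present only in `observed`."""
    return (sorted(set(reference) - set(observed)),
            sorted(set(observed) - set(reference)))


if __name__ == "__main__":
    for name, claims in (("IE", IE_CLAIMS), ("Chrome", CHROME_CLAIMS)):
        print(name, analyze(claims), "MFA required:", policy_requires_mfa(claims))
    print("Only in IE / only in Chrome:", claim_diff(IE_CLAIMS, CHROME_CLAIMS))
```

Running it prints that Chrome is missing every device claim while still being inside the corporate network, which is why a device-based policy treats that session as unauthenticated regardless of network location.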

All replies

  • Tuesday, February 6, 2018 8:58 PM
  • I've been trying to set up the same thing. I cannot believe how little official Microsoft documentation there is for this! I'm dumbfounded that they don't mention browser compatibility for device context claims. It almost defeats the point of device authentication when you're reliant on specific browsers (IE/Edge) that aren't available on all devices (Mac).
    Friday, June 29, 2018 7:54 PM
  • The best solution is to use Azure AD instead of ADFS.
    Many applications are compatible with Azure AD and even have built-in configuration manuals.

    Saturday, June 30, 2018 6:01 PM