
We are using the on-premise version of Azure Multifactor authentication. When I authenticate through ADFS it's forcing every user to use MFA even though I have disabled users to succeed authentication. It gives me an error that the authentication method is not available for users that are disabled. Currently I am only enforcing when the application is accessed externally. Am I missing something? I am expecting MFA to be bypassed for users I have disabled.

[Screenshot: ADFS configuration]

2 Answers


Here is what I did to accomplish this. You set the rules in PowerShell instead of using the GUI. Replace Relying-Party-Trust and group-sid with yours.

# Look up the relying party trust whose MFA policy should be changed.
$rp = Get-AdfsRelyingPartyTrust -Name 'Relying-Party-Trust'

# Claims rule: issue the multipleauthn claim (i.e. require MFA) only when the user
# is a member of the given group AND the request comes from outside the corporate network.
$rules = '[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "group-sid"]' +
         ' && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]' +
         ' => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

# Apply the rule to that relying party only (this does not touch the global MFA policy).
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rules
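As an added example (not part of either answer), the same rule turned around into the bypass the question asks for: MFA is required for extranet requests unless the user is in a designated bypass group, and the stored rules are read back afterwards so you can see what ADFS actually evaluates. The relying party name and the group SID are placeholders you must replace.

```powershell
# Placeholders: replace with your relying party display name and the SID of your MFA-bypass group.
$rpName      = 'Relying-Party-Trust'
$bypassGroup = 'S-1-5-21-0000000000-0000000000-0000000000-0000'   # constructed placeholder SID

# Claims-rule language: issue the multipleauthn claim (require MFA) only when the request
# is NOT from inside the corporate network AND the user is NOT a member of the bypass group.
$rule = 'NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "' + $bypassGroup + '"])' +
        ' && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]' +
        ' => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

# Scope the rule to a single relying party rather than the global policy.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

# Read back what is stored. Global additional authentication rules are evaluated in addition
# to the per-RP rules, so if MFA is still prompted for everyone, check the global policy too.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
Get-AdfsAdditionalAuthenticationRule
```

The bypass only works if the groupsid and insidecorporatenetwork claims actually reach the rule pipeline for that relying party; if insidecorporatenetwork is missing, every request looks like extranet.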

You need to add additional claims to differentiate internet vs extranet.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies#to-configure-multi-factor-authentication-globally

Hannel
  • What would I need to configure in that window of my screenshot if I followed the link you sent? They seem like they would conflict? – Brent Mattson Dec 27 '18 at 14:48
  • Not in that window, sorry, I have upgraded to 4.0 in all my test environments. But you need to make sure claims have `insidecorporatenetwork` and understand what is covered by the `insidecorporatenetwork` network in your environment. Also, the authorization rule needs to check for that claim. – Hannel Dec 27 '18 at 18:31
  • Sorry, I'm not following what I need to configure. Is the link you sent going to accomplish the same thing as the screenshot I sent? – Brent Mattson Dec 27 '18 at 19:01
  • You need to confirm the claims are on the RP; if the claims are not, all connections will seem like Extranet. I have also seen it not work because the system does not identify the connection as Intranet or Extranet. You can use the group option to confirm 'MFA Bypass' works before focusing on Intranet vs Extranet, as that might include individual computer configuration. – Hannel Dec 27 '18 at 19:27