In an IAM trust policy we can use the MultiFactorAuthPresent condition to enforce that MFA is enabled. However, does that condition work with an external identity provider? E.g., if I'm authenticated using Azure AD or Google Workspace, the authentication is done at the external identity provider; does the MFA info get passed to IAM?

How about AWS SSO with an external provider? Is it the same?

StarCub

1 Answer

When authentication is done by an external IdP (i.e. Azure AD), MFA is performed as part of the authentication flow before the SAMLResponse is returned to the AWS sign-in page. For the Azure AD IdP, you can use a Conditional Access policy to enforce MFA for the application.

I haven't tested it, but I would think you can pass an additional attribute (outside of the role trust ARN / role ARN attribute). Then you can read the value at the IAM trust policy level. You can get more info at Passing session tags in AWS STS.

Prodip

Comment: 'The AWS Management Console Switch Role feature does not allow you to pass session tags.' It seems you can't do it on the console. – StarCub Jul 28 '22 at 21:01
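As an added illustration (not code from the answer, the question, or AWS), the following Python builds the two trust-policy shapes discussed above: the session-tag policy the answer suggests, where the IdP sends the tag as the SAML attribute `https://aws.amazon.com/SAML/Attributes/PrincipalTag:<key>` and the trust policy reads it through `aws:RequestTag/<key>`, and the `aws:MultiFactorAuthPresent` policy the question asks about. A small evaluator for the `StringEquals` and `Bool` operators then runs both policies against constructed request contexts, which shows the defender-relevant point that a condition key absent from the request context fails the check. The account id, IdP name and tag key `mfa` are placeholders; the contexts are constructed, not captured from STS, and whether STS populates `aws:MultiFactorAuthPresent` for SAML sessions is the open question of the thread, which this example does not settle.

```python
import json

# Placeholder values (assumptions, not from the page): account id, IdP name, tag key.
ACCOUNT_ID = "123456789012"
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ExampleIdP"
TAG_KEY = "mfa"  # hypothetical session tag the IdP is configured to send
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_saml_tag_trust_policy():
    """Trust policy for a SAML-federated role that only admits sessions where
    the IdP passed the session tag mfa=true. The IdP sends the tag as the SAML
    attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:mfa, and
    sts:TagSession must be allowed alongside sts:AssumeRoleWithSAML."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": SAML_PROVIDER_ARN},
                "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
                "Condition": {
                    "StringEquals": {
                        "SAML:aud": SAML_AUDIENCE,
                        f"aws:RequestTag/{TAG_KEY}": "true",
                    }
                },
            }
        ],
    }


def build_mfa_present_trust_policy():
    """The trust-policy condition the question asks about, as commonly used
    for sts:AssumeRole from IAM principals in the same account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
            }
        ],
    }


def _condition_matches(operator, key, expected, context):
    """Minimal StringEquals/Bool evaluation. A key missing from the request
    context fails the condition (only the ...IfExists operators tolerate that)."""
    actual = context.get(key)
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual == expected
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"operator not modelled: {operator}")


def policy_allows(policy, action, context):
    """Simplified evaluation: some Allow statement lists the action and all of
    its conditions match. Principal/Resource matching, explicit Deny and
    multi-valued keys are not modelled."""
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if statement["Effect"] != "Allow" or action not in actions:
            continue
        if all(
            _condition_matches(operator, key, expected, context)
            for operator, pairs in statement.get("Condition", {}).items()
            for key, expected in pairs.items()
        ):
            return True
    return False


# Constructed request contexts (not captured from AWS): a SAML sign-in where the
# IdP passed the tag, and one where it did not. Neither carries
# aws:MultiFactorAuthPresent; whether STS sets that key for SAML sessions is the
# thread's open question, and this example does not settle it.
SAML_CONTEXT_WITH_TAG = {"SAML:aud": SAML_AUDIENCE, f"aws:RequestTag/{TAG_KEY}": "true"}
SAML_CONTEXT_WITHOUT_TAG = {"SAML:aud": SAML_AUDIENCE}


if __name__ == "__main__":
    print(json.dumps(build_saml_tag_trust_policy(), indent=2))
    for label, ctx in (("with tag", SAML_CONTEXT_WITH_TAG), ("without tag", SAML_CONTEXT_WITHOUT_TAG)):
        allowed = policy_allows(build_saml_tag_trust_policy(), "sts:AssumeRoleWithSAML", ctx)
        print(f"AssumeRoleWithSAML {label}: {allowed}")
```

The session-tag policy only admits a SAML session when the IdP actually emitted the tag, so an IdP misconfiguration (tag not mapped) fails closed rather than silently granting the role; the same evaluator shows that a `Bool` check on a key the context never carries fails in the same way.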