
Amsirahc-7658 asked

ADFS with Azure MFA and multiple Azure tenants

We're wanting to use Azure MFA as a second step authentication method with our 2016 ADFS environment. We have two separate Azure AD/Office 365 tenants, and several other relying party trusts in a single ADFS farm that we wish to use it with. Azure MFA is currently set up and working for Tenant A users with a custom theme that redirects if the user hasn't gone through the "ProofUp" process (based on Microsoft's documentation). It is also set up on the other RPTs to require MFA if the user is a member of a specific on-prem AD group. Tenant B users aren't currently licensed for Azure AD Premium, so we have not been able to do any testing yet.

  1. If we get the licensing worked out for Tenant B to have Azure AD Premium 1, will we be able to configure ADFS and Azure MFA to support both tenants?

  2. How would we customize the onload.js theme to capture the authArea errorMessage and forward to the appropriate Azure tenant based on the user's domain (since the instructions require the use of a domain name for the mfaRegisterUrl)?

Any feedback or recommendations would be very much appreciated.

Tags: adfs, azure-ad-multi-factor-authentication
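For question 2 only, here is an added example of the onload.js proof-up redirect logic, written for this thread and not taken from the question or from Microsoft's documentation: it checks the authArea error text for the proof-up condition and picks a registration URL by the domain in the user's UPN instead of a single hard-coded mfaRegisterUrl. The element ids ("authArea", "errorMessage", "userNameInput"), the marker phrase used to recognise the proof-up error, and the per-domain URLs are all assumptions and placeholders; whether the ADFS farm itself can complete Azure MFA for a second tenant (question 1) is a separate matter that this snippet does not change.

```javascript
// Added example for an AD FS custom theme onload.js (not Microsoft's code).
// Per-domain registration URLs: constructed placeholders, not real tenants.
const REGISTER_URLS = {
  "tenant-a.example": "https://register.tenant-a.example/proofup",
  "tenant-b.example": "https://register.tenant-b.example/proofup",
};

// Assumed phrase that identifies the "user has not completed proof-up" error.
const PROOFUP_MARKER = "registered for additional security verification";

// Extract the DNS domain from a UPN; null for NetBIOS (DOMAIN\user) or bare names.
function upnDomain(userName) {
  const at = userName.lastIndexOf("@");
  if (at < 0) return null;
  const domain = userName.slice(at + 1).trim().toLowerCase();
  return domain.length > 0 ? domain : null;
}

// Decide where to send the user. Returns the tenant-specific URL, or null when
// the page is not showing the proof-up error, the user name has no UPN domain,
// or the domain is not one we know (the original AD FS error stays visible).
function pickProofUpRedirect(errorMessage, userName, registerUrls) {
  if (!errorMessage) return null;
  if (errorMessage.toLowerCase().indexOf(PROOFUP_MARKER) === -1) return null;
  const domain = upnDomain(userName || "");
  if (!domain) return null;
  return registerUrls[domain] || null;
}

// Browser glue: read the error text and the typed user name from the page and
// redirect. Takes document/window as parameters so it can be exercised offline.
function installProofUpRedirect(doc, win, registerUrls) {
  const area = doc.getElementById("authArea");
  const err = doc.getElementById("errorMessage");
  const user = doc.getElementById("userNameInput"); // assumed id of the UPN field
  if (!area || !err) return null;
  const target = pickProofUpRedirect(err.textContent, user ? user.value : "", registerUrls);
  if (target) win.location.href = target;
  return target;
}

// Only run the redirect when actually loaded in the AD FS sign-in page.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  installProofUpRedirect(document, window, REGISTER_URLS);
}
```

Domains not listed in the map fall through to the normal AD FS error page, so a mis-typed or unexpected UPN never gets redirected to the wrong tenant.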

1 Answer

KAREDD-MSFT answered

In 2016 ADFS, you would have registered the ADFS to talk to a specific tenant to do the MFA. In your scenario, this ADFS is already registered with Tenant A. So, your users in tenant B will not be able to leverage MFA through ADFS.

If you are planning to have Azure AD premium licenses, I would recommend using CA policies and perform the MFA in Azure directly.

3 comments

Correct, ADFS was configured that way. Is there no way to configure ADFS for multiple tenants? Also, we are using Azure MFA for the non-Azure RPTs in our ADFS environment as well, so would we lose that for them if we did MFA in Azure directly using CA policies?


Just in case, ADFS is no longer required to achieve Single Sign-On with Azure AD workloads (such as Office 365 applications). You can use PTA/PHS with Azure AD Connect seamless Single-Sign On. In case you are using ADFS just for SSO, I thought I would bring it up :)


Doesn't the seamless SSO only work for corporate devices on the corporate network? Most of our users need to access their services remotely. ADFS is also being used as a SAML identity provider for other non-azure services, but we wanted to leverage our current Azure subscriptions for MFA for them as well (otherwise we will have to look at other solutions like Duo, Okta, etc. which are way outside of our current budget). It works for Tenant A, but we're looking for a way for it to work for Tenant B as well. If it only works with one tenant, is there a workflow to merge Tenant B into Tenant A?
