Configuring authentication policies for AD FS

Updated: June 21, 2013

Applies To: Windows Server 2012 R2

You can configure multifactor authentication after you install AD FS. Configuring multifactor authentication allows you to specify a primary authentication method to validate a user’s identity and additional authentication methods for more stringent access requirements. For example, you can specify Windows Integrated Authentication for primary authentication in order to access resources that have lower business impact and require additional authentication methods in order to access resources that have higher business impact, or for other types of access.

The default settings and available options for primary authentication vary depending on whether the resource is located on an extranet or an intranet:

  • Extranet resources require forms-based authentication by default. You can optionally enable users to choose between using forms-based authentication or certificate-based authentication.

  • Intranet resources require Integrated Windows Authentication by default. You can optionally enable users to choose between using Integrated Windows Authentication, forms-based authentication, or certificate-based authentication.

The additional authentication methods can be based on factors such as the user account and device that is used to access the resource, and the location where the access request is made (for example, intranet versus extranet). There is also support for custom authentication providers and for setting policies that either require a certain authentication method or allow a user to choose from a set of authentication options. By default, you can select certificate authentication as an additional authentication method for accessing any resource.

Note: If certificate authentication is also chosen for primary authentication, then AD FS may not prompt the user for the additional authentication because the user already authenticated by using the certificate authentication method.

You can configure different scopes for authentication policies. A global authentication policy applies to all applications and services that are secured by AD FS. Global authentication policy settings specify which primary authentication method is used, methods for multifactor authentication, and device authentication. You can also configure an authentication policy for a specific relying party trust. Relying party trust authentication policy settings specify whether users are required to supply credentials each time they sign on and other multifactor authentication requirements. If either a global or per relying party trust authentication policy requires MFA, MFA will be triggered when the user tries to authenticate to this relying party trust.
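The two policy scopes described above, as an added PowerShell example (not part of the original page): a global policy that sets the location-dependent primary methods and an extranet MFA rule, and a per relying party trust policy for a higher-impact application. It assumes the AD FS cmdlets are available on the federation server, that a relying party trust named "Claims Web App" already exists, and uses a placeholder group SID.

```powershell
# Added example, not from the original page. Assumes the ADFS module is
# available, a relying party trust named "Claims Web App" exists, and the
# group SID below is replaced with a real one.
Import-Module ADFS

# Global policy: primary methods differ by location, as the page describes.
# Extranet: forms by default, plus certificate as a user-selectable option.
# Intranet: Integrated Windows Authentication, plus forms as an alternative.
# Certificate authentication is the additional (MFA) method.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @("FormsAuthentication", "CertificateAuthentication") `
    -PrimaryIntranetAuthenticationProvider @("WindowsAuthentication", "FormsAuthentication") `
    -AdditionalAuthenticationProvider @("CertificateAuthentication") `
    -DeviceAuthenticationEnabled $true

# Global MFA rule: require the additional method for every request that
# does not originate inside the corporate network (extranet access).
$extranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetMfaRule

# Per relying party trust policy for a higher-impact application: require MFA
# for members of a sensitive group regardless of location, and make users
# supply credentials on every sign-on to this application.
$sensitiveGroupSid = "S-1-5-21-PLACEHOLDER-1234"   # placeholder, replace with the real SID
$rpMfaRule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sensitiveGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Set-AdfsRelyingPartyTrust -TargetName "Claims Web App" `
    -AdditionalAuthenticationRules $rpMfaRule `
    -AlwaysRequireAuthentication $true

# Verify the effective settings at both scopes.
Get-AdfsGlobalAuthenticationPolicy
Get-AdfsAdditionalAuthenticationRule
Get-AdfsRelyingPartyTrust -Name "Claims Web App" |
    Select-Object Name, AlwaysRequireAuthentication, AdditionalAuthenticationRules
```

Because either scope can trigger MFA, check both outputs when a user is unexpectedly prompted (or not prompted) for the additional method.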

For more information about multifactor authentication, see Solution Guide: Manage Risk with MFA for Sensitive Applications. For step-by-step instructions about how to set up and verify multifactor authentication, see Walkthrough: Manage Risk with MFA for Sensitive Applications.