Federated users in Microsoft Entra ID may have to sign in two times before being prompted for MFA
This article discusses an issue in which federated users in Microsoft Entra ID must sign in two times before they can run MFA.
Original product version: Microsoft Entra ID
Original KB number: 4037806
Symptoms
Consider the following scenario:
- You have a Microsoft Entra tenant in which users are federated through Active Directory Federated Services (AD FS).
- In this tenant, Azure MFA Server or a third-party MFA provider is deployed in AD FS.
In this scenario, users may be forced to sign in by providing their user name and password two times before they are prompted for multi-factor authentication (MFA) and can complete the logon.
Cause
If the MsolDomainFederationSettings -SupportsMFA value is set to $true and the -PromptLoginBehavior value is set to TranslateToFreshPasswordAuth, Microsoft Entra ID sends the MFA request to the Identity Provider for step-up authentication. Microsoft Entra ID also asks for a fresh user login. This is accomplished by sending the following parameters to AD FS:
wauth=http://schemas.microsoft.com/claims/multipleauthn
wfresh=0
When this occurs, user is prompted a second time for their user name and password regardless of whether they just logged in. Users are prompted for MFA only after they enter their credentials a second time.
Resolution
To resolve this issue, you must configure Microsoft Entra ID to let AD FS natively handle this request by changing the -PromptLoginBehavior setting to NativeSupport. To do this, follow these steps:
Important
Your AD FS deployment must be running on Windows Server 2016 or Windows Server 2012 R2, and must have the July 2016 update KB 3172614 installed.
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
Run the following
Connectcommand to sign in to your Microsoft Entra ID administrator account:Connect-MsolserviceNote
Run this command every time that you start a new session.
Configure Microsoft Entra ID to run federated user authentication by using the prompt=login behavior. This prevents the user from having to begin a new authentication. For example, run a command such as the following that includes your tenant-specific information:
Set-MsolDomainFederationSettings -DomainNameyour_domain_name-PreferredAuthenticationProtocol <current auth setting such as WsFed> -SupportsMfa $True -PromptLoginBehavior NativeSupport
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for