How to exclude certain users from MFA in ADFS 3.0





Although we do not recommend excluding any users from 2FA, some organizations have their own justifications for excluding certain users from MFA. ADFS 3.0 (Windows Server 2012 R2) has no GUI for such a policy, so you have to amend the claims rules with PowerShell; Windows Server 2016 and later expose this setting in the GUI.


Let's assume you applied MFA by adding the group "Domain Users" in the Edit Authentication Policy dialog. To exclude specific users from MFA, create another security group (EX_MFA in the example below), add the required users to it, then apply the custom rule below:


1. Get the SID of the Domain Users group (S-1-5-21-<domain>-513, i.e. your domain SID with the well-known RID 513) and the SID of the EX_MFA group.

2. Build the rule and apply it to the relying party (replace the two <...> placeholders with the SIDs from step 1):

# Require MFA for members of Domain Users unless they are also members of EX_MFA.
$MFAEX = 'exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "<Domain Users SID>"]) && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "<EX_MFA SID>"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

# Look up the relying party trust by its display name in ADFS.
$RelayParty = Get-AdfsRelyingPartyTrust -Name "Relay Party Name in ADFS"

# Replace the relying party's additional authentication rules with the custom rule.
Set-AdfsRelyingPartyTrust -TargetRelyingParty $RelayParty -AdditionalAuthenticationRules $MFAEX


After applying the custom rule, you will no longer be able to amend the MFA settings of this relying party from the GUI; to get the GUI back, you have to set AdditionalAuthenticationRules back to its old value.
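A fuller version of the same procedure, as an added example rather than the post's own script: it resolves the two group SIDs with the ActiveDirectory module instead of pasting them by hand, backs up the relying party's current AdditionalAuthenticationRules so the GUI-managed state can be restored later, and verifies what ADFS stored. The relying party name, the exclusion group name EX_MFA and the backup path are assumptions.

```powershell
# Added example, not the blog's own script. Assumes the RSAT ActiveDirectory module is
# installed on the ADFS server, a relying party trust named "Relay Party Name in ADFS"
# exists, and the exclusion group is called EX_MFA.
Import-Module ActiveDirectory
Import-Module ADFS

$RpName       = "Relay Party Name in ADFS"   # assumed relying party display name
$ExcludeGroup = "EX_MFA"                     # assumed exclusion security group
$BackupFile   = "C:\Temp\$($RpName -replace '[^\w]', '_')-AdditionalAuthRules.txt"  # assumed path

# Resolve the SIDs instead of copying them by hand (Domain Users always carries RID 513).
$DomainUsersSid = (Get-ADGroup -Identity "Domain Users").SID.Value
$ExcludeSid     = (Get-ADGroup -Identity $ExcludeGroup).SID.Value

$GroupSidType   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$AuthMethodType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$MfaValue       = "http://schemas.microsoft.com/claims/multipleauthn"

# Rule: require MFA for members of Domain Users unless they are also in the exclusion group.
# A here-string is used so the embedded double quotes need no escaping.
$MfaRule = @"
@RuleName = "Require MFA for Domain Users except $ExcludeGroup"
exists([Type == "$GroupSidType", Value == "$DomainUsersSid"])
 && NOT exists([Type == "$GroupSidType", Value == "$ExcludeSid"])
 => issue(Type = "$AuthMethodType", Value = "$MfaValue");
"@

$Rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $Rp) { throw "Relying party '$RpName' not found" }

# Back up the current rules first: once a custom rule is set, the MFA page in the GUI
# is no longer editable for this relying party, and restoring this value brings it back.
Set-Content -Path $BackupFile -Value ([string]$Rp.AdditionalAuthenticationRules)

Set-AdfsRelyingPartyTrust -TargetRelyingParty $Rp -AdditionalAuthenticationRules $MfaRule

# Verify what ADFS actually stored.
(Get-AdfsRelyingPartyTrust -Name $RpName).AdditionalAuthenticationRules

# To return to the GUI-managed state later, apply the backed-up value again:
# Set-AdfsRelyingPartyTrust -TargetRelyingParty $Rp -AdditionalAuthenticationRules (Get-Content -Raw $BackupFile)
```

Run this in an elevated PowerShell session on the ADFS server; test the result with one excluded and one non-excluded account before rolling it out.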





