Microsoft Azure MFA

Configure Active Directory Federation Services to request Multi-Factor Authentication only from external users

When you enable Azure MFA on a tenant, you get the option to configure IP whitelisting (trusted IPs). Another nice feature is to require MFA only when the users do not originate from the intranet, that is, to skip MFA for requests from federated users on your intranet. In a multisite environment, with offices located all over the world, or if you do not have a persistent IP from your internet service provider, this is like gold!

If you want this to work, you have to do some configuration on your Active Directory Federation Services (ADFS) server. Along with the normal claims it issues to Azure AD, ADFS also has to send one more:

http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork

Alongside enabling this, I'll also configure the service so that users can check the Keep me signed in box.

Configuration time

Sign in to your ADFS server and open the ADFS Management Console. Browse to Trust Relationships -> Relying Party Trusts. There you find Microsoft Office 365 Identity Platform.

Microsoft Office 365 Identity Platform

Right-click it and select Edit Claim Rules…

You now see the default claim rules configured for Office 365. We will add two rules here: one for the Inside Corporate Network feature and one for the Keep me signed in feature.

Before adding additional claims

First, the Inside Corporate Network setting. Click Add Rule… and from the dropdown menu select Pass Through or Filter an Incoming Claim.

New pass-through claim

Then give the rule a good name, and set the Incoming claim type to Inside Corporate Network. Leave the default Pass through all claim values selected. That is it.

InsideCorporateNetwork Claim

The next one is for Keep me signed in. Add a new rule, and from the dropdown menu select Send Claims Using a Custom Rule.

Custom Rule

On the next page, give the rule a good name, and add this custom rule, which simply passes the psso (persistent SSO) claim through to Azure AD:

c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
 => issue(claim = c);

psso claim

That is all. Users with MFA enabled no longer get a request to verify their authentication when they originate from the intranet. Two things to check before you rely on this: the option to skip MFA for federated users on the intranet must also be turned on in the Azure MFA service settings, and ADFS sets insidecorporatenetwork to true for any request that reaches the federation servers directly instead of through the federation proxy. Make sure external clients cannot reach the internal ADFS endpoints (for example through DNS or firewall mistakes), or they will skip MFA too.
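The same two claim rules can be added from PowerShell instead of clicking through the console, which is handy when you have several ADFS farms or want the change in a script. This is an added example, not code from the original post. It assumes an AD FS server on Windows Server 2012 R2 (where the ADFS module and the psso claim exist) and the default Office 365 relying party trust name shown in the console; adjust $rpName if yours differs.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on the primary AD FS server (Windows Server 2012 R2 assumed).
Import-Module ADFS

$rpName = "Microsoft Office 365 Identity Platform"   # default O365 trust name; adjust if yours differs

# The two rules from the post, in claim rule language. Each @RuleName is what shows up
# in the Edit Claim Rules dialog.
$rules = [ordered]@{
    "insidecorporatenetwork" = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through InsideCorporateNetwork"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
 => issue(claim = c);
'@
    "2014/03/psso" = @'
@RuleName = "Pass through psso (Keep me signed in)"
c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
 => issue(claim = c);
'@
}

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

# Keep the existing Office 365 rules and only append the ones that are missing,
# so the script is safe to run more than once.
$ruleSet = $rp.IssuanceTransformRules
$added   = 0
foreach ($marker in $rules.Keys) {
    if ($ruleSet -notmatch [regex]::Escape($marker)) {
        $ruleSet += "`r`n" + $rules[$marker]
        $added++
    }
}

if ($added -gt 0) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $ruleSet
    Write-Host "Added $added claim rule(s) to '$rpName'."
} else {
    Write-Host "Both claim rules already present on '$rpName'."
}

# Show the Keep me signed in checkbox on the AD FS sign-in page (2012 R2 setting).
Set-AdfsProperties -EnableKmsi $true

# Verify: both claim types should now appear in the issuance transform rules.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules |
    Select-String -Pattern "insidecorporatenetwork", "2014/03/psso"
```

The pass-through rules are written out in full (with @RuleTemplate / @RuleName) so they look identical to the rules the wizard generates, and the script reads the current rule set before appending, so existing Office 365 rules are not lost. After running it, sign in from an external network and confirm that MFA is still requested; if it is not, the request is reaching the federation servers without going through the proxy.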

Final result


My slides from the What’s hot session in Stavanger April 3, 2014

Thank you to all who attended the What's hot seminar in Stavanger yesterday and the session about Windows Azure by me and Anders Borchsenius from Microsoft.

I have made my slides and notes available on my OneDrive for you to download if you like: http://1drv.ms/Pq6bMV

The slides are in Norwegian, but basically they show how to activate MFA on a Windows Azure Active Directory tenant, and a quick demo of how to activate MFA for a user.

Since the links on the last page aren't clickable, I also post them below: