Hi mates. Today we’re going to explain how to do a phased migration between additional authentication providers using an AD FS authentication policy based on Active Directory security groups.
In the scenario below I consider a migration from MFA Server to Azure MFA, but the same plan applies to any additional authentication method configured on AD FS.
Note: This article assumes that you have correctly configured both additional authentication providers and that users are already able to use each of them as a second factor of authentication.
Scenario:
Additional MFA providers:
– Azure MFA (AzureMfaAuthentication)
– MFA Server (AzureMfaServerAuthentication)
Policy goals:
– Users belonging to security group ‘Azure-MFA-Users’ SHOULD be prompted by Azure MFA
– Users not belonging to group ‘Azure-MFA-Users’ SHOULD be prompted by MFA Server
Retrieving the security group’s SID
On a domain controller, run this PowerShell command to get the SID of group ‘Azure-MFA-Users’:
Get-ADGroup -Identity 'Azure-MFA-Users'
Retrieving the additional authentication providers available on AD FS
To configure the additional rule, we need the names of the additional authentication providers that are available on AD FS. To list them, run the command below in PowerShell:
Get-AdfsAuthenticationProvider | Where-Object { $_.AllowedForAdditionalAuthentication -eq $true } | Format-List Name

With the security group’s SID and the additional authentication provider names collected, let’s configure and enable the rule.
Configuring the additional rule for the MFA provider’s phased migration
Let’s start by clearing the current Access Control Policy of the Relying Party Trust for Office 365. The same steps apply to any Relying Party configured on AD FS.
Clear the ACP for Office 365 by running the PowerShell command below on the primary AD FS server:
Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform Worldwide' -AccessControlPolicyName:$null
On the primary AD FS server, run the PowerShell commands below to add the policy to the Office 365 RPT:
$mfarule = 'exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-1395181644-XXXXXXXX-229275251-277101"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "AzureMfaAuthentication");
NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-1395181644-XXXXXXXX-229275251-277101"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "AzureMfaServerAuthentication");
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform Worldwide" -AdditionalAuthenticationRules $mfarule
Note: Update the commands above for your own environment (group SIDs, Relying Party Trust name, etc.).
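As an added example (my script, not the article’s own commands), here is the whole procedure of this section collected into one run: it resolves the SID from the group name instead of pasting it, checks that both provider names are actually registered for additional authentication on the farm, builds the rule, lets New-AdfsClaimRuleSet validate the syntax before anything touches the RPT, clears the ACP, applies the rule and reads it back. The group, RPT and provider names are the ones used in the article; the variable names and the exact-match comparison are my choices.

```powershell
# Added example, not the article's code. Run on the primary AD FS server with the
# ActiveDirectory and ADFS modules installed. Names below are the article's scenario.
Import-Module ActiveDirectory
Import-Module ADFS

$GroupName   = 'Azure-MFA-Users'
$RptName     = 'Microsoft Office 365 Identity Platform Worldwide'
$NewProvider = 'AzureMfaAuthentication'        # members of the group
$OldProvider = 'AzureMfaServerAuthentication'  # everyone else

# 1. Resolve the SID at run time. A typo in a hand-copied SID does not error out;
#    it silently routes every user to the fallback provider.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 2. Refuse to continue unless both providers are registered for additional auth,
#    otherwise the rule would issue a provider name AD FS cannot honour.
$available = Get-AdfsAuthenticationProvider |
    Where-Object { $_.AllowedForAdditionalAuthentication } |
    Select-Object -ExpandProperty Name
foreach ($p in @($NewProvider, $OldProvider)) {
    if ($available -notcontains $p) {
        throw "Provider '$p' is not registered for additional authentication on this farm."
    }
}

# 3. Build the rule. '==' is an exact string comparison; the article's '=~' is a
#    regular-expression match that also accepts any SID merely containing this one.
$claimsGroupSid   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$claimsProvider   = 'http://schemas.microsoft.com/claims/authnmethodsproviders'
$claimsAuthMethod = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$multipleAuthn    = 'http://schemas.microsoft.com/claims/multipleauthn'

$mfaRule = @"
exists([Type == "$claimsGroupSid", Value == "$GroupSid"])
 => issue(Type = "$claimsProvider", Value = "$NewProvider");
NOT exists([Type == "$claimsGroupSid", Value == "$GroupSid"])
 => issue(Type = "$claimsProvider", Value = "$OldProvider");
 => issue(Type = "$claimsAuthMethod", Value = "$multipleAuthn");
"@

# 4. New-AdfsClaimRuleSet parses the rule text and throws on a syntax error,
#    so a broken rule never reaches the relying party trust.
$ruleSet = New-AdfsClaimRuleSet -ClaimRule $mfaRule

# 5. Clear the Access Control Policy first (as the article does: while an ACP is
#    assigned, the RPT's rules are managed by that policy), then apply the rule set.
Set-AdfsRelyingPartyTrust -TargetName $RptName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $RptName -AdditionalAuthenticationRules $ruleSet.ClaimRulesString

# 6. Read the rules back so the change is verified rather than assumed.
(Get-AdfsRelyingPartyTrust -Name $RptName).AdditionalAuthenticationRules
```

One detail worth keeping in mind when you adapt the article’s rule: `=~` matches a regular expression, so `Value =~ "S-1-5-21-…-277101"` also matches a group whose RID is, say, 2771010. With a single pilot group that is harmless, but for an allow/deny decision an exact `==` comparison (as in the script) removes the ambiguity.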

Testing the policy
To tell the two providers apart during the test, I’ve configured MFA Server to use an SMS code and Azure MFA to use the Authenticator App as the verification method for user ‘Ent-teste’.
Test user NOT belonging to security group ‘Azure-MFA-Users’
To test the policy, let’s sign in to portal.azure.com with account ‘Ent-teste’.

I am redirected to AD FS based on the account’s verified domain shown above.
Once I provide the username and password, I am prompted for the additional authentication method: a code sent via SMS. Let’s click Continue.

Once I provide the received SMS code, the authentication is successful.

Test user belonging to security group ‘Azure-MFA-Users’
After adding user ‘Ent-teste’ to group ‘Azure-MFA-Users’, I access the same application, portal.azure.com. We expect an MFA prompt for the Authenticator App, as it is defined as the default method for this user.

With the user added to the security group configured for Azure MFA, we receive the Authenticator App prompt for a code, as below:

Summary
In this article, we covered how to do a phased migration between additional authentication providers using AD FS authentication policy based on Active Directory security groups.
I hope you have enjoyed reading this article and it helps you manage your AD FS environment.
Enjoyed the article? Like and share. 🙂
Note: I do not represent the organization I work for; all the opinions expressed here are my own. This post is provided AS IS with no warranties or guarantees and confers no rights.
In case you have any suggestions or feedback, please leave a comment.
[ ]’s
Ulysses Neves
Hi Ulysses,
Great article! I’m trying to implement this in an environment using your instructions, but I have a requirement to only prompt for MFA when outside the corporate network. I’m struggling with the syntax for this and was hoping you could help me out.
Thanks,
DS
Hello DS. Thanks for the feedback on this. To add the ability to request MFA only when users come from the extranet, you can use the http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork = false parameter. You can add the rule with the parameters below:
c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Fantastic writeup! I’m actually going through this right now, but with different authentication providers. I’m having trouble combining the ability to force MFA only when users come from the extranet. I’m using the below, but it’s still not working on the internet to force MFA.
# Read the current rules of the RPT (assumed: the comment does not show how $old was set)
$old = (Get-AdfsRelyingPartyTrust -Name "dev archibus").AdditionalAuthenticationRules
# Append any new rules to the variable
$new = $old + 'c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'
# Prepare the new set of rules
$newset = New-AdfsClaimRuleSet -ClaimRule $new
# And finally, set the new rules
Set-AdfsRelyingPartyTrust -TargetName "dev archibus" -AdditionalAuthenticationRules $newset.ClaimRulesString
Finally my output shown below:
AdditionalAuthenticationRules : exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2121103884-806620016-247139262-135781"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "SecurIDv2Authentication");
 NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2121103884-806620016-247139262-135781"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "CertificateAuthentication");
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
 c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Any help is appreciated.
Hello Ronald. Thanks for the feedback on this. The code below helps you work with both internal and external conditions, with different MFA providers per group SID:
$mfarule = '
exists([type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "true"])
 => add(Type = "http://MFABypass", Value = "internal");
exists([type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value =~ "S-1-5-21-1395181644-3973653225-229275251-265101"])
 => add(Type = "http://MFABypass", Value = "whitelistgroup");
not exists([Type == "http://MFABypass", Value =~ "(internal|whitelistgroup)"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-1395181644-3973653225-229275251-XXXXXX"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "SMS PASSCODE");
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-1395181644-3973653225-229275251-XXXXXX"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", Value = "AzureMfaAuthentication");
'
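As an added example covering the two replies above (the extranet-only rule given to DS and the combined internal/whitelist rule given to Ronald), and not the replies’ own code: the same bypass pattern, an intermediate http://MFABypass claim set by add() and tested by a single NOT exists, written as a script that resolves every SID from a group name and validates the rule with New-AdfsClaimRuleSet before applying it. The group names ‘MFA-Bypass-Users’ and ‘MFA-SMS-Users’ are hypothetical, as is the RPT name; the provider names are the ones quoted in the thread.

```powershell
# Added example, not the reply's code. Group names below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module ADFS

$RptName       = 'Microsoft Office 365 Identity Platform Worldwide'  # assumed RPT
$BypassGroup   = 'MFA-Bypass-Users'   # hypothetical: members are never prompted
$SmsGroup      = 'MFA-SMS-Users'      # hypothetical: members use provider "SMS PASSCODE"
$AzureMfaGroup = 'Azure-MFA-Users'    # members use AzureMfaAuthentication

# Resolve every SID from its group name so none is hand-copied into the rule text.
$sid = @{}
foreach ($g in @($BypassGroup, $SmsGroup, $AzureMfaGroup)) {
    $sid[$g] = (Get-ADGroup -Identity $g).SID.Value
}

$claimsGroupSid   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$claimsInsideNet  = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$claimsAuthMethod = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$claimsProvider   = 'http://schemas.microsoft.com/claims/authnmethodsproviders'
$multipleAuthn    = 'http://schemas.microsoft.com/claims/multipleauthn'
$bypassClaim      = 'http://MFABypass'   # private marker type from the reply; add() keeps it out of the token

$mfaRule = @"
exists([Type == "$claimsInsideNet", Value == "true"])
 => add(Type = "$bypassClaim", Value = "internal");
exists([Type == "$claimsGroupSid", Value == "$($sid[$BypassGroup])"])
 => add(Type = "$bypassClaim", Value = "whitelistgroup");
NOT exists([Type == "$bypassClaim"])
 => issue(Type = "$claimsAuthMethod", Value = "$multipleAuthn");
exists([Type == "$claimsGroupSid", Value == "$($sid[$SmsGroup])"])
 => issue(Type = "$claimsProvider", Value = "SMS PASSCODE");
exists([Type == "$claimsGroupSid", Value == "$($sid[$AzureMfaGroup])"])
 => issue(Type = "$claimsProvider", Value = "AzureMfaAuthentication");
"@

# Parse first: a syntax error stops here instead of leaving the RPT half-configured.
$ruleSet = New-AdfsClaimRuleSet -ClaimRule $mfaRule

Set-AdfsRelyingPartyTrust -TargetName $RptName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $RptName -AdditionalAuthenticationRules $ruleSet.ClaimRulesString

# Confirm what is now bound to the RPT.
(Get-AdfsRelyingPartyTrust -Name $RptName).AdditionalAuthenticationRules
```

Two things to check when testing this kind of rule. First, the multipleauthn claim is what triggers the second-factor prompt; the provider claims only choose which provider handles it, so a user in the bypass group or on the internal network gets a provider claim but no prompt. Second, insidecorporatenetwork is set to true for requests that reach the farm without passing through the Web Application Proxy, so the internal bypass is only as reliable as the proxy deployment in front of AD FS; confirm from the proxy that an extranet sign-in really arrives with the claim set to false before relying on it.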
So no matter what Additional Authentication Rule I enter, it does not get used. What Issuance Authentication Rules do you have? Are there any other configurations needed for ADFS to consider the Additional Authentication (I have 2019 FBL 4)
Hello Ahmad. Thanks for bringing that up. In the specific command mentioned in the article, ‘Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform Worldwide" -AdditionalAuthenticationRules $mfarule’, we bind the content of the variable $mfarule to the RPT “Microsoft Office 365 Identity Platform Worldwide”. Additional authentication rules can only be applied using PowerShell; more information can be found in this article: https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust?view=windowsserver2022-ps
Question for you: Do you receive any error message after applying the additional rule or the rule is not applying as expected?