Office 365 MFA Requirements

Has anyone that is using NAM and AA for federated SSO to Office 365 been concerned about Microsoft's upcoming requirements to enforce MFA?

I cannot find anything very definitive on this.  Some things I read seem to indicate if you set SupportsMFA to true in your domain federation settings you are fine, others seem to indicate you need to include AuthNMethodsReferences as a claim with a value of MultipleAuthN.

Matt

Labels:

Access Manager
Reply

    So I tested this in my test/lab tenant.  I used the Graph API to set FederatedIdPMfaBehavior to "enforceMfaByFederatedIdP".  There are more options when you use the Graph API, it's not just true or false.

    I also added just the one attribute as a constant like this:

    <saml:Attribute xmlns:xs="www.w3.org/.../XMLSchema"
                    xmlns:xsi="www.w3.org/.../XMLSchema-instance"
                    Name="authnmethodsreferences"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:string">schemas.microsoft.com/.../multipleauthn</saml:AttributeValue>
    </saml:Attribute>

    I didn't even add the namespace, just to see what would happen.

    It all works, but how can I tell if it is satisfying Microsoft's requirements?

    Matt

Reply

    So this is not working for me.  I enforced MFA on a test user.

    What I see when I try to log in is a request like this:

    <samlp:AuthnRequest ID="_b94585e6-7ae6-4174-9bf2-94608ed2108d" Version="2.0"
                        IssueInstant="2024-09-26T14:29:56.154Z"
                        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
    </samlp:AuthnRequest>

    Then NAM generated the Response, including my constant:

    <saml:Attribute xmlns:xs="www.w3.org/.../XMLSchema"
                    xmlns:xsi="www.w3.org/.../XMLSchema-instance"
                    Name="schemas.microsoft.com/.../authnmethodsreferences"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:string">schemas.microsoft.com/.../multipleauthn</saml:AttributeValue>
    </saml:Attribute>

    I added the namespace, but I don't know why it is not including it.

    Then Microsoft sends this:

    <samlp:AuthnRequest ID="_781d6d53-067d-4b29-9901-efc758309789" Version="2.0"
                        IssueInstant="2024-09-26T14:30:13.567Z"
                        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
      <samlp:RequestedAuthnContext>
        <samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">schemas.microsoft.com/.../multipleauthn</samlp:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    And that is where I fail:

    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext" />
    </samlp:StatusCode>

    I'll try your virtual attribute solution from the other post.

    Matt
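The exchange above ends in NoAuthnContext because the second AuthnRequest carries a RequestedAuthnContext for the multipleauthn class, and emitting the authnmethodsreferences attribute as a constant on its own did not satisfy it. As an added example that is not part of the thread and not NetIQ Access Manager code, the Python script below parses an AuthnRequest and a Response and reports whether the asserted AuthnContextClassRef matches what was requested, alongside the status codes and the attribute value, so a captured pair of messages can be checked offline. The sample request and responses are constructed, modelled on the ones quoted in the thread; the full claim URIs under schemas.microsoft.com/claims/ are assumed to be the untruncated forms of the values shown, and the IdP issuer is a placeholder.

```python
"""Check whether a SAML Response satisfies the RequestedAuthnContext in an
AuthnRequest of the kind Office 365 sends when MFA is enforced.

Added example, not code from the thread or from NetIQ Access Manager. The two
claim URIs are assumed to be the full forms of the truncated values quoted in
the thread; the sample messages are constructed for this script.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MFA_CLASS = "http://schemas.microsoft.com/claims/multipleauthn"          # assumed full URI
AMR_ATTR = "http://schemas.microsoft.com/claims/authnmethodsreferences"  # assumed full URI
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed AuthnRequest modelled on the second request in the thread.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest ID="_req1" Version="2.0"
    IssueInstant="2024-09-26T14:30:13.567Z" xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>{MFA_CLASS}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed failure Response with the nested status codes quoted in the thread.
SAMPLE_RESPONSE_FAIL = f"""<samlp:Response ID="_resp1" Version="2.0" xmlns:samlp="{SAMLP}">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed success Response: the AuthnStatement asserts the requested class
# and the authnmethodsreferences attribute carries the same value.
SAMPLE_RESPONSE_OK = f"""<samlp:Response ID="_resp2" Version="2.0" xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-09-26T14:30:20.000Z">
    <saml:Issuer>https://idp.example.test/nidp/saml2/metadata</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-09-26T14:30:19.000Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{MFA_CLASS}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AMR_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">{MFA_CLASS}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _local(tag):
    # Strip the {namespace} prefix ElementTree puts on qualified tag names,
    # so the odd prefix rebinding seen in Microsoft's request does not matter.
    return tag.rsplit("}", 1)[-1]


def _texts(xml, local_name):
    # Text of every element with the given local name, in document order.
    root = ET.fromstring(xml)
    return [el.text.strip() for el in root.iter() if _local(el.tag) == local_name and el.text]


def requested_classes(request_xml):
    """AuthnContextClassRef values the SP asks for in RequestedAuthnContext."""
    return _texts(request_xml, "AuthnContextClassRef")


def asserted_classes(response_xml):
    """AuthnContextClassRef values the IdP asserted in its AuthnStatement(s)."""
    return _texts(response_xml, "AuthnContextClassRef")


def status_codes(response_xml):
    """Outer and nested StatusCode values, outer first."""
    root = ET.fromstring(response_xml)
    return [el.get("Value") for el in root.iter() if _local(el.tag) == "StatusCode"]


def amr_values(response_xml):
    """Values of the authnmethodsreferences attribute, if the IdP emitted it."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iter():
        if _local(attr.tag) == "Attribute" and attr.get("Name") == AMR_ATTR:
            values += [v.text.strip() for v in attr if _local(v.tag) == "AttributeValue" and v.text]
    return values


def check_mfa(request_xml, response_xml):
    """Report whether the Response satisfies the request's RequestedAuthnContext.

    The attribute is reported for reference only; what is matched against the
    request is the asserted AuthnContextClassRef.
    """
    requested = requested_classes(request_xml)
    codes = status_codes(response_xml)
    asserted = asserted_classes(response_xml)
    succeeded = codes[:1] == [STATUS_SUCCESS]
    context_ok = not requested or any(c in asserted for c in requested)
    return {"requested": requested, "status": codes, "asserted": asserted,
            "amr": amr_values(response_xml), "satisfied": succeeded and context_ok}
```

Run check_mfa() on a captured AuthnRequest and the Response your IdP returned for it: if "requested" lists the multipleauthn class but "asserted" does not contain it, the IdP is answering with the wrong authentication context regardless of which attributes it adds, which is the situation the trace above shows.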