Office 365 MFA Requirements

Has anyone that is using NAM and AA for federated SSO to Office 365 been concerned about Microsoft's upcoming requirements to enforce MFA?

I cannot find anything very definitive on this. Some things I read seem to indicate that if you set SupportsMFA to true in your domain federation settings you are fine; others seem to indicate you need to include AuthNMethodsReferences as a claim with a value of MultipleAuthN.

Matt


    So I tested this in my test/lab tenant. I used the Graph API to set FederatedIdPMfaBehavior to "enforceMfaByFederatedIdP". There are more options when you use the Graph API; it's not just true or false.

    I also added just the one attribute as a constant like this:

    <saml:Attribute xmlns:xs="www.w3.org/.../XMLSchema"
    xmlns:xsi="www.w3.org/.../XMLSchema-instance"
    Name="authnmethodsreferences"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
    >
    <saml:AttributeValue xsi:type="xs:string">schemas.microsoft.com/.../saml:AttributeValue>
    </saml:Attribute>

    I didn't even add the namespace just to see what would happen.

    It all works, but how can I tell if it is satisfying Microsoft's requirements?

    Matt
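
Added example, not part of the thread and not NAM or Microsoft code: one way to see what the IdP actually sends is to decode a SAMLResponse captured from a lab sign-in and classify the authnmethodsreferences attribute. The full claim URIs are assumed from Microsoft's federation documentation, and the function and status names are hypothetical; the result shows what the IdP emits, not how Microsoft evaluates it.

```python
import base64
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed from Microsoft's federation documentation, not taken from the post.
AMR_NAME = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"


def check_mfa_claim(saml_response_b64):
    """Classify the MFA claim in a base64 SAMLResponse captured from your own IdP."""
    # ElementTree is acceptable for a lab capture you produced yourself;
    # it is not hardened for parsing XML from untrusted senders.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(f".//{{{ASSERTION_NS}}}EncryptedAssertion") is not None:
        return "assertion-encrypted", []  # attributes are not visible on the wire
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        name = attr.get("Name", "")
        # Match both the bare name and the fully qualified claim URI.
        if name.rsplit("/", 1)[-1].lower() != "authnmethodsreferences":
            continue
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue")]
        if MFA_VALUE not in (v.lower() for v in values):
            return "claim-without-mfa-value", values
        if name.lower() != AMR_NAME:
            return "mfa-value-under-short-name", values
        return "mfa-claim-present", values
    return "claim-missing", []


def sample_response(attr_name, attr_value):
    """Constructed, unsigned SAMLResponse for demonstration only."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{ASSERTION_NS}"><saml:Assertion><saml:AttributeStatement>'
        f'<saml:Attribute Name="{attr_name}">'
        f'<saml:AttributeValue>{attr_value}</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Short name without a namespace, as in the post above, then the full URI.
    print(check_mfa_claim(sample_response("authnmethodsreferences", MFA_VALUE)))
    print(check_mfa_claim(sample_response(AMR_NAME, MFA_VALUE)))
```

Feed it the base64 value of the SAMLResponse form field from a browser SAML tracer; if the IdP encrypts assertions, the check reports that instead of guessing.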