Office 365 MFA Requirements

Has anyone that is using NAM and AA for federated SSO to Office 365 been concerned about Microsoft's upcoming requirements to enforce MFA?

I cannot find anything very definitive on this. Some things I read seem to indicate that if you set SupportsMFA to true in your domain federation settings you are fine; others seem to indicate you need to include AuthNMethodsReferences as a claim with a value of MultipleAuthN.

Matt

Labels:

Access Manager
  • Verified Answer


    Sorry, I never got back to replying to this.  I got it figured out with support's help.

    I had to create a new contract and have this for the Allowable Class:

    http://schemas.microsoft.com/claims/multipleauthn

    I also had to set this option to "true" in the SP configuration:

    SAML2 AVOID AUTHNCONTEXT DECLARATION REFERENCE

    Once I did that, it worked.  I did not end up using Sebastijan's virtual attribute, I just used a Constant to add the authnmethodsreferences to the attribute statement:

    I've tested this with two different tenants now and it works.  Microsoft trusts that the federated IdP is enforcing MFA.

    Matt
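
To confirm that a setup like the one in the verified answer emits what Office 365 looks for, the following added example (not code from the thread or from the product) checks a captured SAML assertion for the `multipleauthn` class reference and the `authnmethodsreferences` attribute. The full attribute name URI, the reading of the "avoid declaration reference" option as replacing `AuthnContextDeclRef` with `AuthnContextClassRef`, and both sample assertions are assumptions constructed for illustration; the check covers structure only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MFA_URI = "http://schemas.microsoft.com/claims/multipleauthn"  # value from the post
AMR_SUFFIX = "authnmethodsreferences"  # assumed: matched as the tail of the attribute name

# Constructed sample: the assertion shape after the contract and constant are in place.
SAMPLE_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: declaration reference still sent, no MFA attribute.
SAMPLE_PASSWORD_ONLY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextDeclRef>urn:example:contract:name-password</saml:AuthnContextDeclRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""


def check_mfa_claims(assertion_xml):
    """Return a list of problems; an empty list means both MFA signals are present."""
    # Intended for assertions captured from your own IdP, not for untrusted XML.
    root = ET.fromstring(assertion_xml)
    problems = []
    class_refs = [e.text.strip()
                  for e in root.iterfind(".//saml:AuthnContextClassRef", NS) if e.text]
    if MFA_URI not in class_refs:
        problems.append(f"AuthnContextClassRef is {class_refs}, expected {MFA_URI}")
    if root.find(".//saml:AuthnContextDeclRef", NS) is not None:
        problems.append("AuthnContextDeclRef is present; the declaration reference was not avoided")
    amr = [v.text.strip()
           for a in root.iterfind(".//saml:Attribute", NS)
           if a.get("Name", "").lower().endswith(AMR_SUFFIX)
           for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    if MFA_URI not in amr:
        problems.append(f"authnmethodsreferences values are {amr}, expected {MFA_URI}")
    return problems


if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("password-only", SAMPLE_PASSWORD_ONLY)):
        print(name, check_mfa_claims(doc) or "MFA claims present")
```

An assertion that passes only shows what the IdP asserts; whether a second factor was actually enforced depends on the methods configured in the contract itself.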