Option with MFA

  • Question

  • Here what I understand:

    There are 2 MFA options with Office 365: MFA in the cloud (via Office 365 or Azure), and MFA Server.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion

    Is there a way to force a group of users (or, in this case, users with an iTunes device) to use Microsoft Authenticator as the second factor and force another group of users to use voice/SMS as the second factor?

    Thank you

    Sebastien

    Friday, May 17, 2019 2:17 PM

All replies

  • Hi Bistro,

    You cannot force specific users or groups to use specific methods. Well, you can disable some methods, or leave, say, text message as the only enabled method, but this will apply to all users, as it's a tenant-wide setting. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

    Users can also select a particular default, of course. 

    Feel free to make a feature request for this in User Voice. https://feedback.azure.com/forums/169401-azure-active-directory/category/160602-multi-factor-authentication
    Friday, May 17, 2019 9:46 PM
    Owner

    Yes, but I would advise against it.

    When you deploy Azure MFA Server on-premises, you can configure this option using MFA Server's tags. More granularly, you can configure this on a per-user basis. Another group of users, optionally divided by tags in MFA Server, can then be configured to use text message as the only enrollment option. However:

    • For the Microsoft Authenticator app, both the OATH TOTP and Mobile App methods need to be enabled. In your case, this might offer too much choice to the end-user.
    • When allowing end-users to enroll only one method, you do not follow Microsoft's recommended practice of enrolling two MFA methods, independent of any one device or location.
    • Through MFA Server, you can only control the methods that are available, not the one that is used or required.


    When you use Active Directory Federation Services (AD FS) in combination with Office 365, you can specify the authentication method to use on the 'Office 365 Identity Platform' relying party trust. However:

    • When an end-user performs the wrong method, the person is prompted for MFA again, without warning, until the right method is performed.
    • When forcing one method, there is no fallback method.
    Monday, May 20, 2019 11:53 AM
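The AD FS configuration mentioned in the reply above, as an added example that is not part of the original thread: it puts an additional authentication rule on the Office 365 relying party trust so that members of one AD group are always challenged for MFA (the multipleauthn claim), and leaves every other user with primary authentication only. The group name "MFA-Authenticator-Users" is an assumption for illustration; the cmdlets, claim types and claim values are the documented AD FS ones. Note that this rule decides whether a second factor is required, not which enrolled method the adapter will offer; the adapter itself is selected from the AD FS global authentication policy.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the primary AD FS server (AD FS 2012 R2 or later), with the
# ActiveDirectory RSAT module available.
Import-Module ADFS
Import-Module ActiveDirectory

# Assumed group name: members of this group must always satisfy MFA.
$groupName = "MFA-Authenticator-Users"
$groupSid  = (Get-ADGroup -Identity $groupName).SID.Value

# Display name of the Office 365 relying party trust created by Azure AD Connect.
$rpName = "Microsoft Office 365 Identity Platform"

# Additional authentication rule (AD FS claim rule language): when the
# incoming token carries the group SID, issue the multipleauthn
# authentication-method claim, which makes AD FS invoke the registered
# additional authentication provider before releasing the token.
$rule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Apply the rule to the Office 365 relying party trust only.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rule

# Check 1: the rule is stored on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules

# Check 2: an additional authentication provider (e.g. the Azure MFA Server
# AD FS adapter) is actually registered; without one the multipleauthn
# claim cannot be satisfied and sign-in for group members will fail.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

To undo the change, run `Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $null`. Because the rule is evaluated on every Office 365 sign-in for group members, test it with a pilot group before widening it, and keep a second MFA method enrolled for those users, since the reply above is right that a forced single method leaves no fallback.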