
How can one explicitly trigger an MFA prompt, e.g. from a web service, for Azure Active Directory or ADFS users?

An example scenario could be that after a user authenticates and starts a session with the web app, certain actions would be gated by an MFA verification.

I see there are workarounds that could establish similar behavior by using MFA for login and then having the software prompt for login, but SSO would prevent these prompts from always reaching the user:

The intent here is to trigger an MFA verification that is separate from auth.


1 Answer


The actions that require gating would need to be a resource that requires MFA. If the resource requires MFA and the user did not sign in with MFA, they will be prompted. This article appears to cover this use case:

Quickstart: Require MFA for specific apps with Azure Active Directory conditional access

To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud apps using a user name and a password. However, many environments have at least a few apps for which it is advisable to require a stronger form of account verification, such as multi-factor authentication (MFA). This might be true, for example, for access to your organization's email system or your HR apps. In Azure Active Directory (Azure AD), you can accomplish this goal with a conditional access policy.
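As an added illustration (not code from the question or the answer above), here is a Python sketch of the web-app side of this pattern: the gated action is served only when the session's token records an MFA sign-in, and otherwise the app answers with a challenge that sends the client back through the identity provider. The `amr` claim is the standard OIDC authentication-methods claim (RFC 8176); the `insufficient_claims` challenge header shape and the authentication-context id `c1` are assumptions about how the tenant's conditional access is configured, and the token is assumed to have been signature-validated already.

```python
import base64
import json

# Constructed sample claim sets, i.e. the payload of an already-validated
# ID/access token. Azure AD/ADFS put "mfa" in "amr" when MFA was satisfied.
TOKEN_PWD_ONLY = {"sub": "user-1", "amr": ["pwd"]}
TOKEN_WITH_MFA = {"sub": "user-1", "amr": ["pwd", "mfa"]}

# Assumed authentication-context id bound to an MFA conditional access policy.
STEP_UP_CONTEXT = "c1"


def signed_in_with_mfa(claims: dict) -> bool:
    """True when the token's amr claim records an MFA method."""
    amr = claims.get("amr", [])
    return isinstance(amr, list) and "mfa" in amr


def claims_challenge_header(acrs_value: str = STEP_UP_CONTEXT) -> str:
    """Build a WWW-Authenticate value asking the client to re-authenticate
    with an authentication-context claim (OIDC 'claims' request shape;
    the exact header format is an assumption, see lead-in)."""
    claims = {"access_token": {"acrs": {"essential": True, "value": acrs_value}}}
    raw = json.dumps(claims, separators=(",", ":")).encode()
    encoded = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f'Bearer realm="", error="insufficient_claims", claims="{encoded}"'


def decode_claims_challenge(header: str) -> dict:
    """Parse the claims JSON back out of a challenge header (for tests/logs)."""
    encoded = header.split('claims="', 1)[1].rstrip('"')
    padded = encoded + "=" * (-len(encoded) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def gate_sensitive_action(claims: dict) -> tuple:
    """Return (status, headers): 200 for MFA-backed sessions, else 401 with
    a challenge so the client re-authenticates and the IdP prompts for MFA."""
    if signed_in_with_mfa(claims):
        return 200, {}
    return 401, {"WWW-Authenticate": claims_challenge_header()}
```

Because the decision is driven by the token's claims rather than by the app's own login flow, it works the same whether the session was established interactively or silently via SSO.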