Arsam Farooq

Reputation: 1

Azure federated SSO MFA behavior: acceptIfMfaDoneByFederatedIdp not bypassing Azure default MFA

I am trying to enable SSO from an on-premises IdP to the Azure portal. SSO to the Azure portal is successful, but I am unable to bypass the MFA prompt from Azure.

Steps I performed:

  1. Created a domain federation configuration with federatedIdpMfaBehavior set to acceptIfMfaDoneByFederatedIdp ref
  2. Added an authentication method claims attribute to the SAML response:
<AttributeStatement>
    <Attribute Name="IDPEmail">
        <AttributeValue>user_email</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
    </Attribute>
</AttributeStatement>

But Azure still asks for MFA after successful authentication of the SAML response.

Upvotes: 0

Views: 619
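An added troubleshooting aid, written for this page and not taken from the question or from Microsoft: it parses a SAML response and reports where the `multipleauthn` value appears, checking the `authenticationmethod` attribute used in the question plus two other places an IdP may carry it, the `authnmethodsreferences` claim type and the SAML `AuthnContextClassRef`. The sample response is constructed to mirror the question; which of these locations Entra ID honours for a given IdP is an assumption to confirm against the Microsoft documentation linked in the answers.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Value that signals "multiple authentication factors were used" to Entra ID.
MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
# Attribute the question places the value in.
AUTHN_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
# Microsoft claim type listing the methods used (candidate location, see lead-in).
AUTHN_METHODS_REFS = "http://schemas.microsoft.com/claims/authnmethodsreferences"


def mfa_indicators(saml_xml: str) -> dict:
    """Return which of the three candidate locations carry the multipleauthn value."""
    root = ET.fromstring(saml_xml)
    found = {"authenticationmethod": False,
             "authnmethodsreferences": False,
             "AuthnContextClassRef": False}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text}
        if MULTIPLEAUTHN not in values:
            continue
        if attr.get("Name") == AUTHN_METHOD:
            found["authenticationmethod"] = True
        elif attr.get("Name") == AUTHN_METHODS_REFS:
            found["authnmethodsreferences"] = True
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    for ref in root.iterfind(path, NS):
        if ref.text and ref.text.strip() == MULTIPLEAUTHN:
            found["AuthnContextClassRef"] = True
    return found


# Constructed sample modelled on the question: the attribute is present, but the
# AuthnContextClassRef still describes a password-only login.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{AUTHN_METHOD}"><saml:AttributeValue>{MULTIPLEAUTHN}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(mfa_indicators(SAMPLE_RESPONSE))
```

Run it against a captured (decoded) SAML response to see at a glance which of the three locations the IdP actually populates.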

Answers (2)

Eric Choi

Reputation: 1

I have exactly the same situation as above. After setting the option to "acceptIfMfaDoneByFederatedIdp", Google 2SV is successful, but Azure keeps asking for its own MFA.

So it seems like Azure does not know whether or not the login session went through Google 2-Step Verification successfully.

Upvotes: 0

Ivan Carlos

Reputation: 1

Are you using modern auth in your Microsoft 365/Entra ID?

Also, do you have 2SV implemented in your Google accounts? I found this:

"Microsoft Entra ID accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Microsoft Entra ID performs the MFA"

https://learn.microsoft.com/en-us/graph/api/internaldomainfederation-update?view=graph-rest-1.0&tabs=http#federatedidpmfabehavior-values

So it may ask for MFA if you do not have similar auth on the other side (just a guess).

Upvotes: -2
