联邦域名的MFA! [英] MFA for federated domain!
问题描述
Hello Experts,
我有一个客户通过Okta联合他的域名来访问O365。 Okta正在为所有用户执行MFA,Azure中的用户状态表示MFA已禁用。他们正在观察风险警报,其中说明未启用用户的MFA,如果我们在Azure中启用MFA
我们是否会获得双倍MFA?或者有没有办法启用MFA但不能获得MFA两次?请建议!
谢谢,
热情的问候,
CreedHameed
CreedHameed
Hello CreedHameed,
如果您在Azure中启用MFA,系统会提示用户两次使用MFA。
为了确保仅提示一次MFA,OKTA应向Azure AD提交声明OKTA执行了MFA。
声明应如下所示:
< saml:Attribute AttributeNamespace = " HTTP://schemas.microsoft.com/claims"的AttributeName = QUOT; authnmethodsreferences">< SAML:的AttributeValue>瓮:绿洲:名称:TC:SAML:2.0:AC:类:PasswordProtectedTransport< / SAML:的AttributeValue>
< saml:AttributeValue> http://schemas.microsoft.com/ws/2012/12/authmethod/phoneconfirmation< / saml:AttributeValue> < SAML:的AttributeValue> HTTP://schemas.microsoft.com/claims/multipleauthn< / SAML:的AttributeValue>
这基本上表明OKTA执行了MFA,Azure之后将跳过MFA。您还需要确保"SupportsMFA"使用命令" Set-MsolDomainAuthentication ,参数也设置为
true
- DomainName < String> -SupportsMFA
真" 。此命令表明MFA将在IDP级别发生,在这种情况下是OKTA。
希望这有帮助。
Hello Experts,
I have a client you have federated his domain through Okta to access O365. Okta is doing MFA for all users and the user state in Azure says MFA disabled. They are observing risk alerts which says MFA for the user in not enabled, if we enable MFA in Azure are we going to get double MFA? Or is there any way to enable MFA but not get MFA twice? Kindly suggest!
Thank you,
Warm Regards,
CreedHameed
CreedHameed
Hello CreedHameed,
If you enable the MFA in Azure, users will be prompted twice for MFA.
In order to ensure MFA is prompted only once, OKTA should send a claim to Azure AD mentioning that OKTA performed the MFA.
The claim should look something like this:
<saml:Attribute AttributeNamespace="http://schemas.microsoft.com/claims" AttributeName="authnmethodsreferences"><saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AttributeValue> <saml:AttributeValue>http://schemas.microsoft.com/ws/2012/12/authmethod/phoneconfirmation</saml:AttributeValue> <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>This basically conveys that OKTA performed MFA and Azure will skip MFA after this. You also need to ensure that "SupportsMFA" parameter is also set to
true using the command "Set-MsolDomainAuthentication
-DomainName <String> -SupportsMFA
true" . This command indicates that MFA will happen at the IDP level which in this case is OKTA.Hope this helps.
这篇关于联邦域名的MFA!的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
