This document outlines the assertions Microsoft Entra ID requires from a federated identity provider (IdP) in order to honor the configured federatedIdpMfaBehavior values acceptIfMfaDoneByFederatedIdp and enforceMfaByFederatedIdp for Security Assertion Markup Language (SAML) and WS-Fed federation.
Tip
Configuring Microsoft Entra ID with a federated IdP is optional.
When an admin configures their Microsoft Entra ID tenant to use a federated IdP over WS-Fed federation, Microsoft Entra redirects the user to the IdP for authentication and expects a response in the form of a Request Security Token Response (RSTR) containing a SAML 1.1 assertion. If configured to do so, Microsoft Entra honors MFA done by the IdP when one of the following two claims is present:
http://schemas.microsoft.com/claims/multipleauthn
http://schemas.microsoft.com/claims/wiaormultiauthn
They can be included in the assertion as part of the AuthenticationStatement element, as the value of its AuthenticationMethod attribute. For example:
<saml:AuthenticationStatement
AuthenticationMethod="http://schemas.microsoft.com/claims/multipleauthn" ..>
<saml:Subject> ... </saml:Subject>
</saml:AuthenticationStatement>
Or they can be included in the assertion as part of the AttributeStatement element, as one of the AttributeValue entries of the authenticationmethod attribute. For example:
<saml:AttributeStatement>
<saml:Attribute AttributeName="authenticationmethod" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>...</saml:AttributeValue>
<saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
For SAML 1.1/WS-Fed, sign-in frequency uses UserAuthenticationInstant (the SAML assertion claim http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant), which is the AuthInstant of the first-factor (password) authentication, not of the MFA step.
When an admin configures their Microsoft Entra ID tenant to use a federated IdP over SAMLP/SAML 2.0 federation, Microsoft Entra redirects the user to the IdP for authentication and expects a response that contains a SAML 2.0 assertion. The inbound MFA assertion must be present in the AuthnContext element of the AuthnStatement. For example:
<AuthnStatement AuthnInstant="2024-11-22T18:48:07.547Z">
<AuthnContext>
<AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
For inbound MFA assertions to be processed by Microsoft Entra, they must be present in the AuthnContext element of the AuthnStatement. Only one method can be presented in this manner, because the AuthnContext carries a single AuthnContextClassRef value, so the IdP must emit the MFA claim URI there rather than the first-factor method.
For SAML 2.0, sign-in frequency uses the AuthnInstant provided in the AuthnStatement, whether that statement describes the MFA or the first-factor authentication. Any claims carried in the AttributeStatement section of the assertion are ignored, including http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactorauthenticationinstant.
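The placement rules from both the WS-Fed section and the SAML 2.0 section, applied to constructed sample assertions, as an added example. This is not code from the page or from Microsoft; it is a lint an IdP operator can run over their own token output, not Entra's implementation (a real relying party validates signature, audience and conditions before reading any claim, and this check assumes that has already happened). The issuer, subject, IDs and timestamps in the samples are placeholders, and the SAML 2.0 attribute-only sample uses illustrative attribute names to show that AttributeStatement values are ignored.

```python
import xml.etree.ElementTree as ET

MFA_CLAIMS = {"http://schemas.microsoft.com/claims/multipleauthn",
              "http://schemas.microsoft.com/claims/wiaormultiauthn"}  # accepted as "MFA done by IdP"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertions use the 1.0 namespace
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS_2008 = "http://schemas.microsoft.com/ws/2008/06/identity/claims"

def _text(el):
    return (el.text or "").strip()

def _check_saml11(assertion):
    """SAML 1.1 / WS-Fed: the MFA claim may sit in either statement type."""
    claims, instant = set(), None
    for stmt in assertion.iter(f"{{{SAML11}}}AuthenticationStatement"):
        # Path 1: AuthenticationMethod attribute of the AuthenticationStatement.
        if stmt.get("AuthenticationMethod") in MFA_CLAIMS:
            claims.add(stmt.get("AuthenticationMethod"))
    for attr in assertion.iter(f"{{{SAML11}}}Attribute"):
        if attr.get("AttributeNamespace") != CLAIMS_2008:
            continue
        values = [_text(v) for v in attr.iter(f"{{{SAML11}}}AttributeValue")]
        if attr.get("AttributeName") == "authenticationmethod":
            # Path 2: any AttributeValue of the authenticationmethod claim.
            claims.update(v for v in values if v in MFA_CLAIMS)
        elif attr.get("AttributeName") == "authenticationinstant" and values:
            instant = values[0]  # first-factor instant; sign-in frequency is measured from it
    return claims, instant

def _check_saml2(assertion):
    """SAML 2.0: only an AuthnContextClassRef inside an AuthnStatement counts."""
    claims, instant = set(), None
    for stmt in assertion.iter(f"{{{SAML2}}}AuthnStatement"):
        instant = instant or stmt.get("AuthnInstant")
        for ref in stmt.iter(f"{{{SAML2}}}AuthnContextClassRef"):
            if _text(ref) in MFA_CLAIMS:
                claims.add(_text(ref))
    # AttributeStatement is deliberately not consulted: Entra ignores it for SAML 2.0.
    return claims, instant

def evaluate(xml_text):
    """Which MFA claim(s) Entra would recognise, and the instant sign-in frequency uses."""
    root = ET.fromstring(xml_text.strip())
    for ns, proto, check in ((SAML2, "SAML 2.0", _check_saml2),
                             (SAML11, "SAML 1.1/WS-Fed", _check_saml11)):
        tag = f"{{{ns}}}Assertion"
        assertion = root if root.tag == tag else root.find(f".//{tag}")  # an RSTR wraps it
        if assertion is not None:
            claims, instant = check(assertion)
            return {"protocol": proto, "mfa_claims": claims, "authn_instant": instant, "mfa_honored": bool(claims)}
    raise ValueError("no SAML 1.1 or 2.0 assertion found")

# Constructed sample responses (not captured from any real IdP; issuer, subject and IDs are placeholders).
WSFED_RSTR = f"""<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="{SAML11}" MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="https://idp.example.test/" IssueInstant="2024-11-22T18:48:07Z">
   <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2024-11-22T18:48:07Z">
    <saml:Subject><saml:NameIdentifier>user@example.test</saml:NameIdentifier></saml:Subject>
   </saml:AuthenticationStatement>
   <saml:AttributeStatement>
    <saml:Attribute AttributeName="authenticationmethod" AttributeNamespace="{CLAIMS_2008}">
     <saml:AttributeValue>urn:oasis:names:tc:SAML:1.0:am:password</saml:AttributeValue>
     <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="authenticationinstant" AttributeNamespace="{CLAIMS_2008}">
     <saml:AttributeValue>2024-11-22T18:48:07Z</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

SAML2_OK = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_b1" Version="2.0" IssueInstant="2024-11-22T18:48:07.547Z">
 <saml2:Issuer>https://idp.example.test/</saml2:Issuer>
 <saml2:AuthnStatement AuthnInstant="2024-11-22T18:48:07.547Z">
  <saml2:AuthnContext>
   <saml2:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml2:AuthnContextClassRef>
  </saml2:AuthnContext>
 </saml2:AuthnStatement>
</saml2:Assertion>"""

# MFA claim only in the AttributeStatement (illustrative attribute names): Entra does not honor it.
SAML2_ATTR_ONLY = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_b2" Version="2.0" IssueInstant="2024-11-22T18:48:07.547Z">
 <saml2:Issuer>https://idp.example.test/</saml2:Issuer>
 <saml2:AuthnStatement AuthnInstant="2024-11-22T18:48:07.547Z">
  <saml2:AuthnContext>
   <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
  </saml2:AuthnContext>
 </saml2:AuthnStatement>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
   <saml2:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactorauthenticationinstant">
   <saml2:AttributeValue>2024-11-22T18:49:30Z</saml2:AttributeValue>
  </saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    for name, doc in (("WS-Fed RSTR", WSFED_RSTR), ("SAML 2.0", SAML2_OK), ("SAML 2.0 attr-only", SAML2_ATTR_ONLY)):
        print(name, evaluate(doc))
```

Running the three samples shows the asymmetry the page describes: the WS-Fed token is honored even though its AuthenticationStatement only says password, because the multipleauthn value is present in the authenticationmethod attribute; the SAML 2.0 token that puts the same value in an AttributeStatement is not honored, and its multifactorauthenticationinstant value is never read, so sign-in frequency is measured from the AuthnStatement's AuthnInstant.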