Windows Server 2016 or Windows Server 2019
To configure AD FS Multi-factor Authentication
-
Launch the AD FS Management console on your primary AD FS internal server and navigate to AD FS | Service | Authentication Methods.
-
Click the Edit link under Multi-factor Authentication Methods or click Edit Multi-factor Authentication Methods.
-
Select the box next to the One Identity Defender AD FS Adapter authentication method to enable MFA authentication. Click OK.
-
Go to AD FS | Access Control Policies and edit one of the existing MFA policies to apply it to users or groups. Alternatively, create a new MFA policy if no pre-defined policy is sufficient for your organization's MFA requirements.
-
Go to AD FS | Relying Party Trusts, right-click the relying party trust where you want to add Defender AD FS, and then select Edit Access Control Policy.
-
Pick a policy for the relying party that includes MFA and then click OK. The MFA policy immediately applies to the selected relying party.
Network Diagram
Diagramatic representations of Defender AD FS Adapter Authentication and Office 365 Integration are made in this section.
Defender AD FS Adapter Authentication
The Defender AD FS Adapter Authentication workflow is depicted in the diagram below.
Office 365 Integration
The process involved in the integration of Office 365 and Defender AD FS Adapter is depicted in the diagram below.
Test Your Setup
To test your setup, do the following:
- Using a web browser log in to a relying party for your AD FS deployment. For example, you can log into https://portal.microsoftonline.com to access Office 365.
- Complete primary authentication of your AD FS server. The two-factor authentication page is displayed.
- In the Token Response field, enter the response displayed on your token. The authentication type depends on the Defender policy that has been configured. For example, if Defender is configured to use a token policy, the Enter Synchronous Response prompt is displayed.