ADFS Configuration Scenario


#1

All,

Greetings. Wondering if the following scenario is possible, and if not, what would be the recommended course of action to take:

Currently, we have our Office 365 and another third-party application protected via Duo. As such, any logins to either application from our “trusted” IP addresses result in the Duo MFA prompt for a split second, then pass the ADFS login through as they are identified to originate from the aforementioned trusted network. Logins from outside our trusted IP addresses still prompt for MFA as expected.

We now have a new vendor and application that we are able to tie into our ADFS login, but this application needs to be prompted for MFA for all logins (note, the vendor has our IP addresses whitelisted, so no logins are permissible from any other network).

So, is the scenario as described possible without breaking our current configuration with ADFS, or are there other options to consider/implement?

Thanks in advance for any comments/solutions to my query.

Kevin


#2

Are these first two mentioned applications (O365 and the other) protected through ADFS/Duo plugin or are they Duo-protected apps that were added through the Duo portal -> Applications -> Protect Application?

In any case, you can configure ADFS relying party trusts to have MFA enforced per RPT rather than with a global policy and you can get pretty specific with the custom claims rules.

For example, you can force MFA only for a particular security group. Or force it for external traffic only (anything hitting the ADFS portal through the ADFS WAPs). Or force it for all devices and laptops internal/external except for iPhones, etc.

What version of ADFS do you use? 2.0, 3.0, or 4.0? 4.0 has some nicer built-in MFA policies that you can apply via the ADFS GUI Console… otherwise I recommend PowerShell:

https://help.duo.com/s/article/3174?language=en_US
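The per-relying-party approach described in the reply above, as an added PowerShell example that is not part of the thread or of Duo's documentation. It assumes ADFS 3.0 or later with the Duo adapter already registered as the additional authentication provider; the vendor RPT name, the group SID and the Office 365 RPT display name are placeholders to be replaced with the values from your own farm.

```powershell
# Added example (not from the thread): MFA enforced per relying party trust
# through AdditionalAuthenticationRules instead of a single global policy.
# RPT names and the group SID below are placeholders.

# Issuing this claim tells ADFS that a second factor is required.
$mfaClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$mfaValue = 'http://schemas.microsoft.com/claims/multipleauthn'

# 1) New vendor app: require MFA on every login, whatever the source network.
$alwaysMfa = @"
=> issue(Type = "$mfaClaim", Value = "$mfaValue");
"@

# 2) Existing apps: require MFA only for requests that did not come from inside
#    the corporate network (i.e. they arrived through the Web Application Proxy).
$externalOnlyMfa = @"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "$mfaClaim", Value = "$mfaValue");
"@

# 3) Variant: require MFA only for members of one security group (placeholder SID).
$groupOnlyMfa = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-SID"]
 => issue(Type = "$mfaClaim", Value = "$mfaValue");
"@

# Apply the rules to the individual trusts; the global policy is left untouched.
Set-AdfsRelyingPartyTrust -TargetName 'Vendor App (placeholder)' `
    -AdditionalAuthenticationRules $alwaysMfa
Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' `
    -AdditionalAuthenticationRules $externalOnlyMfa

# Verify what is actually configured before testing a login from each network.
Get-AdfsRelyingPartyTrust -Name 'Vendor App (placeholder)' |
    Select-Object Name, AdditionalAuthenticationRules
```

The insidecorporatenetwork claim is only reliable when external requests genuinely traverse the WAP, so confirm that path exists before relying on rule 2; an unset AdditionalAuthenticationRules value on a trust means the global policy applies to it.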