ADFS 2019 multiple MFA provider selection on Relying Party
When using ADFS SSO, users are normally prompted to pick one of the available MFA methods registered in the ADFS farm. With ADFS 2019 and later, if you have multiple providers registered, you can select the preferred MFA provider in claim rules at the relying party level. You can force users to use one method over another by converting the existing Access Control Policy to a compatible IssuanceAuthorizationPolicy on the selected relying party.
To allow scripted MFA customizations for a relying party on the ADFS server, you can install the SecureMFA_TDM module from the PS Gallery:
Install-Module -Name SecureMFA_TDM -Repository PSGallery -Scope AllUsers
Use the PowerShell command below. It updates the ADFS RelyingPartyTrust configuration to use "SecureMFA OTP Provider" and "Certificate authentication" for second-factor authentication. All other MFA providers will not be visible to users when they access the updated relying party.
Update-ADFS_RelyingPartyTrust -RP_Name 'claimapp4' -RPmode 'None' -SecureMfaOtpProvider -CertificateAuthentication
Below is a list of available options for second-factor authentication providers. An MFA provider must be registered on the ADFS farm before you can use it. For native MFA providers that come as part of the ADFS installation, you need to make sure that the global policies allow them to be used as a second-factor authentication option.
FormsAuthentication
WindowsAuthentication
CertificateAuthentication
DeviceAuthentication
AzurePrimaryAuthentication
AzureMfaAuthentication
MicrosoftPassportAuthentication
SecureMfaOtpProvider
SecureMfaEmailOtpProvider
SecureMfaApiOtpProvider
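A pre-flight check for the two prerequisites above (provider registered, provider allowed by the global policy), followed by the update and a look at the result. This is an added example, not code from the SecureMFA module or the original page; it assumes the built-in ADFS cmdlets in an elevated session on the primary ADFS server, and that the names in the list above are the names the providers are registered under.

```powershell
# Added example: validate the providers before restricting MFA on a relying party.
# 'claimapp4' and the two provider names are the ones used on this page.
Import-Module ADFS

$rpName = 'claimapp4'
$wanted = @('SecureMfaOtpProvider', 'CertificateAuthentication')

# Providers registered in the farm, and those the global policy allows as a second factor.
$registered = (Get-AdfsAuthenticationProvider).Name
$allowed    = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider

$problems = foreach ($p in $wanted) {
    if ($registered -notcontains $p) {
        "$p is not registered in the ADFS farm"
    } elseif ($allowed -notcontains $p) {
        "$p is not allowed for additional authentication by the global policy"
    }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the provider configuration before updating '$rpName'."
}

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party '$rpName' not found." }

# Save the current policy so the change can be reviewed or reverted by hand.
$rp | Select-Object Name, AccessControlPolicyName, IssuanceAuthorizationRules, AdditionalAuthenticationRules |
    Export-Clixml -Path ".\${rpName}-before.xml"

Update-ADFS_RelyingPartyTrust -RP_Name $rpName -RPmode 'None' -SecureMfaOtpProvider -CertificateAuthentication

# Show what the relying party enforces after the update.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Format-List Name, AccessControlPolicyName, IssuanceAuthorizationRules, AdditionalAuthenticationRules
```

Compare the saved XML with the final output to confirm that only the intended relying party policy changed.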