Hey Mark,

You can read this post about AD FS 2019, the configuration for primary auth: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/additional-authentication-methods-ad-fs

Tou your second question: AFAIK only OTP is available with AD FS 2016, but I have to test it with 2016 first as the blog is for 2019. I found the following statement in the above link:
“AD FS 2016 introduced Azure MFA as primary authentication so that OTP codes from the Authenticator App could be used as the first factor”

Hth,
Dominik

I implemented ADFS 2016 with Azure MFA. Now when I enable it, I can only provide a username and than the OTP from the Authenticator App. I’ve got two questions:

1. I want users to provide username and password first as the primary authentication method and after that, trigger MFA.
2. I want to use the Push Notification instead of entering the OTP.

Any ideas on how to configure this right?

You can use cert based authentication as primary auth method and sign in password-less.

Please have a look at my conference slides which are available at my blog for further information: Dominikhoefling.com

Yes, for Azure MFA P1 is needed. Or EMS E3 which includes P1.

Hi Sankar,

I would highly recommend to upgrade your AD FS infrastructure. All identity protection features are available starting with AD FS 2016+ (except MFA, that can be used with 2012 as well).

Best,
Dominik

please let us know whether it supported on ADSFS 2012

Hi David,

it depends on either you want to enable MFA as primary or secondary authentication method. Azure MFA for secondary is automatically enabled.

Best,
Dominik