Cannot Disable Email MFA for One Application Using a Rule

Problem Statement:

Email MFA is enabled in my tenant. We have multiple applications and don't want MFA for one of them. We achieve that via a custom rule. However, after enabling Adaptive MFA, it triggers the email challenge for all applications if the confidence is low. Why is this happening, and how do I solve it?

Solution:

With Adaptive MFA enabled, the Email challenge is evaluated before your rules run, so the rule never gets the chance to exempt the application. For this use case, disable Adaptive MFA and let the rule decide which applications require MFA: the rule sets context.multifactor only for clients that are not on the exclusion list.

  1. Disable Adaptive MFA (in the Dashboard, set the tenant's "Require Multi-factor Auth" policy to Never, so that the rule alone decides when to challenge).
  2. Configure a rule like the following. Replace the placeholder 'xxx' with the client_id of the application that must not receive MFA; every other application is challenged.

  function adaptiveMfa(user, context, callback) {
    // Client IDs of the applications that must NOT be challenged.
    // 'xxx' is a placeholder; use the client_id shown in Applications > Settings.
    const mfaExcludedClientIds = ['xxx'];

    // context.clientID is the client_id of the application performing the login.
    const isMfaExcluded = mfaExcludedClientIds.includes(context.clientID);

    if (!isMfaExcluded) {
      // Trigger MFA with any factor that is enabled in the Dashboard.
      context.multifactor = {
        provider: 'any'
      };
    }

    // Always call back; returning without it stalls the login.
    callback(null, user, context);
  }

Please note that setting the provider explicitly in a rule overrides the enabled/disabled toggles in the Dashboard. See the Auth0 documentation on the provider setting in context.multifactor for details.
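The rule above only shows the happy path. As an added example (not code from the original article or from Auth0), the same per-application decision is factored into a pure function so it can be exercised offline against constructed login contexts before being pasted into a tenant. The client_id values are placeholders, and the example adds two choices a practitioner would usually want: a login with no recognisable clientID fails closed (is challenged), and allowRememberBrowser is set to false so the exemption is the only way to skip the challenge.

```javascript
// Added example: per-application MFA rule logic, testable outside Auth0.
// Client IDs below are hypothetical placeholders, not real tenants.

const MFA_EXCLUDED_CLIENT_IDS = ['app_public_kiosk_000']; // hypothetical client_id

// Returns true when the login described by `context` must complete an MFA challenge.
// Fails closed: a context without a usable clientID is always challenged.
function requiresMfa(context, excludedClientIds = MFA_EXCLUDED_CLIENT_IDS) {
  const clientId = context && context.clientID;
  if (typeof clientId !== 'string' || clientId.length === 0) {
    return true;
  }
  return !excludedClientIds.includes(clientId);
}

// The rule in the shape Auth0 invokes it: (user, context, callback).
function perApplicationMfa(user, context, callback) {
  if (requiresMfa(context)) {
    context.multifactor = {
      provider: 'any',             // any factor enabled in the Dashboard
      allowRememberBrowser: false  // re-challenge on every login, no 30-day skip
    };
  }
  return callback(null, user, context);
}

// Drive the rule with a constructed context and report whether MFA was requested.
// `clientID` undefined simulates a context that carries no client information.
function simulate(clientID) {
  const user = { user_id: 'auth0|example' }; // constructed sample user
  const context = clientID === undefined ? {} : { clientID };
  let result;
  perApplicationMfa(user, context, (err, u, ctx) => {
    result = { err, challenged: Boolean(ctx.multifactor) };
  });
  return result;
}

// Stand-alone run: the excluded app skips MFA, everything else is challenged.
console.log('excluded app  ->', simulate('app_public_kiosk_000'));
console.log('other app     ->', simulate('app_internal_admin_111'));
console.log('no clientID   ->', simulate(undefined));
```

Keep the exclusion list short and review it whenever an application is added or retired; a client_id that stays on the list after its application is repurposed silently disables MFA for it.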
