Multi-Factor Authentication (MFA) Attributes

To manage multi-factor authentication user information, ensure that the following attributes are present in the account schema:

Note

When using the phone authentication method, the values for the following attributes must be provided with the country code as a prefix: mfa_phoneNumber_mobile, mfa_phoneNumber_alternateMobile, and mfa_phoneNumber_office. If the country code is not provided, provisioning operations will fail. The value for these attributes must follow this format, with a space between the country code and the phone number: <country code> <phone number>

Examples:

  • <AttributeRequest name="mfa_phoneNumber_mobile" op="Add" value="+1 2065555555"/>

  • <AttributeRequest name="mfa_phoneNumber_alternateMobile" op="Add" value="+1 2065555556"/>

  • <AttributeRequest name="mfa_phoneNumber_office" op="Add" value="+1 2065555557"/>

Note
Once you enable MFA for a user, one default authentication method is set. This is usually the first method configured, but you can modify it later from the Azure portal. If you try to remove the value of an attribute that belongs to the default authentication method, the Azure APIs will throw an error, because they do not allow removing values for attributes that belong to the default authentication method. For example, if email is the default authentication method configured for an Azure user, the connector will not be able to remove the value for the mfa_emailAddress attribute.

 

| Authentication Method | Attribute Name | Type | Description |
|---|---|---|---|
| Phone | mfa_phoneNumber_mobile | String | Mobile phone number assigned to the user. |
| Phone | mfa_phoneNumber_alternateMobile | String | Alternate mobile phone number assigned to the user. |
| Phone | mfa_phoneNumber_office | String | Office phone number assigned to the user. |
| Email | mfa_emailAddress | String | Email address assigned to the user. |
| Microsoft Authentication | mfa_microsoftAuthenticatorAuthenticationMethod | String: Multivalued | Microsoft Authentication method assigned to the user. |
| Other | mfa_methodName, where methodName is the authentication method name. For example: mfa_fido2AuthenticationMethod, mfa_temporaryAccessPassAuthenticationMethod, mfa_softwareOauthAuthenticationMethod, mfa_windowsHelloForBusinessAuthenticationMethod | String: Multivalued | Other authentication method assigned to the user. |
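A pre-provisioning check for the two failure cases described in the notes above (a phone value without the country-code prefix, and removal of an attribute that belongs to the default authentication method). This is an added example, not connector code; the `<Plan>` wrapper, the function name, the exact digit-length limits in the pattern and the use of `op="Remove"` in the sample are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Attributes the page says must carry a country-code prefix.
PHONE_ATTRS = {
    "mfa_phoneNumber_mobile",
    "mfa_phoneNumber_alternateMobile",
    "mfa_phoneNumber_office",
}
# Method-to-attribute mapping taken from the attribute table on this page.
METHOD_ATTRS = {"Phone": PHONE_ATTRS, "Email": {"mfa_emailAddress"}}

# Assumption: "+", 1-3 digit country code, exactly one space, digits only.
PHONE_RE = re.compile(r"\+[0-9]{1,3} [0-9]{4,14}")


def check_plan(xml_fragment, default_method=None):
    """Return (attribute, problem) pairs for requests that are expected to fail."""
    # Hypothetical wrapper element so a list of requests parses as one document.
    # Intended for locally authored plans; use defusedxml for untrusted XML.
    root = ET.fromstring("<Plan>" + xml_fragment + "</Plan>")
    protected = METHOD_ATTRS.get(default_method, set())
    problems = []
    for req in root.iter("AttributeRequest"):
        name, op, value = req.get("name"), req.get("op"), req.get("value", "")
        if op == "Remove":
            if name in protected:
                problems.append((name, "belongs to the default method; removal is rejected"))
            continue
        if name in PHONE_ATTRS and not PHONE_RE.fullmatch(value):
            problems.append((name, "expected '<country code> <phone number>'"))
    return problems


# Constructed sample requests (not taken from a real plan).
SAMPLE = """
<AttributeRequest name="mfa_phoneNumber_mobile" op="Add" value="+1 2065555555"/>
<AttributeRequest name="mfa_phoneNumber_office" op="Add" value="2065555557"/>
<AttributeRequest name="mfa_phoneNumber_alternateMobile" op="Add" value="+12065555556"/>
<AttributeRequest name="mfa_emailAddress" op="Remove" value="user@example.com"/>
"""

if __name__ == "__main__":
    for attr, problem in check_plan(SAMPLE, default_method="Email"):
        print(f"{attr}: {problem}")
```

Pass the user's current default method as `default_method`; methods not listed in `METHOD_ATTRS` are not checked for removal.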