Multi-Factor Authentication (MFA) Provisioning Policy Attributes
To provision MFA attributes for users, add to the provisioning policy the same MFA attributes that are present in the account schema (for more information, refer to Multi-Factor Authentication (MFA) Attributes), with the Review Required flag checked.
Note
When using the phone authentication method, the values of the mfa_phoneNumber_mobile, mfa_phoneNumber_alternateMobile, and mfa_phoneNumber_office attributes must be prefixed with the country code. If the country code is missing, the provisioning operation fails. Use the format <country code> <phone number>, with exactly one space between the country code and the phone number.
Examples:
- <AttributeRequest name="mfa_phoneNumber_mobile" op="Add" value="+1 2065555555"/>
- <AttributeRequest name="mfa_phoneNumber_alternateMobile" op="Add" value="+1 2065555556"/>
- <AttributeRequest name="mfa_phoneNumber_office" op="Add" value="+1 2065555557"/>
Note
Once MFA is enabled for a user, one authentication method is set as the default. This is usually the first method configured, but it can be changed later in the Azure portal. If you try to remove values for an attribute that belongs to the default authentication method, the Azure APIs return an error, because they do not allow the default method to be removed. For example, if email is the default authentication method for an Azure user, the connector cannot remove the value of the mfa_emailAddress attribute.
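The two notes above describe failures that only surface when the request reaches Azure: a phone value without a country code, and a Remove against the default method. As an added example (not part of the original page or the connector), the following Python lint checks a ProvisioningPlan offline before it is submitted. The phone regular expression is derived from the page's "+1 2065555555" examples; the digit-count bounds are an assumption. Because the default method is only known to Azure, Remove operations on mfa_ attributes are reported as warnings rather than errors.

```python
import re
import xml.etree.ElementTree as ET

# Phone-method attributes listed on this page.
PHONE_ATTRS = {
    "mfa_phoneNumber_mobile",
    "mfa_phoneNumber_alternateMobile",
    "mfa_phoneNumber_office",
}

# Format taken from the page's examples ("+1 2065555555"): a '+' and a 1-3 digit
# country code, exactly one space, then the subscriber number as digits only.
# The digit bounds (4-14) are an assumption, not something the page states.
PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}$")


def check_plan(plan_xml: str) -> list[tuple[str, str]]:
    """Lint a ProvisioningPlan for the MFA pitfalls described on this page.

    Returns (severity, message) tuples in document order:
      'error'   - a phone value that will make the Azure provisioning call fail
      'warning' - a Remove on an mfa_ attribute, which Azure rejects when the
                  attribute belongs to the user's default authentication method
                  (not knowable offline, so it is flagged for review).
    An empty list means the plan passed.
    """
    findings: list[tuple[str, str]] = []
    root = ET.fromstring(plan_xml)
    for acct in root.iter("AccountRequest"):
        ident = acct.get("nativeIdentity") or "<new account>"
        for req in acct.findall("AttributeRequest"):
            name = req.get("name", "")
            op = req.get("op", "")
            value = req.get("value")
            if name in PHONE_ATTRS and op in ("Add", "Set"):
                if value is None or not PHONE_RE.match(value):
                    findings.append(("error",
                                     f"{ident}: {name} op={op} value={value!r} "
                                     "is not '<country code> <phone number>'"))
            elif name.startswith("mfa_") and op == "Remove":
                findings.append(("warning",
                                 f"{ident}: {name} op=Remove fails if this is "
                                 "the user's default authentication method"))
    return findings


# Constructed sample plan (not from the page): one valid number, one with the
# space missing, one with no country code, and a Remove of the email method.
SAMPLE_PLAN = """<ProvisioningPlan>
  <AccountRequest op="Modify" nativeIdentity="8cb133a4-0cea-XXXX-8c02-XXXXXXXX">
    <AttributeRequest name="mfa_phoneNumber_mobile" op="Set" value="+1 2065555555"/>
    <AttributeRequest name="mfa_phoneNumber_alternateMobile" op="Add" value="+12065555556"/>
    <AttributeRequest name="mfa_phoneNumber_office" op="Set" value="2065555557"/>
    <AttributeRequest name="mfa_emailAddress" op="Remove" value="Abcde@gmail.com"/>
  </AccountRequest>
</ProvisioningPlan>"""

if __name__ == "__main__":
    for severity, message in check_plan(SAMPLE_PLAN):
        print(f"[{severity}] {message}")
```

Run it against a plan exported from IdentityIQ before submitting it; any 'error' line is a request Azure will reject outright, and each 'warning' should be checked against the user's default method in the Azure portal.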
| Authentication Method | Attribute Name | Type | Description |
|---|---|---|---|
| Phone | mfa_phoneNumber_mobile | String | Mobile phone number assigned to the user. |
| Phone | mfa_phoneNumber_alternateMobile | String | Alternate mobile phone number assigned to the user. |
| Phone | mfa_phoneNumber_office | String | Office phone number assigned to the user. |
| Email | mfa_emailAddress | String | Email address assigned to the user. |
| Microsoft Authenticator | mfa_microsoftAuthenticatorAuthenticationMethod | String: Multivalued | Microsoft Authenticator method assigned to the user. For the |
| Other | mfa_methodName, where methodName is the authentication method name. For example: | String: Multivalued | Other authentication method assigned to the user. |
Sample Provisioning Request
<ProvisioningPlan>
  <AccountRequest op="Create">
    <AttributeRequest name="displayName" op="Add" value="Abcde"/>
    <AttributeRequest name="mailNickname" op="Add" value="Abcde"/>
    <AttributeRequest name="password" op="Add" value="Abcde"/>
    <AttributeRequest name="userPrincipalName" op="Add" value="Abcde@gmail.com"/>
    <AttributeRequest name="mfa_phoneNumber_mobile" op="Add" value="+1 2065555555"/>
    <AttributeRequest name="mfa_phoneNumber_alternateMobile" op="Add" value="+1 2065555556"/>
    <AttributeRequest name="mfa_phoneNumber_office" op="Add" value="+1 2065555557"/>
    <AttributeRequest name="mfa_emailAddress" op="Add" value="Abcde@gmail.com"/>
  </AccountRequest>
</ProvisioningPlan>
Sample Update Account Requests
Example 1
<ProvisioningPlan>
  <AccountRequest nativeIdentity="8cb133a4-0cea-XXXX-8c02-XXXXXXXX" op="Modify">
    <AttributeRequest name="mfa_phoneNumber_alternateMobile" op="Add" value="+1 2065555562"/>
    <AttributeRequest name="mfa_phoneNumber_office" op="Set" value="+1 2065555563"/>
    <AttributeRequest name="mfa_emailAddress" op="Remove" value="Abcde@gmail.com"/>
  </AccountRequest>
</ProvisioningPlan>
Example 2
<ProvisioningPlan>
  <AccountRequest op="Modify" nativeIdentity="8cb133a4-0cea-XXXX-8c02-XXXXXXXX">
    <AttributeRequest name="mfa_microsoftAuthenticatorAuthenticationMethod" op="Remove">
      <Value>
        <List>
          <String>{"@odata.type":"#microsoft.graph.microsoftAuthenticatorAuthenticationMethod","id":"8cb133a4-0cea-XXXX-8c02-XXXXXXXX","displayName":"iPhone","deviceTag":"SoftwareTokenActivated","phoneAppVersion":"6.7.X"}</String>
        </List>
      </Value>
    </AttributeRequest>
  </AccountRequest>
</ProvisioningPlan>