Closed Drakeii closed 1 year ago
We have read it. But the behavior is not what we expected, since these features are not displayed in the GUI, and if we need a policy that is different from those that exist, then they are included. Of course, now that we found them through PowerShell, we fixed it. It is also not clear why ForceWizard=Enabled does not force the user to register an OTP application.
This is what users who have been allowed to authenticate without OTP look like:
We do not yet understand why the registration was not completed.
Wait for the next version.
Regards
Hi,
What you have to understand is that this feature was created at the time of codeplex (several years ago), for a particular request, which is also why it is not visible in the console.
When Enabled or Strict is set on a specific provider, if the user chooses "connect with another option" rather than the provider proposed by default, then after validation of the other MFA solution, at the moment of leaving the authentication phase, they will be offered to reset/set the configuration of the provider that was ingested in the first place. If Enabled, the user can choose to cancel; if Strict, they will be obliged to fill in the requested information.
Anyway, it is not possible to bypass the MFA.
This feature is independent of Policies, regardless of the options activated (Default, Strict, Managed, administrative, custom, ...).
On the other hand, there was indeed a problem in the UI when Enabled was active: the exit was not ensured, and the user was redirected to the management of their options. This will be fixed in the next version.
Regards
Hi,
Recently we have detected that the registration for new users is sometimes skipped without any indication. The user follows the on-screen login steps and they succeed, skipping MFA registration.
The MFA Provider "code" has ForceWizard = Enabled. We switched to "Strict" and it would still not enforce this MFA registration.
Checking with PowerShell, we found that the MFA global config had the flag "AllowUnregistered" enabled. We removed this flag and now the registration is always enforced. This flag is not visible in the MMC GUI for UserFeature templates.
Current result: if this flag is set, the MFA registration is skipped for the MFA Provider that is enabled with "ForceWizard = Strict". According to https://github.com/neos-sdi/adfsmfa/wiki/08A-MFA-TOTP-Provider this should be enforced.
Expected result: the "code" provider is selected by default for all users, and MFA should be enforced according to its ForceWizard value.
Notes: