000029586 - How to selectively challenge users and applications with RSA AD FS agent

Through the AD FS Management tool, one can set a global authentication policy that applies to all relying party apps, or a per a relying party trust policy that applies to a specific relying party app. The first screenshot below shows an example of a global policy configured to require all extranet users to use multi-factor authentication (MFA) when accessing any web app protected by AD FS.

 
 

Note the extranet and intranet checkboxes. Extranet means that the authentication request is coming through a Web Application Proxy (see https://technet.microsoft.com/en-us/library/hh831502.aspx).

MFA policy can also be applied to specific users and groups as well as to registered and unregistered devices. (Device registration is Microsoft’s lightweight domain registration support where a device like an iPhone can be registered and used as an authentication factor.) When requiring a user or group to use MFA, it is Active Directory users and groups that are used. (AD FS can be thought of as an IDP for Active Directory.)
 

The second screenshot shows an example of an MFA policy defined for a specific relying party app, Outlook Web App (OWA). The policy requires that external users of OWA perform a SecurID authentication. Internal users of OWA are not required to perform a SecurID authentication. OWA is an example of an Office 365 web app.