Guidance for newbie

[EBG-DEV]

Hello,

We would like to setup TOTP in our AD environment.
Yes,_ no worries, If you have installed/use an ADFS platform, you are in an AD environment

We have basic ADFS setup for our on-prem D365 - no issues there.
Ok, the plugin works for ADFS 212r2, 2016, 2019 and 2022

However we want to use Google Authenticator in Windows login - is this even possible?
I'm looking for any guidance in steps, setup adfsmfa -> this GPO/script/etc -> Test.

`Yes, the pluggin natively manages rfc6238, for TOTP. this rfc works with authenticator apps
- Microsoft Authenticator
- Google Authenticator
- Authy Authenticator
- Aegis authenticator (recommended)
- and many others

I undestand the general logic, however I'm missing a step how to tell Windows 10/11 at login to use adfsmfa plugin.
We have everything on-prem so no cloud.
just register the pluggin in ADFS:

• https://github.com/neos-sdi/adfsmfa/wiki/01-Installation
• https://github.com/neos-sdi/adfsmfa/wiki/01-Installation#activating-product
  By default, the configuration works by storing user properties (TOTP or biometric keys, emails, pin codes) in ADDS attributes.
• https://github.com/neos-sdi/adfsmfa/wiki/06-Data-Storage#managing-data-storage

How far I got.

1. adfsmfa - working as plugin
2. test user registered and its Key linked with Google Auth app.
3. But somehow I can't redirect Windows login.

I have read the guide word for word - 3x times.
Once the plugin is correctly deployed (following the wiki in its entirety)
You must in ADFS Access Policies enable the use of MFA (for everyone or groups of users).
With the product's default properties, this should be effective

Also in forums I read that it is possible for users to "set their own" stuff - meaning that there should be some kind of webservice ?
The plugin is local and must be installed on each ADFS server.
Yes, among the different possibilities, including the one that is active by default, to let users register by themselves

Please any help would be appreciated.

[redhook62]

Hi, @EBG-DEV

I directly put some remarks in your post.

To use adfsmfa:

• install adfsmfa on each ADFS server in your farm (not on ADFS proxies)

• on a Primary ADFS server register the plugin with ADFS (Wiki 01)

• Activate the MFA at the ADFS console level in the "Access Control Policies"

• follow all Wiki articles
  01 - Installation
  04 - System Management
  05 - General Settings
  06 - Data Storage (ADDS/SQL)
  07 - Security (You can use the defaults for testing)
  08 - MFA Providers (activate and configure the desired providers)
  08A - TOTP Provider
  08B - Biometric Provider
  08C - Email Provider

This is a starting point to follow. then, if you test, you will see that the pluggin is configurable as desired.

regards

[EBG-DEV]

Thank you I will redo steps as suggested - I think I have missed something at "Access Control Policies" level.

Will double check this step.