MFA for specific routes/functions, but not entire app

[pramos84]

Hello, guys. I was wondering how could I have a web application with specific privileged functions (or routes, in a web app context), that ask for MFA, but not the entire app. Explaining deeply, my web app is using OpenID Connect for single sign-on, and my users does not need an strong authentication (a simple password is enough). However, to access the path "/admin", for example, I would like that my app ask for MFA, requiring a stronger authentication method. The way I'd imagined to do this is using two app registrations: the first having common behavior and a second asking for MFA based in a Conditional Access rule. While the ordinay routes uses first app registration, the privileged routes requires logon on second app. But for me it sounds like an ugly solution. Has anyone here had a similar problem and could share the way that handle with this? Thanks for any tip or trick.

[rayluo]

Each route/function can have its own scope. So, perhaps you can have your admin function requiring a different scope which requires MFA?

[pramos84]

Hi rayluo, thanks for your reply. I couldn't figure out how to implement this scenario using scopes. Can I have an application with two scopes, the first requiring MFA and the second not? The only way I know to require MFA using Entra ID is through Conditional Access, and it's a single set of settings for the entire application (whether it requires MFA or not). In any case, after authentication without MFA, the only way to require MFA for a subsequent request is by re-authenticating. Could you give me more details on how to implement your suggestion?

[rayluo]

Good question. I understand your scenario, but sorry I don't have first-hand experience with how/whether this can be set up. I would suggest you ask around, for example, in this kind of Q&A website or Stackoverflow.

Once you figure out how this could be configured, please reply back in this thread and tag me. I am more than happy to take a look and see whether it can be incorporated into this sample.