Commit 93c6c4c

updating
1 parent 89408f1 commit 93c6c4c

1 file changed

+1
-2
lines changed

articles/active-directory/hybrid/how-to-connect-azure-ad-trust.md

Lines changed: 1 addition & 2 deletions
@@ -115,8 +115,7 @@ You can restore the issuance transform rules using the suggested steps below
115115
## Best practice for securing and monitoring the AD FS trust with Azure AD
116116
When you federate your AD FS with Azure AD, it is critical that the federation configuration (trust relationship configured between AD FS and Azure AD) is monitored closely, and any unusual or suspicious activity is captured. To do so, we recommend setting up alerts and getting notified whenever any changes are made to the federation configuration. To learn how to setup alerts, see [Monitor changes to federation configuration](how-to-connect-monitor-federation-changes.md).
117117

118-
For information on enabling protection against any attack vector trying to by-pass cloud Azure MFA see the new security setting `federatedIdpMfaBehavior`. This new federation configuration when used with a federated domain, Azure AD will always trigger Azure MFA when a federated user accesses an application with a Conditional Access policy that requires MFA. For additional information see [Best practices for securing Active Directory Federation Services](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-mfa-when-federated-with-azure-ad)
119-
118+
If you are using cloud Azure MFA, for multi factor authentication, with federated users, we highly recommend enabling additional security protection. This security protection prevents bypassing of cloud Azure MFA when federated with Azure AD. When enabled, for a federated domain in your Azure AD tenant, it ensures that a bad actor cannot bypass Azure MFA by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, `federatedIdpMfaBehavior`.For additional information see [Best practices for securing Active Directory Federation Services](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-mfa-when-federated-with-azure-ad)
120119

121120
## Next steps
122121
* [Manage and customize Active Directory Federation Services using Azure AD Connect](how-to-connect-fed-management.md)
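
Review bot: The added paragraph at new line 118 drops the one concrete statement of behaviour that the removed text carried, namely that with this setting Azure AD will always trigger Azure MFA when a federated user accesses an application with a Conditional Access policy that requires MFA. As written, a reader learns what threat `federatedIdpMfaBehavior` addresses but not what enabling it changes at sign-in; suggest keeping that sentence next to the new threat description. In the same line, add the missing space in "`federatedIdpMfaBehavior`.For additional information", end the paragraph with a period after the link, and tidy "If you are using cloud Azure MFA, for multi factor authentication, with federated users" by removing the stray commas and hyphenating "multi-factor" in both places it appears.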
