Configuring Azure MFA in ADFS: Service Principal was not found

Posted by

Hi All,

Today I’m back with ADFS, the other day I needed to configure ADFS with Azure MFA for a client. In this case, first I configured the ADFS farm (in my case with WS2016), and then I was ready to configure Azure MFA in the Authentication methods for the Intranet and Extranet.

Why? Because it was a requirement for the project that all internal users use MFA in order to authenticate to O365. Thus we can integrate this with ADFS in a very simple (but tricky) steps. As you know, if you have E1 or E3 licenses, you can use Azure MFA by default, is it not necessary to purchase extra licenses in order to use this service. **First point to take into account

For the record, you will need to use the Connect-MSolService cmdlet, so be sure that you have installed the PowerShell modules in your server

Install-module MSOnline
Install-module AzureAD

Once you have installed this, you need to execute the following commands:

$tenantID = “yourtenant.onmicrosoft.com”
$certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID $tenantID

Connect-MsolService
New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
Set-AdfsAzureMfaTenant -TenantId $tenantID -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720

You can check the info in the following article: https://docs.microsoft.com/es-es/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

But in my case, every time I was executing the command New-MSOLServicePrincipalCredential, I was receiving an error saying: “Principal Service was not found” I double checked if I was Global ADmin in the O365 and Azure subscription and I was!! So… what the hell means that error??

It means that you don’t have registered the SPN for Azure MFA, and to solve this it is very simple, you can purchase a trial of Azure MFA (P1, P2, EMS, o whatever plan where Azure MFA is included) and assign a license to one user, for example in my case, I assigned the license to the test users. It seems that you will not see “Azure Multi-Factor Auth Client” in the list of MSOL Service Principals until you have at least one account with an MFA license on your tenant.

After doing this, I needed to wait a couple of minutes and then I executed again the PS commands that I showed before… and bang!! I was able to register the Azure MFA as authentication method in ADFS Server.

I think that the short history is that using the new ADFS adapter requires MFA licenses. It doesn’t work with an MFA Provider, but MFA licenses can be purchased standalone or the ones included in Azure AD Premium and EMS

That’s all for today!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s