05 General Settings
This page covers the basic properties of the MFA configuration. As a general rule, the default values give optimal operation. The administrative contact email, the choice between ADDS Mode and SQL Mode, and the security policy are the options that have no sensible default and must be defined by you.
To view or change your configuration, use the PowerShell cmdlets or the MMC.
- Log on to the primary ADFS server as administrator
- Launch a new PowerShell session as administrator
- Type `get-help Get-MFAConfig -Detailed` to get information.
- Type `get-help Set-MFAConfig -Detailed` to get information.
- Enter your command:

```powershell
# Display the current configuration
Get-MFAConfig

# Read the configuration, change properties on the object, then write it back
$c = Get-MFAConfig
# ... modify properties of $c ...
Set-MFAConfig -Config $c
```
List of all properties you can read with Get-MFAConfig and update with Set-MFAConfig:
Properties | Values | Comments |
---|---|---|
Issuer | specific | String representing your company (eg: contoso); you must change it. This property is used in emails and SMS, for example. |
AdminContact | valid email | Default administrative email (admin@contoso.com or noreply@contoso.com) |
UserFeatures | OR-ed flags | Configures how users can register or enable their MFA account, and whether users can manage their options alone. Values must be combined with a binary OR. It is simpler to use Set-MFAPolicyTemplate and one of the predefined models. Policy models are described later. |
AdvertisingDays | 1-31 | When users are prompted to register their account for MFA. Specifies the range of days during which a callback is imposed. You can modify the FirstDay and LastDay properties. |
UseOfUserLanguages (*) | True | False: use the language of the operating system (default .Net localization). True: use the language of the browser request at session startup (useful with new browser versions that override the default localization: Chrome, Edge Chromium, Firefox). |
CustomUpdatePassword | True | Use our custom "Change password form" after identification when managing user properties. If False, the standard ADFS form is used, provided your ADFS administrators have enabled the required endpoint: /adfs/portal/updatepassword/ |
KeepMySelectedOptionOn | True | Allow users to select their default provider (TOTP, mail, SMS, biometrics, etc.) |
ChangeNotificationsOn | True | Send email notifications after each profile modification if an email is set |
DefaultCountryCode | specific | Country code, useful when sending SMS |
DefaultProviderMethod | Choose | Default provider for each newly activated user (Choose, Code, Biometric, Email, External, Azure) |
UiKind (*) | Default | ADFS UI configuration. Default: standard UI; Default2019: centered UI (ADFS 2019 only, or a custom theme). It is better to use the Set-MFAThemeMode cmdlet to change these values. |
UseUIPaginated (*) | False | Use of the paginated UI introduced with ADFS 2019. It is better to use the Set-MFAThemeMode cmdlet to change these values. |
ForcedLanguage (*) | empty | Used to force UI localization to a single language (eg: de, en, pt, ...) |
(*) only available with PowerShell
```powershell
$c = Get-MFAConfig
# Users are prompted to register between the 5th and the 10th day of the month
$c.AdvertisingDays.FirstDay = 5
$c.AdvertisingDays.LastDay = 10
# UserFeatures flags are combined with a binary OR (-bor)
$c.UserFeatures = ([MFA.PSUserFeaturesOptions]::AdministrativeMode -bor [MFA.PSUserFeaturesOptions]::AllowEnrollment)
$c.ReplayLevel = 2
Set-MFAConfig -Config $c
```
To use the MMC instead:
- Log on to the primary ADFS server as administrator
- Launch the MMC snap-in
Description of the different policies for User Activation.
Policy | Values | Comments |
---|---|---|
Free | BypassDisabled, BypassUnRegistered, AllowManageOptions, AllowChangePassword, AllowEnrollment | When MFA is disabled: access is allowed if the user is disabled; access is allowed if the user is not registered; only administrators can activate the user account. When MFA is enabled: the user can manage password and options; can use the enrollment wizards; can change the default provider; can disable MFA. |
Open | BypassDisabled, AllowUnRegistered, AllowManageOptions, AllowChangePassword, AllowEnrollment | When MFA is disabled: access is allowed if the user is disabled; access is allowed if the user is not registered, and the user is asked to register the account (*). When MFA is enabled: the user can manage password and options; can use the enrollment wizards; can change the default provider; can disable MFA. |
Default | AllowDisabled, AllowUnRegistered, AllowManageOptions, AllowChangePassword, AllowEnrollment | When MFA is disabled: access is allowed if the user is disabled, and the user is asked to activate the account (*); access is allowed if the user is not registered, and the user is asked to register the account (*). When MFA is enabled: the user can manage password and options; can use the enrollment wizards; can change the default provider; can disable MFA. |
Mixed | AllowManageOptions, AllowChangePassword, AllowEnrollment | When MFA is disabled: access is denied if the user is disabled; access is denied if the user is not registered; the user must register and activate the account. When MFA is enabled: the user can manage password and options; can use the enrollment wizards; can change the default provider. |
Managed | BypassDisabled, AllowUnRegistered, AllowProvideInformations, AllowChangePassword | When MFA is disabled: access is allowed if the user is disabled; access is allowed if the user is not registered; the user is asked to send a registration request to the administrators; only administrators can activate the user account. When MFA is enabled: the user can manage the password; can change the default provider. |
Strict | AdministrativeMode, AllowProvideInformations | When MFA is disabled: access is denied if the user is disabled; access is denied if the user is not registered; the user must send a registration request to the administrators; only administrators can activate the user account. When MFA is enabled: the user can change the default provider. |
Administrative | AdministrativeMode | When MFA is disabled: access is denied if the user is disabled; access is denied if the user is not registered; only administrators can activate the user account. When MFA is enabled: nothing. |

(*) According to the values of the AdvertisingDays property
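The following audit script is an added example, not code from the adfsmfa project: it reads the configuration with Get-MFAConfig, decodes the UserFeatures flags against the policy templates above, and reports the combinations under which a disabled or unregistered user is let in without completing MFA. It assumes the adfsmfa PowerShell module is loaded on a primary ADFS server so that Get-MFAConfig and the [MFA.PSUserFeaturesOptions] enum (member names as in the tables) are available; the check on the Issuer sample value is an assumption about what a forgotten default looks like.

```powershell
# Added audit script, not part of the adfsmfa project. Assumes the adfsmfa
# PowerShell module is loaded on a primary ADFS server, so that Get-MFAConfig
# and the [MFA.PSUserFeaturesOptions] enum (flag names as in the tables) exist.

# Policy templates exactly as listed in the User Activation table
$Templates = [ordered]@{
    Free           = 'BypassDisabled','BypassUnRegistered','AllowManageOptions','AllowChangePassword','AllowEnrollment'
    Open           = 'BypassDisabled','AllowUnRegistered','AllowManageOptions','AllowChangePassword','AllowEnrollment'
    Default        = 'AllowDisabled','AllowUnRegistered','AllowManageOptions','AllowChangePassword','AllowEnrollment'
    Mixed          = 'AllowManageOptions','AllowChangePassword','AllowEnrollment'
    Managed        = 'BypassDisabled','AllowUnRegistered','AllowProvideInformations','AllowChangePassword'
    Strict         = 'AdministrativeMode','AllowProvideInformations'
    Administrative = 'AdministrativeMode'
}

function Get-FlagValue([string[]]$Names) {
    # Combine named flags with a binary OR, as the UserFeatures property expects
    $v = 0
    foreach ($n in $Names) { $v = $v -bor [int][MFA.PSUserFeaturesOptions]::$n }
    return $v
}

function Test-MFAUserFeatures {
    param([Parameter(Mandatory)]$Config)
    $current  = [int]$Config.UserFeatures
    $hits     = @($Templates.Keys | Where-Object { (Get-FlagValue $Templates[$_]) -eq $current })
    $policy   = if ($hits.Count) { $hits -join ',' } else { 'custom (matches no predefined template)' }
    $findings = @()

    # Bypass*: access is granted with no prompt while the user is disabled/unregistered.
    # Allow*: access is granted too, but the user is asked to activate/register.
    foreach ($f in 'BypassDisabled','BypassUnRegistered','AllowDisabled','AllowUnRegistered') {
        if ($current -band [int][MFA.PSUserFeaturesOptions]::$f) {
            $findings += "$f is set: users in that state can sign in without completing MFA"
        }
    }
    # Issuer appears in emails and SMS; the table says the sample value must be changed
    if ($Config.Issuer -eq 'contoso') { $findings += 'Issuer still holds the sample value contoso' }
    # AdvertisingDays is a day-of-month range; an inverted range is almost certainly a mistake
    if ($Config.AdvertisingDays.FirstDay -gt $Config.AdvertisingDays.LastDay) {
        $findings += 'AdvertisingDays.FirstDay is after LastDay'
    }
    [pscustomobject]@{ UserFeatures = $current; Policy = $policy; Findings = $findings }
}

# Usage on the primary ADFS server
Test-MFAUserFeatures -Config (Get-MFAConfig) | Format-List
```

Run it from an elevated PowerShell session on the primary ADFS server; an empty Findings list with a named Policy means the configuration matches one of the templates above and grants no access to users who have not completed MFA.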
ADFS 2019 introduced the management of several types of user interfaces, also known as the Modern Logon UI: a centered interface and a centered, paginated interface.
adfsmfa supports these new visual types.
Paginated mode is required in ADFS 2019 to position MFA providers as the first authentication factor (passwordless).
To switch from the classic interface (2012r2/2016/2019) to the new interface (2019), follow these steps.
- Log on to the primary ADFS server as administrator
- Launch a new PowerShell session as administrator
- Type `get-help Set-MFAThemeMode -Detailed` to get information.
- Enter your command:

```powershell
# Set UI to Default (2012r2/2016/2019)
Set-MFAThemeMode -UIKind Default -Theme MyTheme

# Set UI to Default2019 centered UI (2019)
Set-MFAThemeMode -UIKind Default2019 -Theme MyTheme2019

# Set UI to paginated 2019 UI (2019)
Set-MFAThemeMode -UIKind Default2019 -Theme MyTheme2019 -Paginated
```

Changing UI themes is only available with PowerShell.