Google Federation with Entra ID – doesn’t support MultipleAuthN SAML claim
Entra ID has a new Microsoft-managed conditional access policy that will be enabled from October 2024. However, Google doesn’t support the MultipleAuthN claim that ADFS (and other IdPs) do.
Is there a work-around for this, or do we just need to ensure that the new Microsoft-managed conditional access policy is disabled for all users? Otherwise, we somehow need to enable double MFA (MFA at both Google and Microsoft).
I imagine this might be an issue for any other federated IdPs that don’t support this specific SAML claim.
There is a new alternative to the `SupportsMFA` setting in the `Set-MsolDomainFederationSettings` PowerShell command, but it doesn’t allow you to ‘always assume MFA is utilised in the federation’ – https://learn.microsoft.com/en-us/graph/api/internaldomainfederation-update?view=graph-rest-1.0&tabs=http#federatedidpmfabehavior-values
Thanks in advance,
Nigel
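A check an administrator could run on a SAML assertion captured from their own federated sign-in, to see whether it carries the MFA claim discussed above. This is an added example, not part of the original post: the claim type and value are the ones Microsoft documents for MFA performed by a federated IdP, and both sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Claim type and value Microsoft documents for MFA performed by a federated IdP.
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"


def mfa_evidence(assertion_xml):
    """Report the MFA-related evidence in one decoded SAML 2.0 assertion.

    Inspection only: the signature is not verified, so use it on assertions
    captured from your own sign-in trace, never to make a trust decision.
    """
    if "<!doctype" in assertion_xml.lower():
        # Assertions never need a DTD; refusing one avoids entity expansion.
        raise ValueError("DOCTYPE not allowed in a SAML assertion")
    root = ET.fromstring(assertion_xml)
    amr = [
        (value.text or "").strip()
        for attr in root.iter(f"{{{SAML}}}Attribute")
        if attr.get("Name") == AMR_CLAIM
        for value in attr.findall(f"{{{SAML}}}AttributeValue")
    ]
    context = [(c.text or "").strip()
               for c in root.iter(f"{{{SAML}}}AuthnContextClassRef")]
    return {"amr_values": amr, "authn_context": context,
            "has_multipleauthn": MULTIPLE_AUTHN in amr}


# Constructed sample: an assertion from an IdP that emits no MFA claim.
WITHOUT_CLAIM = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample: the same assertion with the MFA claim added.
WITH_CLAIM = WITHOUT_CLAIM.replace("</saml:Assertion>", f"""  <saml:AttributeStatement>
    <saml:Attribute Name="{AMR_CLAIM}">
      <saml:AttributeValue>{MULTIPLE_AUTHN}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""")

if __name__ == "__main__":
    for label, xml in (("without claim", WITHOUT_CLAIM), ("with claim", WITH_CLAIM)):
        print(label, mfa_evidence(xml))
```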