Overview
Many organizations have asked if it’s possible to determine whether a user has completed Multi-Factor Authentication (MFA) based on claims in a security token, such as a SAML response or OAuth token. In this article, I’ll explain how Entra ID (formerly Azure AD) includes this information in security tokens and how you can verify it for your use case.
Understanding Authentication Claims
SAML and OAuth Authentication Claims
- SAML Tokens: Entra ID uses the claim name http://schemas.microsoft.com/claims/authnmethodsreferences to indicate the authentication method used during the sign-in process.
- OAuth Tokens: The amr (Authentication Methods References) claim specifies the authentication method in OAuth tokens.
Entra ID Configuration
The good news is that Entra ID includes the claim http://schemas.microsoft.com/claims/authnmethodsreferences by default to indicate whether MFA was completed. No additional configuration is required on the Entra ID side.
How to Check MFA Claims in Security Tokens
Case 1: Signed in with Password Only (No MFA)
If a user signs in using only their password (without MFA), the claim http://schemas.microsoft.com/claims/authnmethodsreferences will have a single value:
- Claim Value: http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Example of the claim in the token:
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
</Attribute>
Case 2: Signed in with Password and MFA
If a user signs in with both a password and MFA (e.g., an authenticator app or other verification method), the claim http://schemas.microsoft.com/claims/authnmethodsreferences will include two values:
- Claim Values:
  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
  http://schemas.microsoft.com/claims/multipleauthn
Example of the claim in the token:
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
How to Verify MFA Completion
To verify whether MFA was completed, check for the presence of the http://schemas.microsoft.com/claims/multipleauthn value under the claim name http://schemas.microsoft.com/claims/authnmethodsreferences. The claim values are only meaningful on a token whose signature and issuer your application has already validated.
- If the value is present: MFA was completed.
- If the value is not present: The user signed in with only their password.
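The following is an added example (not code from the article) that applies the check above to both token types: it collects every authnmethodsreferences value from a SAML assertion and looks for multipleauthn, and decodes a JWT payload and looks for the MFA indicator in amr. It assumes Entra ID's amr array carries the value "mfa" after MFA, which this article does not spell out; the sample assertion and JWTs are constructed here and unsigned, and a real relying party validates signatures before trusting any claim.

```python
import base64
import json
import xml.etree.ElementTree as ET

AUTHN_METHODS_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
PASSWORD_VALUE = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
OAUTH_MFA_AMR = "mfa"  # assumption: Entra ID's amr array carries "mfa" after MFA


def _local(tag: str) -> str:
    """Drop the XML namespace so prefixed and unprefixed SAML elements both match."""
    return tag.rsplit("}", 1)[-1]


def saml_authn_methods(assertion_xml: str) -> list:
    """Return all values of the authnmethodsreferences attribute in a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    return [(v.text or "").strip()
            for a in root.iter()
            if _local(a.tag) == "Attribute" and a.get("Name") == AUTHN_METHODS_CLAIM
            for v in a if _local(v.tag) == "AttributeValue"]


def saml_mfa_completed(assertion_xml: str) -> bool:
    """True only when the multipleauthn value is present (Case 2 above)."""
    return MFA_VALUE in saml_authn_methods(assertion_xml)


def jwt_amr(token: str) -> list:
    """Decode a JWT payload and return its amr array (signature is NOT verified here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return list(json.loads(base64.urlsafe_b64decode(payload)).get("amr", []))


def oauth_mfa_completed(token: str) -> bool:
    return OAUTH_MFA_AMR in jwt_amr(token)


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed samples mirroring Case 1 and Case 2; the JWTs are unsigned stand-ins.
SAML_PASSWORD_ONLY = (
    '<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    f'<Attribute Name="{AUTHN_METHODS_CLAIM}"><AttributeValue>{PASSWORD_VALUE}'
    '</AttributeValue></Attribute></AttributeStatement>')
SAML_WITH_MFA = SAML_PASSWORD_ONLY.replace(
    "</Attribute>", f"<AttributeValue>{MFA_VALUE}</AttributeValue></Attribute>")
_HEADER = _b64url({"alg": "none", "typ": "JWT"})
JWT_PASSWORD_ONLY = f"{_HEADER}.{_b64url({'amr': ['pwd']})}."
JWT_WITH_MFA = f"{_HEADER}.{_b64url({'amr': ['pwd', 'mfa']})}."
```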
Why This Matters
By checking the claims in security tokens, you can programmatically confirm whether MFA was enforced during authentication. This is particularly useful for organizations that need to ensure compliance with security policies or integrate with third-party vendors that require MFA verification.
Conclusion
Entra ID makes it straightforward to verify MFA claims in security tokens by including the necessary information by default. Whether you’re working with SAML or OAuth tokens, the claim http://schemas.microsoft.com/claims/authnmethodsreferences provides the details you need to determine if MFA was completed during a user’s sign-in process.
If you’re implementing this in your organization or need to share this with a partner or vendor, simply refer them to the appropriate claim values outlined above.