
MFA for specific routes/functions, but not entire app #159

Unanswered
pramos84 asked this question in Q&A

Hello, guys. I was wondering how I could have a web application with specific privileged functions (or routes, in a web app context) that ask for MFA, but not the entire app. Explaining more deeply: my web app is using OpenID Connect for single sign-on, and my users do not need strong authentication (a simple password is enough). However, to access the path "/admin", for example, I would like my app to ask for MFA, requiring a stronger authentication method. The way I'd imagined doing this is using two app registrations: the first having common behavior and a second asking for MFA based on a Conditional Access rule. While the ordinary routes use the first app registration, the privileged routes require logon to the second app. But to me it sounds like an ugly solution. Has anyone here had a similar problem and could share the way they handle this? Thanks for any tip or trick.


Replies: 1 comment 2 replies


Each route/function can have its own scope. So, perhaps you can have your admin function requiring a different scope which requires MFA?


Hi rayluo, thanks for your reply. I couldn't figure out how to implement this scenario using scopes. Can I have an application with two scopes, the first requiring MFA and the second not? The only way I know to require MFA using Entra ID is through Conditional Access, and it's a single set of settings for the entire application (whether it requires MFA or not). In any case, after authentication without MFA, the only way to require MFA for a subsequent request is by re-authenticating. Could you give me more details on how to implement your suggestion?


Good question. I understand your scenario, but sorry, I don't have first-hand experience with how/whether this can be set up. I would suggest you ask around, for example, on this kind of Q&A website or Stack Overflow.

Once you figure out how this could be configured, please reply back in this thread and tag me. I am more than happy to take a look and see whether it can be incorporated into this sample.
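The two ideas in this thread (a per-route requirement, satisfied by a stronger authentication rather than a second app registration) can be expressed with standard OpenID Connect mechanics that are independent of any one provider. The following is an added example, not code from this sample or from the discussion participants: the app signs everyone in normally, and only when a request hits a privileged route does it inspect the already-validated ID token claims for evidence of a second factor (the "amr" values come from RFC 8176, "acr", "auth_time" and the "claims"/"max_age" request parameters from OpenID Connect Core 1.0). If that evidence is missing or stale, it builds a step-up authorization request and, after the callback, re-checks the claims instead of trusting that the redirect alone means MFA happened. The route list, the acr value "urn:example:acr:mfa", the 15-minute freshness window and every function name are assumptions for illustration; which acr/amr values a given identity provider actually emits, and whether it honours the "claims" parameter, must be taken from that provider's documentation.

```python
"""Added example: per-route MFA step-up on top of an OIDC sign-in.

Everything below is illustrative. Route prefixes, the acr value, the
freshness window and the function names are assumptions, not any
provider's or this sample's API.
"""
import json
import time
from urllib.parse import urlencode

# Assumption: only these path prefixes require a second factor.
PRIVILEGED_PREFIXES = ("/admin",)

# RFC 8176 "amr" values that denote a second factor was used.
MFA_AMR_VALUES = {"mfa", "otp", "hwk", "sms", "tel", "swk", "fpt", "face", "iris", "vbm"}

# Assumption: the provider's acr value meaning "MFA was performed".
# Providers publish their own values; look yours up.
MFA_ACR = "urn:example:acr:mfa"

# Assumption: an MFA event older than this must be repeated for /admin.
MAX_MFA_AGE_SECONDS = 15 * 60


def route_is_privileged(path):
    """Exact match or a sub-path; "/administrator" must not match "/admin"."""
    return any(path == p or path.startswith(p + "/") for p in PRIVILEGED_PREFIXES)


def session_proves_mfa(id_token_claims, now=None):
    """True only if the ID token shows a second factor used recently.

    Either the expected acr or an MFA-class amr value is accepted, but
    auth_time must be present and within the window: yesterday's MFA
    should not unlock /admin today.
    """
    amr = set(id_token_claims.get("amr") or [])
    acr = id_token_claims.get("acr")
    if acr != MFA_ACR and not (amr & MFA_AMR_VALUES):
        return False
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    now = time.time() if now is None else now
    return 0 <= now - auth_time <= MAX_MFA_AGE_SECONDS


def access_decision(path, id_token_claims, now=None):
    """Return "login" (no session), "allow", or "step_up" (send to MFA)."""
    if not id_token_claims:
        return "login"
    if not route_is_privileged(path):
        return "allow"
    return "allow" if session_proves_mfa(id_token_claims, now) else "step_up"


def build_step_up_url(authorize_endpoint, client_id, redirect_uri, state, nonce):
    """Authorization request asking the OP for an MFA-level acr.

    "claims" marks acr as essential with the wanted value (OIDC Core
    5.5.1.1); "max_age" forces re-authentication when the last one is
    older than the window and makes auth_time a required ID token claim.
    """
    claims = {"id_token": {"acr": {"essential": True, "values": [MFA_ACR]}}}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "max_age": str(MAX_MFA_AGE_SECONDS),
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return authorize_endpoint + "?" + urlencode(params)


def verify_step_up_result(id_token_claims, expected_nonce, now=None):
    """After the callback, check the nonce and then the same MFA evidence;
    a redirect back from the provider is not proof that MFA happened."""
    if id_token_claims.get("nonce") != expected_nonce:
        return False
    return session_proves_mfa(id_token_claims, now)


if __name__ == "__main__":
    # Constructed sample claim sets, as validated ID tokens would yield.
    NOW = 1_700_000_000
    password_only = {"sub": "u1", "amr": ["pwd"], "auth_time": NOW - 60}
    with_mfa = {"sub": "u1", "amr": ["pwd", "mfa"], "auth_time": NOW - 60}
    print(access_decision("/", password_only, NOW))        # allow
    print(access_decision("/admin", password_only, NOW))   # step_up
    print(access_decision("/admin/users", with_mfa, NOW))  # allow
    print(build_step_up_url("https://issuer.example/authorize", "app-id",
                            "https://app.example/callback", "s1", "n2"))
```

The session still holds one ordinary sign-in; the privileged route is what triggers the second, stronger authorization request against the same app registration, and the decision is made from claims the app has already validated rather than from which registration issued the token.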

Category
Q&A
2 participants
