Double MFA Prompt Windows Hello - Workspace ONE Access

Federate Office 365 to  Workspace ONE Access

A federation between Office 365 and Workspace ONE Access (or any other Identity Provider) is a prerequisites for this blog. Please see my previous post on how to do that:


When you do an enrollment of a new device with Windows OOBE. You will see that the user will first need to authenticate to Workspace ONE Access (username, password and MFA). This will authenticate the user to both Workspace ONE and Office 365 because of the federation:

After this screen Windows Hello requires activation and by default Azure AD will prompt the user with either MS Authenticator or a text MFA:

This means if you have setup MFA in Workspace ONE Access (or any other federated Identity Provider) the user will need to provide MFA twice. Once for Access and Once for Azure AD in this example. In a realistic scenario the MFA from your federated Identity Provider should be sufficient as this is your main authentication source. 

This is caused due to the MFA requirement from Microsoft Azure AD and can satisfied with the following schema:


To configure this, edit the Office365 - WS-FED application in your Identity Provider - Workspace ONE Access. 

Click edit and navigate to Custom Attribute Mapping:

In this field add a new value with the following configuration:

Name: authnmethodsreferences

Format: Basic



Now next time when you enroll through OOBE, the user wil only got prompted for MFA by Workspace ONE Access and not Azure AD!