What is a one sentence summary of your feature request?
If SAML authentication is set as the default, honor that setting and do not allow local MFA access unless it is explicitly granted.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Currently, when using SAML authentication (for example, Entra), users have the option to select “Login with a different account”. This allows them to authenticate and access the NPS using AD and local MFA, even if their authentication method is set to SAML.
As this is not clearly documented, admins may be unaware that users can easily bypass the configured authentication method. Being able to bypass SAML authentication prevents the application of Conditional Access Policies, as well as any reporting/alerting based on the SAML provider's access logs. If I set the authentication method to SAML, it should respect that method and not allow other methods, or this behavior should be clearly documented so we can compensate and design additional safeguards. The odd thing is that if I set the authentication method to Local MFA and try to log in with SAML, it throws an error. I would expect the same behavior in all situations.
How do you currently solve the challenges you have by not having this feature?
We can set the authentication method as exclusive, but that prevents the use of a “break-glass” account. Instead, we would need to run commands against the backend database to enable AD authentication. This is time consuming, requires a level of knowledge that may not always be available, and seems like an additional, unnecessary step.
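The behavior requested above, written out as an added example that is not the product's own logic: a gate that always accepts the configured method, refuses any other method as a bypass, and permits the fallback only for accounts explicitly named on a break-glass allowlist (the allowlist setting itself is an assumption, since the page asks for it but the product does not expose one). The rule is symmetric, so a SAML-configured and a Local-MFA-configured deployment reject the other method the same way, and every refused attempt is recorded so the bypass shows up in reporting rather than disappearing.

```python
"""Added illustration of an authentication-method gate with break-glass exceptions.

Hypothetical example code, not the NPS product's own implementation. The
`break_glass` allowlist is an assumed setting that the feature request asks for.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class AuthMethod(Enum):
    SAML = "saml"            # identity provider such as Entra
    LOCAL_MFA = "local_mfa"  # AD credentials plus local MFA


@dataclass
class AuthPolicy:
    configured: AuthMethod            # method the admin selected
    exclusive: bool = False           # no fallback at all, not even break-glass
    break_glass: frozenset = frozenset()  # accounts explicitly granted the fallback (assumed)


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    """Collects refused bypass attempts so they can feed reporting/alerting."""
    events: List[str] = field(default_factory=list)


def evaluate_login(policy: AuthPolicy, user: str, attempted: AuthMethod,
                   audit: AuditLog = None) -> Decision:
    """Decide whether `user` may authenticate with `attempted` under `policy`.

    The configured method is always accepted. Any other method is a bypass and
    is refused, unless the policy is non-exclusive and the user is on the
    break-glass allowlist. Refusals are appended to `audit` when one is given.
    """
    if attempted == policy.configured:
        return Decision(True, f"{attempted.value} is the configured method")

    if policy.exclusive:
        decision = Decision(False, f"{attempted.value} refused: policy is exclusive")
    elif user in policy.break_glass:
        return Decision(True, f"{attempted.value} granted to break-glass account {user}")
    else:
        decision = Decision(
            False,
            f"{attempted.value} refused: configured method is {policy.configured.value} "
            f"and {user} is not a break-glass account",
        )

    if audit is not None:
        audit.events.append(f"user={user} attempted={attempted.value} {decision.reason}")
    return decision


def run_demo() -> AuditLog:
    """Walk the three situations the request describes and return the audit trail."""
    audit = AuditLog()
    saml_policy = AuthPolicy(AuthMethod.SAML, break_glass=frozenset({"breakglass-admin"}))
    evaluate_login(saml_policy, "alice", AuthMethod.SAML, audit)             # normal login
    evaluate_login(saml_policy, "alice", AuthMethod.LOCAL_MFA, audit)        # bypass, refused
    evaluate_login(saml_policy, "breakglass-admin", AuthMethod.LOCAL_MFA, audit)  # granted

    exclusive = AuthPolicy(AuthMethod.SAML, exclusive=True,
                           break_glass=frozenset({"breakglass-admin"}))
    evaluate_login(exclusive, "breakglass-admin", AuthMethod.LOCAL_MFA, audit)  # refused

    local_policy = AuthPolicy(AuthMethod.LOCAL_MFA)
    evaluate_login(local_policy, "alice", AuthMethod.SAML, audit)            # refused, symmetric
    return audit


if __name__ == "__main__":
    for line in run_demo().events:
        print(line)
```

The point of routing refusals through `AuditLog` is that a bypass attempt becomes visible in the same reporting path the SAML provider's logs would otherwise have covered; an admin who cannot yet turn the fallback off can at least alert on it.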