Tags: azure, azure-active-directory, single-sign-on, adfs, ws-federation

Forward "RequireMFA" Information from Azure SSO to OnPrem ADFS during authentication


Azure determines via Conditional Access Policy whether MFA is required or not ("RequireMFA"). Then Azure SSO delegates authentication requests to an on-prem ADFS via WS-Fed. The on-prem ADFS returns a SAML token to Azure after authentication.

My problem is that the on-prem ADFS has no clue what was evaluated by Azure's Conditional Access Policy (whether MFA is required or not).

Is there any chance to make the ADFS aware of the RequireMFA information (i.e. via the WS-Fed request from Azure to ADFS)?


Solution

  • If your AD FS server has an MFA adapter configured, you could do the following.

    If the federated domain is configured with supportsmfa set to TRUE via the https://learn.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0 cmdlet, then Azure AD will redirect to AD FS any request for which the Azure AD side needs the user to do MFA (such as due to CA policies).

    If your AD FS is running on Windows Server 2016 or a later OS edition and you have already configured Azure MFA for users in the cloud, configure the MFA adapter on AD FS using https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa and set supportsmfa=true using the Set-MsolDomainAuthentication or Set-MsolDomainFederationSettings cmdlets. Then Azure AD will redirect to AD FS, AD FS will do the MFA using the Azure MFA adapter, and it will return the claims indicating that MFA was done on the AD FS side. Your AD FS needs to have the claims rules as configured by Azure AD Connect. Otherwise you can use https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator to produce the correct claims rules configuration, which will make AD FS issue a

    http://schemas.microsoft.com/claims/authnmethodsreferences

    claim using a rule similar to below.

    @RuleName = "Pass through claim - authnmethodsreferences"
    c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
     => issue(claim = c);
    

    Contact Microsoft support if you are still struggling to get this to work.
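An added check script (not part of the answer above or of Microsoft's documentation) that verifies the three pieces the answer lists: the SupportsMfa flag on the federated domain, the MFA adapter on the AD FS farm, and the authnmethodsreferences pass-through rule on the Azure AD relying party trust. It assumes a placeholder domain "contoso.com", the default relying party trust name "Microsoft Office 365 Identity Platform", and the default adapter provider name "AzureMfaAuthentication".

```powershell
# Added example: verify (and where missing, apply) the settings the answer describes.
# Assumptions (not from the page): federated domain "contoso.com" (placeholder),
# relying party trust named "Microsoft Office 365 Identity Platform", and the
# Azure MFA adapter registered under its default name "AzureMfaAuthentication".
# Run on the AD FS server with the ADFS module, after Connect-MsolService.

$DomainName = "contoso.com"
$RpName     = "Microsoft Office 365 Identity Platform"
$AmrType    = "http://schemas.microsoft.com/claims/authnmethodsreferences"

# 1. Azure AD only delegates the RequireMFA decision to AD FS when the
#    federated domain advertises that the IdP can perform MFA.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
if (-not $fed.SupportsMfa) {
    Write-Warning "SupportsMfa is not set for $DomainName; setting it now."
    Set-MsolDomainFederationSettings -DomainName $DomainName -SupportsMfa $true
}

# 2. AD FS must have the MFA adapter registered and enabled as an
#    additional authentication provider, or the redirected request fails.
$providers = Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name
if ($providers -notcontains "AzureMfaAuthentication") {
    Write-Warning "Azure MFA adapter is not registered on this AD FS farm."
}
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -notcontains "AzureMfaAuthentication") {
    Write-Warning "Azure MFA adapter is registered but not enabled as an additional provider."
}

# 3. The relying party trust must pass the authnmethodsreferences claim
#    through, otherwise Azure AD never learns that MFA was satisfied.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($AmrType)) {
    Write-Warning "No rule issues $AmrType; appending the pass-through rule."
    $rule = @"
@RuleName = "Pass through claim - authnmethodsreferences"
c:[Type == "$AmrType"]
 => issue(claim = c);
"@
    $rules = $rp.IssuanceTransformRules + "`r`n" + $rule
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $rules
}
```

Each check only warns or adds what is missing, so it is safe to rerun after each change while testing the CA policy redirect.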