Claim to exclude ActiveSync from ADFS MFA (Azure MFA)

  • Question

  • Hi

    We have federated ADFS with Office 365 with Azure MFA enabled. On the intranet all is good: we can access Office 365 via the web (SSO) or the Outlook client and it does not ask for MFA unless the client is outside (as per settings).

    But we are having issues with configuring mobile devices with ActiveSync. Once the account is configured, it keeps asking for the password, which is expected as ActiveSync does not support MFA.

    The only way I could figure out is an App Password, but for that I have to enable MFA in Office 365 as well, which kind of kills the MFA function: after enabling MFA in Office 365 to get to the App Password page, it now asks for MFA even if clients are inside and trying to access Office 365 using the web portal. And for Outlook I have to use the app password as well from the intranet.

    How can ActiveSync work when ADFS is configured with MFA? We do not want to use app passwords, as that kills the function of SSO from the intranet. Or is there any claim that can be added to not process MFA for ActiveSync devices...

    At this stage, we are using the following rule for the Office 365 Relying Party:

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules
    'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
        Value == "S-1-5-21-2983449972-3282164188-592007632-3759"] &&
     [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
              Value = "http://schemas.microsoft.com/claims/multipleauthn");'

    Thanks in advance.

    Thursday, April 14, 2016 2:29 PM

All replies

  • The following issuance transform rule can be used to bypass the MFA settings in Azure:

    Exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
    &&
    Exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "^(Microsoft.Exchange.(Autodiscover|ActiveSync))$"])
    => Issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, April 14, 2016 4:09 PM
  • Pierre,

    Apologies for "hijacking" the thread but we're in a similar situation as the original poster and have MFA working with ADFS 3.0 and want to exclude any ActiveSync traffic from the Extranet from MFA.

    Can the above ITR be used for the above and if so can it then be removed easily enough if we find it causes any unwanted issues?

    Cheers for now

    Russell

    Wednesday, October 5, 2016 10:13 PM
  • As long as you do not enforce MFA for the user in Azure, yes. If you do so, you cannot bypass it at the ADFS level.

    Tuesday, October 11, 2016 10:14 AM
  • Thanks for the confirmation, can you also let me know which command we'd need to use in order to remove the rule if it causes any unwanted issues?

    Cheers for now

    Russell

    Tuesday, October 11, 2016 7:44 PM
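The two things asked for in this thread, applying Pierre's rule and being able to remove it again, fit in one short PowerShell sequence. The script below is an added example, not code from the thread or from Microsoft; it assumes the Office 365 relying party trust still carries its default display name "Microsoft Office 365 Identity Platform" and that it runs in an elevated session on the primary ADFS server. It backs up the current issuance transform rules first, appends the rule rather than overwriting the rule set, and keeps the restore command beside it. Keep in mind what the rule does: it issues the multipleauthn value in authnmethodsreferences for Autodiscover and ActiveSync requests on the usernamemixed endpoint, so Azure AD treats MFA as satisfied for those requests; as Pierre notes, this has no effect on users with MFA enforced in Azure itself.

```powershell
# Added example (not from the thread): stage, apply and roll back the
# ActiveSync/Autodiscover MFA-exclusion rule on the Office 365 RP trust.
# Assumptions: default O365 RP trust name, run on the primary ADFS server.
$rpName     = 'Microsoft Office 365 Identity Platform'   # assumption: default trust name
$backupDir  = 'C:\adfs-backup'                            # assumption: local backup folder
$backupPath = Join-Path $backupDir ("O365-IssuanceRules-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmm'))

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# 1. Save the current issuance transform rules so the change can be reverted.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$rp.IssuanceTransformRules | Set-Content -Path $backupPath -Encoding UTF8
Write-Host "Current rules saved to $backupPath"

# 2. The rule from Pierre's reply, with a RuleName so it is easy to spot later.
#    It fires only for requests on the WS-Trust usernamemixed endpoint whose
#    client application is Exchange Autodiscover or ActiveSync, and issues the
#    multipleauthn value in authnmethodsreferences for those requests.
$activeSyncRule = @'
@RuleName = "Exclude ActiveSync and Autodiscover from MFA"
Exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
&& Exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "^(Microsoft.Exchange.(Autodiscover|ActiveSync))$"])
=> issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# 3. Append the rule to the existing rule set (do not replace the set).
$newRules = $rp.IssuanceTransformRules.TrimEnd() + "`r`n`r`n" + $activeSyncRule
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceTransformRules $newRules

# 4. Confirm the rule is now part of the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules

# Rollback (Russell's question): restore the saved rule set as a whole.
# Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules (Get-Content -Path $backupPath -Raw)
```

Restoring the whole saved rule set is simpler and safer than editing the rule text in place, and the `@RuleName` line makes the added rule visible in the ADFS management console so it can be reviewed or audited later.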
  • > As long as you do not enforce MFA for the user in Azure, yes. If you do so, you cannot bypass it at the ADFS level.

    Can you elaborate on this remark? I need to bypass with enrolled MFA users. Thanks

    Thursday, August 24, 2017 7:41 AM