Need help with claims rule to bypass MFA for iOS

  • Question

  • We have ADFS 3.0 cert-based MFA enabled for Office 365 but have found that iOS devices fail during the second factor to prompt to select a certificate. The Android devices have no problem so it seems isolated to something with iOS and Microsoft PFEs are saying it's not supported. We would like to put in a claims rule that allows iOS devices to bypass the MFA requirement but still enforce it on all other device types. I'm not an ADFS guy so I'm looking for anyone who can suggest a claims rule that would work in this scenario. Any help is appreciated!

    GS

    Friday, May 20, 2016 9:52 PM

Answers

  • You can use the User-agent string of the browser to trigger or not trigger MFA if you'd like.

    Note that it is not really secure since one can change their user-agent string to bypass your policy.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, May 26, 2016 6:38 PM
  • As Pierre pointed out, you can use the User Agent and this is by no means foolproof. In addition, you could use a union of claims, e.g. group membership + user agent, to have greater control over which "iOS" devices (exhibiting the user agent settings) combined with users in a specified group are allowed to connect using said devices and weaker authentication.

    http://blog.auth360.net

    Thursday, June 2, 2016 5:45 PM
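    The two answers above describe the rule in words only; the following is an added example (not code from the thread or from Microsoft) of what that "group membership + user agent" combination looks like as ADFS 3.0 additional authentication rules, applied with the ADFS PowerShell cmdlets. It assumes a dedicated AD group whose SID you substitute for the placeholder below; the claim type URIs are the standard ADFS ones.

    ```powershell
    # Added example: global ADFS 3.0 (Windows Server 2012 R2) additional
    # authentication rules that require MFA for every sign-in EXCEPT when
    # the client presents an iOS user agent AND the user is a member of a
    # designated exemption group. Both conditions must hold to skip MFA.
    # The group SID is a placeholder; replace it with the SID of your group.
    $ExemptGroupSid = "S-1-5-21-PLACEHOLDER-EXEMPT-GROUP-SID"

    # Rule 1 fires MFA whenever the user agent is NOT iOS.
    # Rule 2 fires MFA whenever the user is NOT in the exemption group.
    # Together: MFA is skipped only for iOS clients used by group members.
    # The user agent is client-supplied (see the replies above), so the
    # group condition is what limits who can ever bypass the second factor.
    $Rules = @"
    @RuleName = "Require MFA for any non-iOS user agent"
    NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)(iPhone|iPad|iPod)"])
     => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    @RuleName = "Require MFA for any user outside the exemption group"
    NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$ExemptGroupSid"])
     => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
    "@

    # Review the rule set currently in force before replacing it.
    Get-AdfsAdditionalAuthenticationRule

    # Apply the new rule set globally (all relying parties that have MFA enabled).
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $Rules
    ```

    The same rule text can instead be scoped to a single relying party with Set-AdfsRelyingPartyTrust -AdditionalAuthenticationRules if only the Office 365 trust should carry the exemption.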

All replies

  • Any update?

    Thursday, June 2, 2016 1:13 PM
  • We need to do some research to figure out exactly how to build a claims rule to bypass MFA. I'm open to suggestions but we may just need to engage with a Microsoft PFE for some technical assistance.

    GS

    Thursday, June 2, 2016 2:11 PM
  • Thanks for the suggestions and we'll consider how to build that into the solution. I agree that this is not foolproof and may not meet our Security team's approval but at least it is an option. I hope Microsoft can find a way to address this certificate-based authentication issue in future versions of their Office Mobile/ODfB applications.

    GS

    Monday, June 6, 2016 2:47 PM
  • Did you ever get this working? If so, how did you create the rule? Was it an auth rule, issuance rule, etc.?
    Friday, June 24, 2016 6:46 PM
  • We decided not to allow iOS to bypass the MFA requirement and have submitted a design change request to have Microsoft come up with a better solution. We are still awaiting more details and I will post it here once I know more definitively.

    GS

    Friday, June 24, 2016 8:43 PM