Claims Rules for Office 365 and MFA

  • Question

  • We are trying to enforce MFA for all connections to Office 365 except those not supported - specifically ActiveSync.

    Currently, our rule allows for no MFA when connecting from the corporate network and only for browser based requests when not on the corporate networks. This works for web based access but allows apps with Modern Auth (ADAL) enabled to access with no MFA when connecting from outside. What we want is ADAL enabled applications to enforce MFA. Here is our current claim rule:

    c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    What we have tried:

    c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork",Value == "false"]
     && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value != "Microsoft.Exchange.ActiveSync"]
     => issue(Type ="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",Value = "http://schemas.microsoft.com/claims/multipleauthn");

    - and -

    c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     && [Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

    Nothing seems to work and the examples all talk about deny when external vs. enforce MFA when external.

    Thanks

    Tuesday, January 12, 2016 9:04 PM
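The following is an added illustration, not part of the original thread and not AD FS code. It models the one semantic difference between the two exclusion styles that appear in the question: a labelled condition such as `c1:[Type == "...x-ms-client-application", Value != "Microsoft.Exchange.ActiveSync"]` is a claim selector, so it is only satisfied when a claim of that type is actually present with some other value, whereas `NOT exists([... Value == "Microsoft.Exchange.ActiveSync"])` is satisfied whenever no such claim is present at all. The claim sets below are constructed, and the assumption that browser and ADAL requests carry no `x-ms-client-application` claim while ActiveSync requests do is an assumption made for the example. The helper functions and names are hypothetical.

```python
# Toy evaluator for two AD FS additional-authentication-rule shapes.
# Added example; claim sets are constructed and the evaluator is a simplification
# of how AD FS selects claims for a condition (assumption: a [Type, Value != X]
# condition needs an existing claim of that type to match).

CORPNET = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
CLIENT_APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
ACTIVESYNC = "Microsoft.Exchange.ActiveSync"


def has_claim(claims, ctype, value=None):
    """True if a claim of type `ctype` (optionally with exact `value`) is present."""
    return any(t == ctype and (value is None or v == value) for t, v in claims)


def rule_value_not_equal(claims):
    """Mirrors: c:[corpnet == "false"] && c1:[client-app != ActiveSync] => issue MFA.

    Both conditions are selectors over the incoming claim set, so c1 only matches
    when a client-application claim exists with a value other than ActiveSync.
    """
    external = has_claim(claims, CORPNET, "false")
    other_app_present = any(t == CLIENT_APP and v != ACTIVESYNC for t, v in claims)
    return external and other_app_present


def rule_not_exists(claims):
    """Mirrors: c:[corpnet == "false"] && NOT exists([client-app == ActiveSync]) => issue MFA.

    NOT exists() is satisfied when no matching claim is present, which covers
    requests that carry no client-application claim at all.
    """
    external = has_claim(claims, CORPNET, "false")
    return external and not has_claim(claims, CLIENT_APP, ACTIVESYNC)


# Constructed request claim sets (hypothetical values for illustration).
REQUESTS = {
    "browser_external": [(CORPNET, "false"), (ENDPOINT, "/adfs/ls/")],
    "adal_external": [(CORPNET, "false"), (ENDPOINT, "/adfs/oauth2/authorize")],
    "activesync_external": [(CORPNET, "false"), (CLIENT_APP, ACTIVESYNC)],
    "browser_internal": [(CORPNET, "true"), (ENDPOINT, "/adfs/ls/")],
}


def compare_rules(requests=REQUESTS):
    """Return {request name: (MFA issued by '!=' rule, MFA issued by 'NOT exists' rule)}."""
    return {name: (rule_value_not_equal(c), rule_not_exists(c)) for name, c in requests.items()}


if __name__ == "__main__":
    for name, (neq, nex) in compare_rules().items():
        print(f"{name:22s} '!=' rule -> MFA={neq!s:5s}  'NOT exists' rule -> MFA={nex}")
```

In this model the `!=` form never issues the MFA claim for external browser or ADAL traffic, because those requests have no client-application claim to select, while the `NOT exists` form issues it for everything external except the ActiveSync request and still leaves internal traffic alone. When testing a change like this, apply it to the relying-party trust's additional authentication rules and verify each client type against the AD FS audit/security log before widening the rule, so a mis-scoped exclusion is caught rather than silently passing ADAL clients through without MFA.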

Answers

  • Hi John,
     
    Thanks for posting in our forum. Please note that here we mainly focus on ADDS related questions; there is not so much about Claims rules/MFA for Office 365 aspects.
     
    For your specific question - Claims Rules for MFA for Office 365, you might want to try in the "Claims based access platform" forum below:
     
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
     
    Or post in the dedicated Office 365 community forum, where you should get more professional responses:
     
    https://community.office365.com/en-us/f
     
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, January 13, 2016 2:55 AM