Currently I'm working on building a lab; however, I noticed that when I'm external and hit login.microsoftonline.com I get no MFA prompts for:
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules '
        exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
        && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"])
        && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "true"])
        => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'
Notice that "true" is bolded.
But when I change it to false:
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules '
        exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
        && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"])
        && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"])
        => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'
Then it prompts me for MFA.
Also, I want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through, then do not prompt for MFA.
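The following is an added example, not code from the original post: it combines the working "false" rule above (MFA for group members arriving from outside the corporate network through the proxy) with an exemption for Exchange ActiveSync, using the AD FS request-context claim x-ms-client-application, which AD FS issues with the value Microsoft.Exchange.ActiveSync for ActiveSync traffic. It assumes the same $rp relying-party object and the group SID from the post.

```powershell
# Added example (not from the original post). Assumes $rp is the RelyingPartyTrust
# object already used above and that the group SID below is the one from the post.
# Conditions:
#   - request arrived through the Web Application Proxy (x-ms-proxy present)
#   - user is a member of the target group (groupsid)
#   - request came from outside the corporate network (insidecorporatenetwork == false)
#   - client is NOT Exchange ActiveSync (x-ms-client-application != Microsoft.Exchange.ActiveSync)
# Only when all four hold does the rule issue the multipleauthn method, i.e. require MFA.
$rules = @'
EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
           Value == "S-1-5-21-13664088-3370380461-338043368-14102"])
&& EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork",
           Value == "false"])
&& NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
               Value == "Microsoft.Exchange.ActiveSync"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rules

# Read the rule back from the relying party trust to confirm exactly what AD FS stored.
(Get-AdfsRelyingPartyTrust -Name $rp.Name).AdditionalAuthenticationRules
```

The exemption is deliberately scoped to the single client-application value rather than to all proxy traffic, so any other external client in the group still gets the MFA prompt; the read-back at the end is the quickest way to catch a quoting or line-break error in the rule text before testing a sign-in.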