asked on
ADFS Claims Rules Help for MFA
Currently I'm working on building a lab however I noticed when im external and hit login.microsoftonline.com i get no MFA prompts for:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Notice True is Bolded
But when i change it to false:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Then it prompts me for MFA.
ALso i want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through then do not prompt for MFA
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Notice True is Bolded
But when i change it to false:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Then it prompts me for MFA.
ALso i want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through then do not prompt for MFA
Active DirectoryWindows Server 2012AzureMicrosoft 365Cloud Computing
Last Comment
Vasil Michev (MVP)
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Think you kinda pressed the Post button too fast, I don't see the ending of your post :)
ASKER
I updated it
ASKER
I've uploaded the txt file for your review
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
so activesync and autodiscover will not require autodiscover correct?
Yes, no MFA for those requests, as they will be hitting a different endpoint.
ASKER
Also my other question is for security reason i would like to explicitly call out autodiscover, activesync to not require MFA
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",alue=="Microsoft.Exchange.Autodiscover"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
As explained above, you DO NOT need this rule. Everything Exchange related will NOT require MFA.
ASKER
Thank you Vasil, For education purposes will any other application come through without MFA? for all intents and purposes that would not be a good thing.
Only the ones that are not using the passive endpoint. As MFA (or any 2FA method for that matter) requires a user input via additional components, usually surfaced via a browser control, such apps will not be able to connect anyway. Now, if you have switched to using ADAL, things change a bit, but that's another story.
ASKER
So we are going to use ADAL. So then would my rules change again?
ADAL is still in preview and has issues with for example Lync. When and if you decide to switch to ADAL, you will have to rework your claims rules as all clients will use the Passive endpoint. Check for example here: http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx
Open in new window
Also is there a way to do the same thing but in a file?
Open in new window
I uploaded the file. so when i import the file can i
testclaims.txt