ADFS Claims rules to exclude just ActiveSync and AutoDiscover but MFA for everything else external.

So with the Help of an MVP Vasil Michev, the Claim i had did suffice however is too broad so i need to be able to exclude ActiveSync and Autodiscover since we will be using ADAL.

What i have right now including a security group for my file. the command i run for the file:
$rpt = Get-AdfsRelyingPartyTrust –Name "Microsoft Office 365 Identity Platform"
set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -additionalauthenticationrulesfile c:\temp\testclaimsEE.txt

Open in new window

The file it applys is attached
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vasil Michev (MVP)Commented:
There's no attachment.

I'm not sure whether you can use the endpoint/application/useragent claims for the additional auth rules, as those simply might not be present. You can add something like this to the rule and see if it makes a difference:

NOT [Type == "", Value =~ "^(?i)Microsoft\.Exchange\.WebServices$"]

Open in new window

This should not affect the experience with other apps, if the claim is missing or doesnt match "Microsoft.Exchange.WebServices" you should still get prompted for MFA (at least I think so, cannot test it atm).
ntr2defAuthor Commented:
so the whole rule would look like this....

c:[Type == "", Value == "S-1-5-21-1202660629-1275210071-682003330-197182"] && [Type ==  "", Value == "false"] && [Type == "", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] && NOT [Type == "", Value =~ "^(?i)Microsoft\.Exchange\.WebServices$"] => issue(Type = "", Value = "");

Open in new window

ntr2defAuthor Commented:
Also the file looked like this:

c:[Type == "", Value == "S-1-5-21-1202660629-1275210071-682003330-197182"] && [Type ==  "", Value == "false"] && [Type == "", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "", Value = "");

exists([Type == ""]) &&
NOT exists([Type == "",
Value=="Microsoft.Exchange.Autodiscover"]) &&
NOT exists([Type == "",
Value=="Microsoft.Exchange.ActiveSync"]) => issue(Type = "", Value = "PermitUsersWithClaim");

Open in new window

IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

ntr2defAuthor Commented:

So this claim does work however... it doesnt do exactly what we need it to do

c:[Type == "", Value == 
                                 && [Type == "", Value == "false"]
                                 && [Type == "", 
                                Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
                                 => issue(Type = "", Value = 

Open in new window

This rule does about 80% what we need to do where it says "If external and capable of MFA then use MFA" Which means if the Client doesnt have ADAL configured it can still access O365. What we want is for the claim to deny the user if they dont use MFA which i believe is a Issuance Authorization Rule
exists([Type == ""]) &&
exists([Type == "", Value =~ " S-1-5-21-527237240-1682526488-1417001333-2076685"]) &&
NOT exists([Type == "",
Value=="Microsoft.Exchange.Autodiscover"]) &&
NOT exists([Type == "",
Value=="Microsoft.Exchange.ActiveSync"]) &&
=> issue(Type = "", Value = "true");

Open in new window

Vasil Michev (MVP)Commented:
There is no way for the AD FS server to know if the client is ADAL capable. The client decides which method to use and talks to the server, if the client goes with app password it will bypass the "force MFA" rule as you have noted. You can however prevent users from creating app passwords from the MFA portal if that's what you want.
ntr2defAuthor Commented:
is there anyway to deny a user access to O365 unless coming in through MFA?


If user is part of MFA Group and External and User authenticates via MFA then allow if not Authenticate via MFA then Deny
Vasil Michev (MVP)Commented:
Well you can enforce it on all endpoints in the auth rule if that's what you want, but it will not end up well :) As we discussed previously, *every* request for Exchange Online is external, so you will end up blocking those from clients that do not support ADAL (ActiveSync included).
ntr2defAuthor Commented:
which is what im looking for with the exception of ActiveSync. I want to add this as an Issuacne Authorization Rule

exists([Type == ""])
&& exists([Type == "", Value =~ " SID"])
&& NOT exists([Type == "", Value == "Microsoft.Exchange.ActiveSync"])
&& NOT exists([Type == "", Value == "Microsoft.Exchange.ActiveDiscover"])
&& NOT EXISTS([Type == "", Value == ""])
 => issue(Type = "", Value = "DenyUsersWithClaim"); 

Open in new window

Vasil Michev (MVP)Commented:
Oh, you are correct, I totally forgot about the authnmethodsreferences claim. Certainly try it.

You can also try the method described here:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ntr2defAuthor Commented:
between both our comments i was able to solve my problem
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Office 365

From novice to tech pro — start learning today.