ADFS: Allowing ActiveSync clients to use App Passwords

K B
Modern Authentication is enabled at the tenant.
Enabled one user with MFA within Office 365.
Without any additional Claim Rules, MFA seemed to work for the ADAL client (Outlook 2016).

Created an App password and attempted to use it for a legacy ActiveSync client.
Authentication does not succeed (instead, the user is prompted to fill in fields like server, etc.).

Any ideas?

Thank you.
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
App passwords do not work against AD FS, so make sure that the client doesn't try to "talk" to the AD FS server. If it hits the AD FS server, the request will fail. If it follows the legacy path, authentication is done directly via the service and you should see no trace of it on the AD FS side. In this scenario app passwords will work, as long as you are OK with them bypassing all restrictions you have in place with AD FS.

This is discussed for example here: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs
