Forum Discussion
365 MFA ADFS Bypass
Thanks, it is that I am after assistance with.
Does the order take priority?
Basically I require something that does not enforce MFA for Skype, ActiveSync. Not all users at the moment are MFA; everything I have been looking at enforces MFA unless it matches X.
There are many example rules that do that, just look at the documentation. For example, this article: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2k12
And here's a sample rule we used with one of my customers back in the day:
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "insert_list_of_IP_addresses_here"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "lync|ucmapi|WLMHttpTransport|Lync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
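A small model of the rule above, for checking which request contexts it would deny before deploying it (an added example, not part of the original post and not AD FS code). The trusted-IP pattern and the sample requests are constructed, and Python's `re.search` stands in for the claim rule language's `=~` operator as an assumption.

```python
import re

NS = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
# Constructed stand-in for the post's "insert_list_of_IP_addresses_here".
TRUSTED_IP_REGEX = r"\b203\.0\.113\.(10|11)\b"

# One (claim type, operator, value) tuple per NOT exists(...) in the rule.
CONDITIONS = [
    (NS + "x-ms-forwarded-client-ip", "=~", TRUSTED_IP_REGEX),
    (NS + "x-ms-endpoint-absolute-path", "==", "/adfs/ls/"),
    (NS + "x-ms-client-application", "==", "Microsoft.Exchange.ActiveSync"),
    (NS + "x-ms-client-user-agent", "=~", "lync|ucmapi|WLMHttpTransport|Lync"),
]

def exists(claims, ctype, op, value):
    """True if any claim of this type satisfies the condition."""
    for t, v in claims:
        if t != ctype:
            continue
        if (op == "==" and v == value) or (op == "=~" and re.search(value, v)):
            return True
    return False

def is_denied(claims):
    """The deny claim is issued only when every NOT exists(...) holds."""
    return all(not exists(claims, *c) for c in CONDITIONS)

def matched_exemptions(claims):
    """Short names of the conditions that keep a request from being denied."""
    return [c[0][len(NS):] for c in CONDITIONS if exists(claims, *c)]

def ctx(ip, path, app=None, agent=None):
    """Build a constructed request context as (type, value) claim pairs."""
    claims = [(NS + "x-ms-forwarded-client-ip", ip),
              (NS + "x-ms-endpoint-absolute-path", path)]
    if app:
        claims.append((NS + "x-ms-client-application", app))
    if agent:
        claims.append((NS + "x-ms-client-user-agent", agent))
    return claims

ACTIVE = "/adfs/services/trust/2005/usernamemixed"
SAMPLES = {  # constructed request contexts
    "browser_external": ctx("198.51.100.7", "/adfs/ls/"),
    "activesync_external": ctx("198.51.100.7", ACTIVE, "Microsoft.Exchange.ActiveSync"),
    "lync_external": ctx("198.51.100.7", ACTIVE, agent="Microsoft Lync 2013"),
    "ews_external": ctx("198.51.100.7", ACTIVE, "Microsoft.Exchange.WebServices"),
    "ews_internal": ctx("203.0.113.10", ACTIVE, "Microsoft.Exchange.WebServices"),
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, "DENY" if is_denied(claims) else "permit", matched_exemptions(claims))
```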
- Sahil Prashar, Nov 28, 2019, Copper Contributor
VasilMichev Hi Vasil, is there a way to bypass MFA (3rd party) only for Intune, while for the rest of the M365 apps (SharePoint, Teams etc.) it works in a normal way? If yes, can you please provide an example of claim rules for the same? Thanks.