SOLVED
Home

Ex2016 Full Hybrid with password hash sync and Outlook 2016 clients - bypass MFA on domain?

%3CLINGO-SUB%20id%3D%22lingo-sub-354120%22%20slang%3D%22en-US%22%3EEx2016%20Full%20Hybrid%20with%20password%20hash%20sync%20and%20Outlook%202016%20clients%20-%20bypass%20MFA%20on%20domain%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-354120%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20a%20couple%20of%20Ex2016%20servers%20that%20have%20been%20configured%20to%20be%20in%20full%20hybrid%20mode%20with%20our%20new%20O365%20tenant.%26nbsp%3B%20Our%20on-prem%20AD%20has%20been%20synced%20with%20Azure%20AD%20Connect%20and%20password%20hash%20sync%20has%20been%20configured.%26nbsp%3B%20Seamless%20Sign-On%20has%20also%20been%20configured.%26nbsp%3B%20When%20an%20Outlook%202016%20client%20is%20launched%20from%20a%20domain-joined%20desktop%20against%20a%20mailbox%20that%20has%20been%20moved%20to%20O365%2C%20we%20see%20the%20Outlook%202016%20splash%20screen%20and%20we%20see%20a%20white%20O365%20authentication%20box%20pop%20up%20but%20SSO%20takes%20care%20of%20that%20for%20us%20and%20we%20end%20up%20inside%20the%20mailbox.%26nbsp%3B%20So%2C%20things%20are%20currently%20working%20as%20intended.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20we%20add%20MFA%20to%20one%20of%20our%20O365%20accounts%2C%20that%20is%20also%20working.%26nbsp%3B%20When%20launching%20Outlook%202016%20from%20a%20domain-joined%20PC%20against%20an%20O365%20mailbox%20that%20has%20MFA%20enabled%2C%20we%20get%20an%20MFA%20challenge%20and%20when%20we%20pass%20that%2C%20Outlook%20continues%20into%20the%20mailbox%20with%20no%20trouble.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20what%20we%20are%20looking%20to%20do%20is%20to%20have%20MFA%20enabled%20on%20a%20mailbox%20but%20if%20the%20mailbox%20is%20accessed%20by%20an%20Outlook%202016%20client%20from%20domain-joined%20PC%2C%20we%20would%20like%20for%20that%20type%20of%20login%20to%20bypass%20MFA.%26nbsp%3B%20If%20a%20login%20happens%20outside%20the%20domain%2C%20we%20would%20like%20the%20MFA%20policy%20to%20apply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20understand%20that%20something%20called%20Conditional%20Access%20is%20available%20when%20using%20Azure%20AD%20Premium%20licensing%20(either%20P1%20or%20P2)%20and%20with%20Conditional%20Access%2C%20it%20looks%20like%20we%20could%20then%20set%20up%20Trusted%20IP%20Addresses%20so%20that%20we%20could%20then%20identify%20where%20our%20domain-joined%20clients%20originate%20from.%26nbsp%3B%20However%2C%20we%20are%20debating%20on%20whether%20spending%20the%20extra%20money%20per%20user%20for%20Azure%20AD%20Premium%20is%20the%20best%20way%20to%20go%20and%20so%20we%20are%20looking%20for%20alternatives%20to%20that%20approach.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20of%20a%20way%20to%20have%20MFA%20get%20bypassed%20by%20an%20Outlook%202016%20client%20that%20is%20set%20up%20to%20use%20Modern%20Authentication%20and%20that%20is%20coming%20from%20a%20domain-joined%20PC%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3C%2FP%3E%3CP%3EDaniel%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-354120%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-354146%22%20slang%3D%22en-US%22%3ERe%3A%20Ex2016%20Full%20Hybrid%20with%20password%20hash%20sync%20and%20Outlook%202016%20clients%20-%20bypass%20MFA%20on%20domain%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-354146%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Vasil%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20very%20much%20for%20your%20quick%20response!%26nbsp%3B%20After%20searching%20around%20for%20a%20good%20while%2C%20I%20had%20a%20feeling%20that%20Conditional%20Access%20was%20pretty%20much%20our%20only%20option%20(I%20had%20not%20considered%20the%20full%20ADFS%20option%20until%20you%20mentioned%20it%20but%20I%20think%20I'd%20rather%20stay%20away%20from%20the%20complexity%20that%20solution%20brings)%20so%20we%20will%20probably%20take%20a%20hard%20look%20at%20adding%20those%20Azure%20AD%20Premium%20licenses%20to%20gain%20the%20Conditional%20Access%20feature.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again!%3C%2FP%3E%3CP%3EDaniel%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-354134%22%20slang%3D%22en-US%22%3ERe%3A%20Ex2016%20Full%20Hybrid%20with%20password%20hash%20sync%20and%20Outlook%202016%20clients%20-%20bypass%20MFA%20on%20domain%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-354134%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20either%20Conditional%20Access%2C%20or%20redirecting%20the%20authentication%20process%20by%20deploying%20an%20on-premises%20AD%20FS%20server%20with%20the%20MFA%20configured%20there.%20Which%20in%20your%20scenario%20will%20probably%20cost%20more.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20other%20functionality%20that%20comes%20to%20mind%20is%20the%20Azure%20AD%20Join%2C%20which%20will%20automatically%20satisfy%20MFA%20requirements.%20But%20that's%20not%20the%20same%20as%20domain-joined%2C%20as%20generally%20speaking%20people%20can%20join%20personal%20devices%20and%20thus%20bypass%20MFA%20on%20them%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E
dano2112
New Contributor

We have a couple of Ex2016 servers that have been configured to be in full hybrid mode with our new O365 tenant.  Our on-prem AD has been synced with Azure AD Connect and password hash sync has been configured.  Seamless Sign-On has also been configured.  When an Outlook 2016 client is launched from a domain-joined desktop against a mailbox that has been moved to O365, we see the Outlook 2016 splash screen and we see a white O365 authentication box pop up but SSO takes care of that for us and we end up inside the mailbox.  So, things are currently working as intended.

 

When we add MFA to one of our O365 accounts, that is also working.  When launching Outlook 2016 from a domain-joined PC against an O365 mailbox that has MFA enabled, we get an MFA challenge and when we pass that, Outlook continues into the mailbox with no trouble.

 

So, what we are looking to do is to have MFA enabled on a mailbox but if the mailbox is accessed by an Outlook 2016 client from domain-joined PC, we would like for that type of login to bypass MFA.  If a login happens outside the domain, we would like the MFA policy to apply.

 

We understand that something called Conditional Access is available when using Azure AD Premium licensing (either P1 or P2) and with Conditional Access, it looks like we could then set up Trusted IP Addresses so that we could then identify where our domain-joined clients originate from.  However, we are debating on whether spending the extra money per user for Azure AD Premium is the best way to go and so we are looking for alternatives to that approach.

 

Does anyone know of a way to have MFA get bypassed by an Outlook 2016 client that is set up to use Modern Authentication and that is coming from a domain-joined PC?

 

 

Thank you,

Daniel

 

2 Replies
Solution

It's either Conditional Access, or redirecting the authentication process by deploying an on-premises AD FS server with the MFA configured there. Which in your scenario will probably cost more.

 

The other functionality that comes to mind is the Azure AD Join, which will automatically satisfy MFA requirements. But that's not the same as domain-joined, as generally speaking people can join personal devices and thus bypass MFA on them as well.

Hi Vasil,

 

Thank you very much for your quick response!  After searching around for a good while, I had a feeling that Conditional Access was pretty much our only option (I had not considered the full ADFS option until you mentioned it but I think I'd rather stay away from the complexity that solution brings) so we will probably take a hard look at adding those Azure AD Premium licenses to gain the Conditional Access feature.

 

 

Thanks again!

Daniel

 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies