Azure Active Directory and ADFS support for location-based MFA?


Does anyone know if it is possible to apply MFA only from outside the defined trusted networks, and how to set this up if ADFS 3.0 is in play? I tried to use just AAD Conditional Access policies, but I figure with ADFS in play it might be different than with just PTA and Seamless SSO.

 

Additionally, would it be possible for MFA to apply only to SharePoint team site access but not to OneDrive (the My Site collection space of SharePoint), Yammer, Teams, etc.?

 

The customer does not use MFA yet and would like to start using it for collaboration in SharePoint Online with external partners and users, but is not ready yet to use it globally everywhere else and bother the users. Device-based Conditional Access is not yet a topic, as the environment is very heterogeneous.

 

regards

Ueli

14 Replies

You can use the claims rules engine to create rules that will apply MFA only on external logins. You cannot, however, limit this to only specific workflows, such as SPO. If you have such requirements, Azure AD Conditional Access is your best option.

Thank you, I figured that as well regarding claim rules.

I have another question in the meantime though regarding the Conditional Access.

Should this work as well with federated IDs, or just with cloud-only and PTA/SSO synced AD accounts?

 

I just created a Conditional Access rule which should require me to use MFA if I'm not coming from a trusted IP range and if accessing SharePoint Online from a browser, but for no other target in the browser and no modern authentication app, and it seems not to work for federated IDs.

 

So for them, do I always have to use ADFS claim rules, or is there something wrong with my rule?

 

Best regards

Ueli

Found this one; does someone know if this is the best way to go if you have federated IDs and still want to use Conditional Access and Azure MFA?

 

https://blog.kloud.com.au/2017/07/01/using-adfs-on-premises-mfa-with-azure-ad-conditional-access/

 

Cheers

Ueli

Conditional access will work for federated scenarios, but it only applies to legacy auth. They just started previewing CA support for blocking legacy auth, so you can use the relevant controls as needed.

 

It's still much easier to distinguish between external/internal access via AD FS claims rules, provided you use the recommended setup of AD FS servers + proxies.
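As an added illustration of the claims-rules approach described in the two replies above (this is example code, not from the thread or from Microsoft documentation), the following AD FS PowerShell stamps the multipleauthn requirement only on requests that arrive through the proxy, i.e. where the insidecorporatenetwork claim is false. It assumes AD FS 2012 R2 or later with Web Application Proxy in front, and that the Office 365 relying party still carries its default name; the relying-party name and the MFA adapter registration are assumptions, not facts from the page.

```powershell
# Added example: require MFA on AD FS only for requests that did NOT come from the
# internal network. WAP sets insidecorporatenetwork=false on proxied (external) requests,
# so a rule on that claim is the "external login" condition Vasil refers to.
Import-Module ADFS

$mfaRule = @'
@RuleName = "Require MFA for external (non-corpnet) requests"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Scope the rule to the Office 365 relying party only. The name below is the default
# created by federation setup; adjust it if your trust is named differently (assumption).
$rpName = 'Microsoft Office 365 Identity Platform'
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# Check 1: the rule is attached to the relying party.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules

# Check 2: AD FS can actually satisfy the MFA demand. The rule only *asks* for a second
# factor; an additional authentication provider (e.g. the Azure MFA adapter) must be
# registered, otherwise external sign-ins fail instead of prompting.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.AdditionalAuthenticationProvider) {
    Write-Warning 'No additional authentication provider is registered on this farm.'
}
```

Because the resulting token carries the multipleauthn claim, Azure AD treats the session as already MFA'd, which is the interaction Rishabh describes later in the thread.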

Hello Ueli,

 

As per your enterprise setup, I will try to explain what happens under the hood when you have MFA configured in the cloud for federated identities.

 

Your user will go to https://portal.office.com --> will be redirected to https://login.microsoftonline.com --> since the domain is federated, ADFS will complete the authentication and provide a token to https://login.microsoftonline.com, and now the Conditional Access policies will be triggered.

 

The Conditional Access policy will be triggered irrespective of the authentication method you are using, as this is configured in Azure.

 

2nd scenario - where you have an MFA provider added in ADFS as well:

- MFA will be triggered by ADFS using the MFA adapter.

- In this case Azure MFA will not be triggered, because the token provided to Azure AD will have a multipleauthn claim in it.

 

Now, since this is a starting phase where you are testing, I would recommend starting with Exchange rather than SharePoint or OneDrive.

You can simply apply Conditional Access to groups or sets of users as well.

 

Note - Conditional Access is triggered when the primary authentication is completed; it is more of an authorization based on certain conditions. Once validated, the user will have access to the respective resource.

 

Regards,

Rishabh

Thanks Rishabh,

 

So basically, what would you recommend if I actually don't want to depend too much on ADFS and ADFS claim rules, but would rather use native Conditional Access with Azure MFA? ADFS still has to stay in place, as we are not able to remove it right away (maybe in the future I would like to go PTA and Seamless SSO), but that can take a while.

 

I still need the following covered:

 

1. Only use MFA if outside of corpnet

2. Only use MFA for SharePoint Online SaaS and for nothing else

3. Only use it if connected via browser (not for the OneDrive fat client or whatever else)

 

BTW: this is basically because we want to roll out this package just for SharePoint collaboration right now and not for anything else. Later we will probably go with Hybrid AD Join and Intune, and for that step I'm then able to use device-based Conditional Access, which makes it even easier.

 

But again, regarding the above three requirements, what would you suggest? Is this possible without ADFS claims, or do we still need the ADFS claims? And do I then need ADFS to connect to an MFA provider like Azure MFA, or can I use the claim rules without ADFS-driven MFA and just use Azure MFA without any configuration inside ADFS?

 

Hope this is stated clearly; otherwise ask me anytime.

 

Cheers

Ueli

Hello Ueli,

 

As per your requirements:

 

1. Only use MFA if outside of corpnet

- For this you have to add the IP address range of your enterprise in the MFA trusted IPs range option.

 


 

2. Only use MFA for SharePoint Online SaaS and for nothing else.

- I am not sure if there is a way to implement a policy for SharePoint that doesn't impact OneDrive. This is something you can check by creating a test policy.

For SaaS applications added to your tenant, yes, you can implement MFA, and application-specific at that.

 

3. Only use it if connected via browser (not for the OneDrive fat client or whatever else)

- While creating a Conditional Access policy you get an option where you can select the client application type.

 


 

Regards,

Rishabh

 



 

Thank you Rishabh,

 

I have verified these options as well within Conditional Access. I will check further whether there was still a configuration issue on my end, or whether this is correct and the mistake is somewhere else.

I did configure this exactly the way you mentioned, but somehow it seems not to apply.

 

Anyway, I feel confident now that I understood the process and how it should work, so the issue must be somewhere in my environment 🙂 I will find it.

 

Thanks again and regards

Ueli

Hi Rishabh,

 

After a while of troubleshooting I finally found the issue.

If I choose Exclude "All trusted locations", the rule seems not to work.

If I choose Exclude "Selected locations" and use MFA Trusted IPs, for example, the Conditional Access rule works without any further need to configure anything on ADFS, like you said.

 

Did anybody have the same situation/issue?

 

Cheers

Ueli
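To show the working configuration from the post above as policy-as-code, here is an added example (not from the thread, not Microsoft sample code) that builds the same Conditional Access policy with the Microsoft Graph PowerShell SDK: SharePoint Online only, browser only, MFA required, with the "MFA Trusted IPs" named location excluded instead of "All trusted locations". It assumes Connect-MgGraph has been run with the Policy.ReadWrite.ConditionalAccess scope; the pilot group id is a placeholder, and the all-zeros GUID is the id Graph uses for the MFA Trusted IPs location as far as I know (treat it as an assumption and check it against your tenant's named locations).

```powershell
# Added example: Conditional Access policy for the three requirements in this thread.
Import-Module Microsoft.Graph.Identity.SignIns

$sharePointOnlineAppId = '00000003-0000-0ff1-ce00-000000000000'   # well-known SPO application id
$mfaTrustedIpsLocation = '00000000-0000-0000-0000-000000000000'   # "MFA Trusted IPs" id (assumption, verify)

$policy = @{
    displayName = 'CA-SPO-Browser-MFA-OffCorpnet'
    # Start in report-only: the thread notes that Word/Excel/Teams/Planner also hit SPO,
    # so review the sign-in log impact before switching state to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @('<pilot-group-object-id>') }  # placeholder
        applications   = @{ includeApplications = @($sharePointOnlineAppId) } # req. 2
        clientAppTypes = @('browser')                                          # req. 3
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($mfaTrustedIpsLocation)                       # req. 1
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Sanity check: list named locations so the excluded id can be confirmed for this tenant.
Get-MgIdentityConditionalAccessNamedLocation | Select-Object Id, DisplayName
```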

I also found out two more things.

 

A) It seems that a lot of the O365 apps are somehow integrated with SharePoint.

For example, if I just activate this rule for SharePoint Online and only through the browser, I also have to authenticate if I want to open Word, Excel, PowerPoint, Teams, Planner, etc. Only Yammer and some other apps are not related to SharePoint, as it seems. If I connect to Teams via the fat client it works without MFA, as intended. Strange, though, that most of these apps are SharePoint related. It also does not help if you make exclusions for, let's say, Teams, etc.

 

B) If enforcing MFA through Conditional Access, the user does not get the benefit of registering and using the Authenticator app on the mobile phone. It only reveals the options for phone call and SMS, even though if you fully deploy MFA for the user, the Authenticator method is configurable and activated on our tenant… It seems the registration process for Conditional Access based auth is different (like Self Service Password Reset). This is very sad 😞

 

 

Sorry, point B is solved; I must have got carried away by testing so much that I missed that the option is actually available. Still, regarding SSPR, I think it's still not available there.

 

Hey Ueli,

 

Thanks, but I didn't get the below-mentioned statement.

"Still regarding SSPR i think its still not available there."

 

Regards,

Rishabh

That was just a comment on the SSPR (Self Service Password Reset) feature.

So far this does not allow the Authenticator app. At least that was the case when I checked last time, a couple of days ago.