365 MFA ADFS Bypass


Hi all.

 

Require some advice please - 365 hybrid to ADFS 4.0. Looking to turn on MFA for users, although I require a bypass for all mobile and Skype; also, don't MFA on internal.

Can anyone assist with the correct rules we require for the ADFS server, please?

 

Many thanks 

4 Replies

That's what Claims rules are for. I have few examples here: http://www.enowsoftware.com/solutions-engine/ad-fs-claims-rules-and-modern-authentication

 

You can find more in the official documentation.

Thanks, that is what I am after assistance with.

Does the order take priority?

 

Basically, I require something that does not enforce MFA for Skype or ActiveSync; not all users are on MFA at the moment. Everything I have been looking at enforces MFA unless it matches X.

There are many example rules that do that, just look at the documentation. For example, this article: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2...

 

And here's a sample rule we used with one of my customers back in the day: 

 

NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "insert_list_of_IP_addresses_here"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "lync|ucmapi|WLMHttpTransport|Lync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
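The rule above is an issuance authorization (deny) rule. For the original question (MFA externally, no MFA internally, skip ActiveSync and Skype/Lync, and only for the users already enrolled), the place to express it in AD FS 2016 (4.0) is the relying party's additional authentication rules: AD FS prompts for MFA whenever any such rule issues the "multipleauthn" claim, so every exception has to be a condition of the same rule rather than a separate "allow" rule, and rule order does not matter. The following PowerShell is an added example, not code from the thread or from Microsoft. It assumes the relying party still has its default name "Microsoft Office 365 Identity Platform", that external traffic comes through a Web Application Proxy (which is what populates the insidecorporatenetwork claim), and that the pilot group SID is a placeholder to be replaced.

```powershell
# Added example: require MFA on the Office 365 relying party only when ALL of these hold:
#   - the request did not arrive from inside the corporate network,
#   - the user is a member of an MFA pilot group (users not yet enrolled are untouched),
#   - the client application is not Exchange ActiveSync,
#   - the client user agent is not a Skype for Business / Lync client.
# Any request that fails one of the conditions gets no "multipleauthn" claim and so no MFA prompt.
# Assumptions: default RP name; WAP in front of AD FS; the group SID below is a placeholder.

$RpName           = 'Microsoft Office 365 Identity Platform'
$MfaPilotGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder, replace with your pilot group's SID

$additionalAuthRules = @"
@RuleName = "MFA for external requests from pilot users, excluding ActiveSync and Lync clients"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 && EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$MfaPilotGroupSid"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync|ucmapi|WLMHttpTransport"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# AD FS 2016 refuses custom rules while an access control policy is attached to the RP,
# so detach the policy first, then apply the additional authentication rules.
Set-AdfsRelyingPartyTrust -TargetName $RpName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $RpName -AdditionalAuthenticationRules $additionalAuthRules

# Confirm what is now in place on the relying party.
(Get-AdfsRelyingPartyTrust -Name $RpName).AdditionalAuthenticationRules
```

Two caveats before relying on this. The MFA provider itself still has to be registered and enabled in the global authentication policy, otherwise issuing the claim does nothing. And the user-agent exception is a weak control: x-ms-client-user-agent is whatever the client sends, so anyone outside the network who presents a Lync-looking user agent skips MFA; the x-ms-client-application and insidecorporatenetwork claims are set by AD FS and the proxy and are the conditions worth trusting.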

@Vasil Michev Hi Vasil, is there a way to bypass MFA (3rd party) only for Intune, while for the rest of the M365 apps (SharePoint, Teams, etc.) it works in the normal way? If yes, can you please provide an example of claim rules for the same. Thanks.