Forum Discussion
365 MFA ADFS Bypass
Hi all.
Require some advice please: 365 hybrid to ADFS 4.0. Looking to turn on MFA for users, although we require bypassing all mobile and Skype; also don't MFA on internal.
Can anyone assist with the correct rules we require for the ADFS server please?
Many thanks
4 Replies
That's what claims rules are for. I have a few examples here: http://www.enowsoftware.com/solutions-engine/ad-fs-claims-rules-and-modern-authentication
You can find more in the official documentation.
- Danny Kitchen, Copper Contributor
Thanks, that is what I am after assistance with.
Does the order take priority?
Basically I require something that does not enforce MFA for Skype or ActiveSync; not all users are on MFA at the moment, and everything I've been looking at enforces MFA unless it matches X.
There are many example rules that do that; just look at the documentation. For example, this article: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2k12
And here's a sample rule we used with one of my customers back in the day:
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "insert_list_of_IP_addresses_here"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "lync|ucmapi|WLMHttpTransport|Lync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
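The rule above is an issuance authorization rule (it issues a deny claim), whereas MFA enforcement in AD FS is expressed as an additional authentication rule that issues the multipleauthn claim. As an added example, not part of the thread, the PowerShell below applies a rule of that second kind to the Office 365 relying party on an AD FS 2016 server: MFA is required for extranet sign-ins (insidecorporatenetwork == "false") but not for ActiveSync or Lync/Skype clients, reusing the client-application and user-agent conditions from the sample rule. The relying party display name and the backup file path are assumptions; check the name with Get-AdfsRelyingPartyTrust before running it, and note that an MFA provider must already be registered in the global authentication policy or the issued claim cannot be satisfied.

```powershell
# Added example (not from the thread): require MFA from the extranet only, with the
# same ActiveSync and Lync/Skype exemptions as the sample deny rule, applied as an
# additional authentication rule on the Office 365 relying party trust.
# Assumed: AD FS 2016, relying party named "Microsoft Office 365 Identity Platform",
# an MFA provider already enabled under Set-AdfsGlobalAuthenticationPolicy.

$rpName = "Microsoft Office 365 Identity Platform"   # assumed name; confirm with Get-AdfsRelyingPartyTrust

$mfaRule = @'
@RuleName = "Require MFA from the extranet, except ActiveSync and Lync/Skype clients"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "lync|ucmapi|WLMHttpTransport|Lync"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Keep a copy of the rule set currently on the trust so the change can be reverted.
$backupPath = ".\O365-AdditionalAuthRules.bak"        # assumed path
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $trust) { throw "Relying party trust '$rpName' not found" }
$trust.AdditionalAuthenticationRules | Out-File -FilePath $backupPath -Encoding UTF8

# Replace the trust's additional authentication rules with the MFA rule above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# Show what is now in effect for the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Two points a practitioner should weigh before adopting the exemptions: the x-ms-client-user-agent claim is taken from the client-supplied User-Agent header, so the Lync/Skype exemption is a convenience rather than a trust boundary, and clients that match the ActiveSync or user-agent conditions authenticate with a password alone from the internet. The =~ operator is a regular-expression match, which is why the sample rule lists both "lync" and "Lync".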