ADFS Multifactor Authentication – Not Good for Office 365

Continuing down the road of implementing ADFS Multi-factor Authentication (MFA) using PKI, I have come across a few issues and one major show stopper when implementing it for Office 365 services. I wanted to share my experience so that you can avoid the same pain I have been through.

To clarify: I have been using ADFS 3.0 with certificate-based MFA, not Azure MFA.

You can read my other blog post about how to set this up here: https://markvale.wordpress.com/2015/05/12/multi-factor-authentication-mfa-using-adfs-3-0-and-certificates/

However, be careful. While this works for passive authentication applications such as Outlook Web Access, browser access and Outlook Anywhere, you will find issues with applications that use active authentication, namely the Lync mobile app and ActiveSync. These apps and services are not passive authentication capable in the context of Office 365.

To understand what passive and active authentication are, here is a brief explanation.

Passive Authentication

Passive authentication is where the application redirects the user from its own login page to the ADFS web page to perform authentication. Once you have authenticated with ADFS, you are redirected back from ADFS to the application you want to use.

Active Authentication

Active authentication is where you enter your login credentials directly in the application, and the application then requests authentication from your ADFS servers on your behalf using the credentials you entered in its login page. This way the ADFS login is transparent to the user.

It is the active authentication process that is the problem when trying to use ADFS MFA.
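As an added illustration of that distinction (my example, not code from the post), the following PowerShell lists the ADFS 3.0 endpoints and separates the WS-Trust endpoints that active clients post credentials to from the WS-Federation/SAML endpoint that passive clients are redirected to. It assumes the ADFS module is available on a federation server, and that the Protocol strings returned by Get-AdfsEndpoint contain "WS-Trust" for active endpoints and "WS-Federation" or "SAML" for passive ones; the x-ms-endpoint-absolute-path claim the rules in this thread key on carries exactly these AddressPath values.

```powershell
# Added example; not code from the post. Assumes the ADFS module on an
# ADFS 3.0 federation server and the Protocol naming described in the lead-in.
Import-Module ADFS

# Passive sign-in: the browser is redirected to /adfs/ls/ (WS-Federation / SAML 2.0)
# and the certificate MFA page is shown there.
# Active sign-in: the client sends the user's credentials to a WS-Trust endpoint
# such as /adfs/services/trust/2005/usernamemixed; there is no page to redirect to,
# so a browser-based MFA prompt can never be presented.
$endpoints = Get-AdfsEndpoint | Where-Object { $_.Enabled }

$classified = $endpoints | ForEach-Object {
    $kind = switch -Regex ($_.Protocol) {
        '^WS-Trust'           { 'active';  break }
        'WS-Federation|SAML'  { 'passive'; break }
        default               { 'other' }
    }
    [pscustomobject]@{
        Path     = $_.AddressPath   # value of the x-ms-endpoint-absolute-path claim
        Protocol = $_.Protocol
        Kind     = $kind
        Proxy    = $_.Proxy         # $true when published through the Web Application Proxy
    }
}

# Active endpoints reachable from the Internet are the ones ActiveSync and the
# Lync mobile app use; an MFA rule must either exclude them or expect them to fail.
$classified |
    Where-Object { $_.Kind -eq 'active' -and $_.Proxy } |
    Sort-Object Path |
    Format-Table Path, Protocol, Kind -AutoSize
```

Run it once before writing any additional authentication rule: the Path column is the set of values a rule on the x-ms-endpoint-absolute-path claim has to account for, and anything listed as active with Proxy set is traffic that a passive MFA flow cannot intercept.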

So why is this a show stopper for Office 365? The problem arises when you try to use mobile devices to access Office 365 content. You can use the browser for the majority of Office 365 services, but some require applications installed on the device, specifically ActiveSync and Lync Mobile.

With ActiveSync it is not possible to use certificate-based MFA at all. You can get around this by modifying the ADFS additional authentication rule so that MFA is bypassed when ActiveSync is present in the claim. I am not going to disclose the code for this because I believe the whole solution is flawed and not fit for enterprise purposes.

The main issue is the Lync app, which performs active authentication by default. If you have Lync on premises you can configure Lync to allow passive authentication, and MFA will then work. However, if you are using Lync Online it is not possible to configure the online tenant to support passive authentication. Digging deeper, it is not possible to achieve this with a hybrid setup either. It also appears that you cannot write claim rules to filter out Lync services going to Lync Online; at least I have not found a way yet.

The same problem is present when trying to use the Outlook Web App from the app stores; it appears that this also uses active authentication.

So this post is more of a warning and food for thought than a solution. If you have a way around this, I would be happy to hear your thoughts. But for now I am stumped, and I believe that if you want MFA for Office 365 then the answer is to use Azure MFA!

17 thoughts on “ADFS Multifactor Authentication – Not Good for Office 365”

  1. Hi Mark,

    Does Skype For Business Online ( Office 365) running on Windows 7/8.1 support MFA ( Client Certificate) and ADFS ?

    Regards,

    Zoran


    1. Hi Zoran

      Thanks for getting in touch. Unfortunately Skype for Business Online does not support passive authentication, which is the crux of the matter when trying to use certificate based MFA. You can make the on premises version do this and MFA works well. The problem extends into the OneDrive application too, in that the OD for Business back end also doesn’t support passive authentication. It’s a shame since the client apps themselves do! Perhaps this will come, but I’ve checked the roadmap and as yet not seen it planned. My advice if you want MFA for Office 365: use Azure MFA, it’s now free.

      Thanks

      Mark


      1. The problem with the Azure MFA is that it REQUIRES the stupid app password if you enable it. So all 20,000 of our users would have to remember some 16 digit randomly generated code (that the helpdesk cannot reset) if they wanted to configure Outlook or Lync. Stupid. Because of this we are trying to implement ADFS 3.0 and MFA and running into the same issues described in this blog.

        Mark, is there any way you could send me the code for the claims rule that will allow ActiveSync connections to bypass MFA on the ADFS server? We are stuck. I’m not too big to beg at this point 🙂.


      2. Hi
        Yep, couldn’t agree more, but it has been suggested that in Server 2016 (confirmed name now) ADFS MFA should be possible with Office 365. But we will wait and see. The code I used I didn’t copy down the whole thing, just the first bit, and then edited on the fly in ADFS PS. Was running out of time. But as a starter for 10 it should be something like this:

        $rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
        Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules '[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == ""] && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && [Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "false"] && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

        Basically this translates in English to
        If (User is a member of this security group AND is NOT coming from a source internal to the network AND is NOT a registered user AND neither Autodiscover nor ActiveSync is present in the claim) {
            Request MFA
        } else {
            Do Not request MFA
        }

        Hopefully this will get you closer to your goal. In the end I binned the whole ADFS MFA concept and admitted defeat because it just caused so many problems.


      3. Thank you so much for your response, I really appreciate it. So I have seen similar code and spent several hours trying to get it to run. I was hoping this might be something I haven’t seen or tried, because when I try to run this or similar code, I get the following error in PowerShell:

        Set-AdfsRelyingPartyTrust : ADMIN0031: Configuring multiple policies of type ‘Authorization’ is not supported.
        At C:\Users\USER\Documents\Untitled1.ps1:3 char:1
        + Set-AdfsRelyingPartyTrust –TargetRelyingParty $rp –AdditionalAuthenticationRules …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (Microsoft.Ident…lyingPartyTrust:RelyingPartyTrust) [Set-AdfsRelyingPartyTrust], InvalidDataException
        + FullyQualifiedErrorId : ADMIN0031,Microsoft.IdentityServer.Management.Commands.SetRelyingPartyTrustCommand

        I cannot find anything on that error. I’ve removed all global policy settings thinking that was it but still I get that error. This was the code I was running originally when I got the error:

        $rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
        $mfaClaimRule = 'c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
        Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $mfaClaimRule


      4. Hi

        So quickly testing the rule I have

        Set-AdfsRelyingPartyTrust –TargetRelyingParty $rp –AdditionalAuthenticationRules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.Autodiscover"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"]) => issue (Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

        This should exempt ActiveSync from MFA but request MFA for everything else.

        thanks


  2. So my issue was that I never restarted the ADFS service after I removed all my global ADFS policies. Those policies were overriding the ones I set directly on the relying party trust via PowerShell. Once I restarted the service, the PowerShell command took. Using this rule, we can allow ALL traffic, Lync, Outlook and ActiveSync, to pass through and only require multifactor for web based traffic:

    $rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
    $mfaClaimRule = 'c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path",
    Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
    Value = "http://schemas.microsoft.com/claims/multipleauthn");'
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $mfaClaimRule

    This works perfectly for us. Hopefully this helps others.


  3. Hi there, thanks very much all for this useful information! I am having the same problem with the error:

    Configuring multiple policies of type ‘Authorization’ is not supported.

    I have cleared out all of the Global Policy settings under the MFA tab, and restarted the ADFS service but it still won’t apply. Richard, I was wondering if you could confirm which settings you unchecked to allow the custom rules to take?

    The rule I am running is configured to require MFA for all external browser based access to Office 365 for users in a particular group and looks like this:

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules '[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && [Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-3388933763-2387696048-3050347461-86618"] && [Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

    Thanks in advance!


    1. You must make sure no policies at all are set at the global level if you are going to use custom policies. Make sure everything is unchecked, restart the ADFS service if any changes are made, and then try it again please.


    2. Hi,

      Have you resolved this problem with “Configuring multiple policies of type ‘Authorization’ is not supported” error?
      I have the same issue.

      Thank you


      1. I have no Global Policies set, but I do have Primary Authentication Methods checked and Certificate Authentication checked as a method of additional authentication. I would presume this is valid?


  4. Can anyone assist in how you overwrite or remove additional rules?
    I have tried

    Set-ADFSAdditionalAuthenticationRules $null

    and

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules “”
    but to no effect?


  5. You need to use the Get command first:
    $rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules ""


    1. Thanks, I found that there was an issue with the Office 365 Relying Party Trust. I had to remove it and re-add it to get rules working correctly.

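Pulling the thread's findings together, here is an added PowerShell example (mine, not code posted by Mark or any commenter) that checks for the global-policy conflict behind the ADMIN0031 error, applies an endpoint-scoped rule to the Office 365 relying party trust so MFA is only requested on passive endpoints, restarts the service as the thread found necessary, and reads the stored rule back for verification. Assumptions: it runs in an elevated session on an ADFS 3.0 federation server with the ADFS module available, the relying party trust keeps its default display name, Get-AdfsAdditionalAuthenticationRule returns the global rule text as a string, and clearing a rule set by passing an empty string works as the commenters report (neither of the last two is verified against documentation here).

```powershell
# Added example; not from the post or the comment thread. Assumptions are
# marked inline. Run in an elevated session on an ADFS 3.0 federation server.
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'   # default display name of the O365 trust

# MFA is requested only when the request arrived at a passive endpoint: the
# browser sign-in page under /adfs/ls/ or the OAuth2 authorize endpoint.
# WS-Trust requests from ActiveSync, the Lync/Skype mobile app and Outlook
# never match, so they fall back to primary (password) authentication
# instead of failing. The regex is anchored so "/adfs/ls" cannot match a
# longer, unrelated path; the thread's version was unanchored.
$mfaRule = @'
@RuleName = "Certificate MFA for passive sign-in only"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "^/adfs/(ls|oauth2)/"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

function Test-GlobalMfaRuleConflict {
    # Per-relying-party additional authentication rules are rejected with
    # ADMIN0031 ("Configuring multiple policies of type 'Authorization' is not
    # supported") while a global rule exists, so surface that first.
    # Assumption: the cmdlet returns the global rule text as a string.
    $global = Get-AdfsAdditionalAuthenticationRule
    if ($global) {
        throw "Global additional authentication rules are set; clear them on the MFA tab of the global policy (or with Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules '') before applying a per-relying-party rule. Current global rules:`n$global"
    }
}

function Set-O365PassiveMfaRule {
    param([switch]$Remove)   # -Remove clears the rule set instead of applying it

    Test-GlobalMfaRuleConflict

    $rp = Get-AdfsRelyingPartyTrust -Name $rpName
    if (-not $rp) { throw "Relying party trust '$rpName' not found." }

    # Assumption (from the thread): an empty string removes the rule set.
    $rules = if ($Remove) { '' } else { $mfaRule }
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rules

    # Commenters found the change only took effect after a service restart.
    Restart-Service -Name adfssrv

    # Read back what is actually stored rather than assuming the Set succeeded.
    (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
}

# Apply the rule and print the stored rule text.
Set-O365PassiveMfaRule
# To back it out later: Set-O365PassiveMfaRule -Remove
```

After the restart, confirm from a test account that a browser sign-in at /adfs/ls/ prompts for the certificate while an ActiveSync or Lync mobile sign-in still succeeds with password only; if the ADMIN0031 error persists with no global rule text returned, the thread's last comment points at the relying party trust itself, which one commenter had to remove and re-add.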
