Custom AD FS Rule for Office 365 MFA ActiveSync Exemption

adfsmicrosoft-office-365windows-server-2012-r2

We setup Office 365 with our RSA keys, and we are looking to exempt our mobile devices and outlook from MFA for now. From what I understand we have to form a custom issuance transform AD FS claim rule. I have tried creating one, without success:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && [Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

Does anyone have any ideas on the correct way to do this?

Best Answer

Figured it out. Pretty straight forward actually. So heres the deal:

You must first disable your global settings or at least those affecting how they set it. Make sure you still select your MFA provider (such as RSA or Cert), but don't fill anything else in.

Then go to Run As Administrator PowerShell.

Enter this command:

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules 'c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

Wbat this does is tell it, that if it is at a endpoint that is prompting for adfs or oauth2, then go ahead and enable MFA. Since MFA is not globally enabled anywhere else, it is essentially completes what I requested in this thread. I had to restart AD FS to get it to go into effect. While it is not the cleanest solution in the world it works.

Check out this article for other instructions and useful commands: http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx

Related Solutions

How to get Subject from client certificate issued as a claim in ADFS

I solved this by tweaking the [AdfsConfiguration].[IdentityServerPolicy].[Policies] table in the ADFS configuration database. There's a record that covers the inbound claims. On my database it's ID '88EDF726-83FA-E511-80C5-000D3AB14473' though I don't know if they're constant values or vary by deployment. You can tell which one it is as it's quite long and has the cert eku claim in.

I modified it to include the following rule:

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through certificate Subject claim"
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
 => issue(claim = c);

Office 365 ADFS authentication not working for child domains

The issue is very scarcely documented (a Technet blog post and some documentation for Azure AD), but it indeed exists, and it's caused by ADFS not behaving correctly in certain specific situations (multiple top-level federated domains and throwing federated child domains in the mix); the solution involves editing a regular expression in an ADFS claim rule which is used to build the IssuerUri associated with the user's UPN. Quoting from the second article:

So lets say for example that I have bmcontoso.com and then add
corp.bmcontoso.com. This means that the IssuerUri for a user from
corp.bmcontoso.com will need to be http://bmcontoso.com/adfs/services/trust.
However the standard rule implemented above for Azure AD, will generate a
token with an issuer as http://corp.bmcontoso.com/adfs/services/trust
which will not match the domain's required value and authentication will fail.

To solve the issue, the third claim rule in ADFS should be edited, going from

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)","http://${domain}/adfs/services/trust/"));

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, "^((.*)([.|@]))?(?<domain>[^.]*[.].*)$", "http://${domain}/adfs/services/trust/"));

However, beware that this might break compatibility with other scenarios, such as an actual third-level federated domain whose parent domain is not federated.

Best Answer

Related Solutions

How to get Subject from client certificate issued as a claim in ADFS

Office 365 ADFS authentication not working for child domains

Related Topic