3

We setup Office 365 with our RSA keys, and we are looking to exempt our mobile devices and outlook from MFA for now. From what I understand we have to form a custom issuance transform AD FS claim rule. I have tried creating one, without success:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && [Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

Does anyone have any ideas on the correct way to do this?

David Eisen
  • 643
  • 5
  • 21

2 Answers2

4

Figured it out. Pretty straight forward actually. So heres the deal:

You must first disable your global settings or at least those affecting how they set it. Make sure you still select your MFA provider (such as RSA or Cert), but don't fill anything else in.

Then go to Run As Administrator PowerShell.

Enter this command: 

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules 'c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

Wbat this does is tell it, that if it is at a endpoint that is prompting for adfs or oauth2, then go ahead and enable MFA. Since MFA is not globally enabled anywhere else, it is essentially completes what I requested in this thread. I had to restart AD FS to get it to go into effect. While it is not the cleanest solution in the world it works.

Check out this article for other instructions and useful commands: http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx

David Eisen
  • 643
  • 5
  • 21
-1

You have to type the command manually in Powershell. I also got all sorts of error messages when I copy/paste it in Powershell. Manually goes well.

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && [Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Arend van Dijk
  • 1