Azure Multi Factor Authentication (MFA) is a great service that has been included in Office 365 for almost 2,5 years. The adoption has really been great – at least from an admin user perspective where 99% of my customers admins have it enabled (I usually force them).
From an end user perspective we have more technical and informational challenges, which means that the adoption has not been as great as on the admin side. Hopefully the new shiny Conditional access policies for specific workloads will boost the adoption a bit.
The purpose of this post is to share the most common questions I get from customers about using Azure MFA included in Office 365 (in most cases in combination with ADFS).
Q: Can we pre-stage the MFA authentication methods so the end user doesn’t have to enroll after being enabled for MFA?
A: As of now, unfortunately no – I tried to build a PowerShell function to pre-populate the authentication methods if the user already had a mobile phone number. I was fooled and thought it worked, but when I tried on a user that never had enrolled MFA before, it failed. Troubleshooting further, the required MFA property “StrongAuthenticationUserDetails” is not possible to pre-populate programmaticly, yet. Maybe the new AzureAD module can help here in the future.
Conclusion – we have to instruct our users to enroll for MFA.
Q: Can we prevent MFA from kicking in when authenticating from our internal network?
A: Absolutely – There are some options depending on if you have Azure AD Premium or not.
With Azure AD Premium
Here you can choose to “white list” your external IP addresses (which of course works with or without ADFS), or check the “Skip multi-factor authentication for requests from federated users on my intranet” checkbox. This will make Azure AD decide about MFA based on the insidecorporatenetwork claims issued by your own ADFS.
The following PowerShell rows will add the required Issuance Transform Rules to your Azure AD RP.
$ByPassMFAClaims = @"
@RuleName = "Passtrough - InsideCorporateNetwork"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
=> issue(claim = c);
@RuleName = "Passtrough - PSSO"
c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
=> issue(claim = c);
"@
$AzureADRP = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetName $AzureADRP.Name `
-IssuanceTransformRules ($AzureADRP.IssuanceTransformRules + $ByPassMFAClaims)
Without Azure AD Premium
Without Azure AD Premium we don’t have the same choices in service settings.
We can however achieve the same result, but instead of passing through the insidecorporatenetwork claims, we use it in ADFS and “tell” Azure AD that MFA is already taken care of. This can be done with the claim rules as below.
$ByPassMFAClaims = @"
@RuleName = "Bypass MFA from inside - Without Azure AD Premium"
EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
=> issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
@RuleName = "Passtrough - PSSO"
c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
=> issue(claim = c);
"@
$AzureADRP = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetName $AzureADRP.Name `
-IssuanceTransformRules ($AzureADRP.IssuanceTransformRules + $ByPassMFAClaims)
Q: Do we really need to use the f****** app passwords?
A: Not really anymore, at least not if you are using ADFS. I usually turn it off.
First of all most rich clients (Including Outlook/SfB on mobile devices) do now support Modern Authentication (ADAL), which means they can handle MFA out of the box. So as long as you have updated clients, you most often only need to handle ActiveSync (native mail clients in all kinds of devices). My approach here is usually to exclude them from MFA to get rid of the app password need, but enable conditional access in order to control the devices.
Below you find a claims rule for the ActiveSync protocol that issues the multipleauthn claim which Azure AD will honor by skipping MFA for the request.
$Claims = @"
@Claims= "Bypass MFA for ActiveSync"
EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value=="/adfs/services/trust/2005/usernamemixed"]) &&
EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~"^(Microsoft.Exchange.(Autodiscover|ActiveSync))$"])
=> Issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
$AzureADRP = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetName $AzureADRP.Name `
-IssuanceTransformRules ($AzureADRP.IssuanceTransformRules + $Claims)
Please note that additional rules may be needed depending on if you have an Exchange or Skype for Business Hybrid environment.
Q: Can we combine Azure MFA with our already implemented on-premises MFA solution?
A: It works fine to combine Azure MFA with any MFA solution that integrates with ADFS. The only thing you need to do is issue the authnmethodsreferences on the Azure AD RP to prevent users from getting “Double MFA” like SmartCard + Azure MFA. 🙂 For example, if I have Cert Auth as an enabled MFA provider as below, I only have to authenticate with my VSM/SmartCard even if MFA is enabled on the user.
The needed claims rule looks like this:
$Claims= @"
@RuleName = "Passthrough - MFA"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
=> issue(claim = c);
"@
$AzureADRP = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetName $AzureADRP.Name `
-IssuanceTransformRules ($AzureADRP.IssuanceTransformRules + $Claims)
The above also works with the new Conditional Access policies for Exchange and SharePoint online.
Wrap up
Hopefully this post has given you some good insights what to think about implementing Azure MFA for Office 365. It is not a complete walk in the park, but it’s definately doable for most organizations.
As always, there are lots of if’s and but’s in all different environments. If I have missed something or if you have other, more specific questions, let me know!
/Johan
Tailspintoys - 365lab.net 
I think our biggest challenge with using MFA on the admin side is the lack of universal support in the PowerShell modules. Seems like it is getting better with some of the beta releases but it’s still messy if you need access to Azure AD, Exchange Online, SharePoint Online, etc. Not all of them support MFA in the shell.
I have a new ADFS 4.0 farm setup for O365 (using O365 MFA) and have run into quite the issue that O365 support seems to be having troubles with as well. When I setup the claim rules like you have shown to only require MFA for extranet authentication it breaks my external login (internal logins succeed with no MFA prompt after the claims rule is setup).
You will go to portal.office.com and it will redirect you with the UPN you typed in. You can then authenticate with user+pass. While still at the redirected (ADFS) portal it then says that it wants more information (MFA title) but displays an error where it would typically display “Sending code to phone…”. The error that is logged is one that I haven’t found in relation to MFA, O365, and ADFS. If the claim rules that you have listed above aren’t configured it simply redirects me to O365’s portal to do MFA which works just fine.
_____________________________________________________________
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
urn:federation:MicrosoftOnline
Exception details:
System.Exception: Exception calling SAS. —> System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
— End of inner exception stack trace —
at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
_______________________________________________________________
Have you run into this before?
I have exactley the same issue – by any chance did you get around to resolving it? Literally at wits end even understanding the cause.
Had the same issue, re-running all the steps to connect ADFS to Azure worked for me
The bypass MFA for intranet works great except if an internal user tries to set up MFA ahead of time by going to https://aka.ms/MFASetup, it just gets stuck in a loop. Any ideas on this? I guess I need to allow MFA for a particular destination?
Hi David,
Great that it works! I’ve seen that issue before – try to implement the other bypass method (Without Azure AD Premium) that issues the multipleauthn-claims instead and see if that solves the problem.
Let me know the result! 🙂
/Johan
I don’t have Azure AD Premium, so I was actually using that excellent claims rule. It is unusual in that it only gets stuck in that loop if MFA is not yet enabled. If MFA is enabled, then the user can get through fine. We are planning on rolling this out and liked the idea of getting the user to setup and test first before we actually lock down their account. If we remove that claims rule or if the user is outside of the network, that part of the process works. Not a deal breaker, but it just makes it harder to give users advance prep time. I also wonder how someone even learns about how to formulate a claims rule, I’ll have to search for documentation.
Hi, Thanks for the nice article!
I am using Azure MFA with a federated domain and hybrid Exchange 2013 / Exchange Online and Hybrid Lync 2013 / SfB. Adal is working for Outlook 2016 and Outlook 2013. But cannot get ActiveSync to work. I implemented the “Bypass MFA for ActiveSync” on local ADFS server. You mention additional Claim rules are required for Hybrid Scenario, Can you elaborate on that? Or suggest how to get this working?
Is it possible that users for which we enabled MFA don’t have to setup MFA when they are inside our trusted network? MFA is not required because we have configured trusted ipaddresses and we have enabled “Skip multi-factor authentication for requests from federated users on my intranet” so that MFA is not required.