The Xello team often comes across scenarios (rightly or wrongly) where Multi-Factor Authentication (MFA) needs to be bypassed for one reason or another. By far the most common scenario we hear from our customers is legacy Exchange Online ActiveSync clients in a Hybrid Exchange scenario. We could ramble for hours as to why this occurs, but in summary, Microsoft Office 365 uses Modern Authentication and ActiveSync does not currently support it.
To use ActiveSync in this unique instance, you would need an app password... in short, not preferable at all!
There's a lot of information (most of it correct, some of it not) on how to bypass MFA for a specific application in Office 365 using Conditional Access, Active Directory Federation Services (ADFS) or a combination of both, but we'll deal with the most common scenario we come across which is ActiveSync.
Before you start this method, a federated Office 365 tenant with on-premise ADFS is required.
How does MFA actually work?
MFA is usually triggered for users when they're accessing resources from outside the corporate network.
How does Office 365 know whether or not a user is outside the corporate network? It uses two distinct methods:
- It looks at the Trusted IP Addresses in the MFA Portal.
- In the case of ADFS, it looks for a specific claim that's issued by default when a user is authenticated by the internal farm server, as opposed to the Web Application Proxy.
Using Trusted IPs is not an option, as we never know where a phone might be - so its down to ADFS.
The claim in question is the "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" which we can add to a custom rule. The other half lies in the "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" claim that can be used to filter specific behaviour depending on the Office 365 Client application accessing the service. You can find more details on this here.
We'll be using this claim in the custom rule to identify traffic ActiveSync only to ensure that all other applications that support MFA are not affected.
How do I bypass MFA for ActiveSync?
Refer to our easy-to-follow steps below.
- Logon to you ADFS Farm Server and open the ADFS Management Console.
- Locate the 'Microsoft Office 365 Identity Platform' relying party trust, right click it and select 'Edit claims rules'.
- Click Add and name the claims rule (I've gone with Bypass MFA - Exchange Online ActiveSync).
- From the drop-down list select 'Custom Claims Rule' and paste the following information into the rule field:
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
=> issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "true");
So, how does this work?
The client x-ms-client-application claim value identifies the type of client and service and, if it finds a match for Microsoft.Exchange.ActiveSync issues inside corporate network claim.
This essentially tricks the Azure AD relying party into believing that the incoming claim has been sent from the Intranet as opposed to the internet.
While there are several other documented ways to accomplish this (which each come with benefits and trade-offs) this the most reliable method we’ve found for bypassing MFA for a specific application for customers that use ADFS.
Have any other questions? Don't be shy - reach out to the team at Xello for a more detailed walkthrough.