Excluding Skype for Business from ADFS MFA

When you want to use Skype for Business Online but authenticate through an on-premises ADFS deployment that requires MFA for all logins, Skype for Business will fail to authenticate. It cannot handle the ADFS multi-factor challenge because MFA is not yet supported for Skype for Business Online tenants in Office 365.

To exempt Skype for Business from MFA on your ADFS relying party trust (RPT), set the following additional authentication rule on the Office 365 trust:


# Look up the Office 365 relying party trust, then replace its additional authentication rules
# with one that requires MFA unless the client user-agent claim contains "skype", "ACOMO" or "lync".
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)skype"]) && NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"]) && NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
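Because -AdditionalAuthenticationRules replaces the whole rule set, the one-liner above discards any rules already on the trust. The following is an added example, not code from the original post: it backs up the current rules, builds the same user-agent exemption from a list, appends it to whatever is already there, and reads the result back. It assumes the ADFS module is available on a federation server and that the backup path is writable. Note that the x-ms-client-user-agent claim is supplied by the client, so this exemption is an availability workaround rather than a security boundary, and sign-ins that hit it are worth monitoring.

```powershell
# Added example (not from the original post): append a user-agent MFA exemption
# to the Office 365 RPT without overwriting existing AdditionalAuthenticationRules.
# Assumes the ADFS PowerShell module is loaded and $BackupPath is writable.
$RptName    = "Microsoft Office 365 Identity Platform"
$BackupPath = "C:\Temp\O365-AdditionalAuthRules.bak"   # assumed path
$UaClaim    = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"
$AuthMethod = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$MfaValue   = "http://schemas.microsoft.com/claims/multipleauthn"

# User-agent fragments reported for Skype for Business / Lync clients (from the post).
$ExemptAgents = @("skype", "lync", "ACOMO")

$rp = Get-AdfsRelyingPartyTrust -Name $RptName
if (-not $rp) { throw "Relying party trust '$RptName' not found." }

# Save the current rule set so the change can be reverted exactly.
$existing = $rp.AdditionalAuthenticationRules
Set-Content -Path $BackupPath -Value $existing -Encoding UTF8

# One NOT EXISTS clause per agent fragment; (?i) makes the regex match case-insensitive.
$conditions = $ExemptAgents | ForEach-Object {
    'NOT EXISTS([Type == "{0}", Value =~ "(?i){1}"])' -f $UaClaim, $_
}
$newRule = '@RuleName = "Require MFA except for Skype/Lync user agents"' + "`r`n" +
           ($conditions -join ' && ') +
           (' => issue(Type = "{0}", Value = "{1}");' -f $AuthMethod, $MfaValue)

# Append to any existing rules rather than replacing them.
$combined = if ([string]::IsNullOrWhiteSpace($existing)) { $newRule }
            else { $existing.TrimEnd() + "`r`n" + $newRule }

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $combined

# Verify what ADFS actually stored.
(Get-AdfsRelyingPartyTrust -Name $RptName).AdditionalAuthenticationRules
```

To roll back, pass the contents of the backup file to -AdditionalAuthenticationRules again.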

*With thanks to the IT team at NHTV 😉

Marco Bogers
Guest

It seems the mobile apps for S4B are using different app names in their claims to ADFS.

S4B for iOS uses Lync Mobile as app name (which is excluded by the rule to exclude claims containing 'lync').

However, S4B for Android seems to be using a completely different app name, ‘ACOMO’.

To exclude S4B for Android from being redirected to on-premises MFA as well, include the following rule in your RPT:

NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"])

Lauren Tennent
Guest

Is it possible to exclude MFA on a certain mail SMTP address using a claims rule?
We are able to send from a proxy address in our organisation using an SMTP tool but MFA is interfering. We want to be able to apply MFA to the primary user mailbox but exclude MFA when they are sending mail from the proxy address.
Any ideas?

vulkoek
Guest

Unfortunately this did not work for me, Skype for Business still did not login like I expected. It did break my Relying Trust Authentication Rule to a point where it can’t be managed using the AD FS management console. Also by using the script above all current AdditionalAuthenticationRules will be deleted.

Reverted back to default using: Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules ''

I still get "We can't connect to the server to sign you in. Please ask your admin to check the issuance authorization rule in the active directory." When I disable MFA on ADFS, everything works fine. Any ideas?

Ahmed Ibrahim
Guest

I tried the above command and it is working fine with the SfB client, whether on desktop or mobile devices.

I tried to sign in with a Polycom VVX 410 but I couldn't log in as expected because the client user agent is different. Can you help me and tell me how I can get the correct client user agent for it?

PS: I tried to add Polycom and OCPhone but to no avail.

Mick
Guest

We can't enable modern auth yet. We have ADFS with internal IP restrictions, but with claims to support mobile devices. The Skype for Business iOS client can connect to on-prem Lync OK, but the S4B clients' connection to 365 for EWS to support calendar sync stops. Can the claim rule be adjusted for this?

Rene
Guest

Can you give an example of how to exclude mail/Skype from Windows/Android/iOS phones, as the native phone apps don't support 2FA from on-premises 2FA? (Reference: https://blog.kloud.com.au/2016/06/03/azure-multi-factor-authentication-mfa-cheat-sheet/) And with ADFS and an on-premises Microsoft Authenticator server, app passwords are not available....

Marian Danisek
Guest

We have users in Skype for Business Online (with modern auth enabled) and Office 365 MFA enabled. We have an ADFS server which handles the authentication process.
By entering that rule/code above in ADFS, will I exclude Skype clients from MFA?
Will this work as well on mobile clients (iOS, Android)?

Isn't there a typo in the rule: "authenticationmetho"?

Thanks in advance

Michael Griffith
Guest

How does this change affect address book and calendar integration with Outlook?