When you use Skype for Business Online with an on-premises AD FS deployment that requires MFA for all logins, Skype for Business fails to authenticate: the client cannot handle the AD FS multi-factor challenge, because MFA is not yet supported for Skype for Business Online tenants in Office 365.
To exempt Skype for Business from MFA on your AD FS relying party trust (RPT) for Office 365, set the following additional authentication rule. It issues the multipleauthn claim (which is what makes AD FS demand a second factor) only when the x-ms-client-user-agent request-context claim matches none of skype, lync or ACOMO. Two caveats: Set-AdfsRelyingPartyTrust replaces the RPT's entire AdditionalAuthenticationRules set, so capture the existing rules first; and the user-agent claim is taken from the client's own User-Agent header, so any client that sends a matching string is exempted from MFA as well.
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)skype"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
*With thanks to the IT team at NHTV 😉
It seems the mobile apps for S4B use different app names in their claims to AD FS.
S4B for iOS uses Lync Mobile as its app name (which is already excluded by the condition that matches ‘lync’).
However, S4B for Android uses a completely different app name, ‘ACOMO’.
To stop S4B for Android from being redirected to on-premises MFA as well, make sure the rule on your RPT also contains the following condition (the rule above already includes it):
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"])
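As an added example (this is not the post's own script, nor anything a commenter published), the following PowerShell applies the same exclusion, including the ACOMO condition from the update above, while backing up and keeping whatever AdditionalAuthenticationRules the RPT already carries; a bare Set-AdfsRelyingPartyTrust call overwrites the whole rule set. The RPT name, the C:\Temp backup folder and the $Apply switch are assumptions to adjust for your environment.

```powershell
# Added example, not code from the original post: applies the post's user-agent
# exclusion without silently discarding the rules already on the RPT.
# Assumptions (adjust to your environment): run in an elevated PowerShell session on an
# AD FS server with the ADFS module available, the Office 365 RPT is named
# "Microsoft Office 365 Identity Platform", and C:\Temp exists for the backup file.
Import-Module ADFS

$RpName    = 'Microsoft Office 365 Identity Platform'
$BackupDir = 'C:\Temp'
$Apply     = $false   # preview only; set to $true to commit the change

$UaClaim  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent'
$AuthType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$MfaValue = 'http://schemas.microsoft.com/claims/multipleauthn'

# Substrings from the post: desktop/iOS clients identify as Skype / Lync Mobile,
# the Android client as ACOMO. "(?i)" makes the claim-language regex case-insensitive.
$ExcludedAgents = @('skype', 'lync', 'ACOMO')

function New-MfaExceptUserAgentRule {
    param([string[]]$Agents)
    $conditions = foreach ($a in $Agents) {
        "NOT EXISTS([Type == `"$UaClaim`", Value =~ `"(?i)$a`"])"
    }
    $body = $conditions -join "`n && "
    # One rule: issue multipleauthn (which is what triggers MFA) only when none of the
    # excluded user-agent substrings is present in the request context.
    @"
@RuleName = "Require MFA unless the client is Skype for Business / Lync"
$body
 => issue(Type = "$AuthType", Value = "$MfaValue");
"@
}

function Get-UnconditionalMfaRules {
    # Returns rule statements of the form '=> issue(... multipleauthn ...)' that have no
    # condition. Such a rule fires for every request, so it would keep forcing MFA on
    # Skype clients no matter what other rules say; it has to be replaced, not kept.
    param([string]$Rules)
    $stripped = $Rules -replace '@\w+\s*=\s*"[^"]*"', ''        # drop @RuleName etc.
    $stripped -split ';' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '(?s)^=>\s*issue\(.*multipleauthn' }
}

# 1. Read and back up the current rules so the change can be reverted.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }
$existing = [string]$rp.AdditionalAuthenticationRules
$backup = Join-Path $BackupDir ('AdditionalAuthRules-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Set-Content -Path $backup -Value $existing -Encoding UTF8
Write-Host "Existing rules backed up to $backup"

# 2. Build the Skype-aware rule and decide how to combine it with what is there.
$skypeRule = New-MfaExceptUserAgentRule -Agents $ExcludedAgents
if (Get-UnconditionalMfaRules -Rules $existing) {
    Write-Warning 'Existing rules force MFA unconditionally; replacing them with the Skype-aware rule.'
    $newRules = $skypeRule
} else {
    # Keep conditional rules that are already there (e.g. extranet-only MFA) and add ours.
    $newRules = (@($existing.Trim(), $skypeRule) | Where-Object { $_ }) -join "`n"
}

Write-Host '--- rules to apply ---'
Write-Host $newRules

# 3. Apply and read back what AD FS stored.
if ($Apply) {
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $newRules
    (Get-AdfsRelyingPartyTrust -Name $RpName).AdditionalAuthenticationRules
} else {
    Write-Host "Preview only. Set `$Apply = `$true to commit; revert later with:"
    Write-Host "  Set-AdfsRelyingPartyTrust -TargetRelyingParty `$rp -AdditionalAuthenticationRules (Get-Content '$backup' -Raw)"
}
```

The script runs in preview mode by default and prints the combined rule set; only flip $Apply once the output looks right. Additional authentication rules are ORed in effect: if any rule issues multipleauthn, AD FS asks for a second factor, which is why an existing unconditional MFA rule has to be replaced rather than left next to the new one.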
We are using ADFS for user authentication and all our O365 authentication happens via ADFS. We want to allow all users access to Teams from everywhere and block other apps except from white-listed IPs under ADFS. Is it doable? If yes, how?
Thanks in Advance for your help 🙂
Does enabling modern auth fix this now?
Is it possible to exclude MFA on a certain mail SMTP address using a claims rule?
We are able to send from a proxy address in our organisation using an SMTP tool but MFA is interfering. We want to be able to apply MFA to the primary user mailbox but exclude MFA when they are sending mail from the proxy address.
Unfortunately this did not work for me; Skype for Business still did not log in as I expected. It did break my Relying Trust Authentication Rule to the point where it can’t be managed using the AD FS management console. Also, by using the script above, all current AdditionalAuthenticationRules will be deleted.
Reverted back to default using: Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules ''
I still get “We can’t connect to the server to sign you in. Please ask your admin to check the issuance authorization rule in the active directory.” When I disable MFA on ADFS, everything works fine. Any ideas?
I tried the above command and it is working fine with the SfB client, whether on desktop or mobile devices.
I tried to sign in with a Polycom VVX 410 but couldn’t log in as expected because the client user agent is different. Can you help me and tell me how I can get the correct client user agent for it?
PS: I tried adding Polycom and OCPhone, but to no avail.
We can’t enable modern auth yet. We have ADFS with internal IP restrictions, but with claims to support mobile devices. The Skype for Business iOS client can connect to on-prem Lync OK, but the S4B client’s connection to 365 for EWS to support calendar sync stops. Can the claim rule be adjusted for this?
Can you give an example of how to exclude mail/Skype from Windows/Android/iOS phones, as the native phone apps don’t support 2FA from on-premises 2FA? (Reference: https://blog.kloud.com.au/2016/06/03/azure-multi-factor-authentication-mfa-cheat-sheet/) And with ADFS and an on-premises Microsoft Authenticator server, app passwords are not available….
We have users in Skype for Business Online (with modern auth enabled) and Office 365 MFA enabled. We have an ADFS server which handles the authentication process.
By entering that rule/code above in ADFS, will I exclude Skype clients from MFA?
Will this work on mobile clients (iOS, Android) as well?
Isn’t there a typo in the rule: “authenticationmetho”?
Thanks in advance
How does this change affect address book and calendar integration with Outlook?