cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2182
Views
0
Helpful
5
Replies

ADFS MFA Duo POP3

akertis227
Level 1
Level 1

Is it possible to create a claims rule to allow POP3 connections to bypass MFA? This is our main remaining issue with Duo in our testing. We have a few POP3 accounts used for our ticket systems.

5 Replies 5

DuoKristina
Cisco Employee
Cisco Employee

According to this KB article the X-MS-Client-Application header for POP in Exchange Online is Microsoft.Exchange.Pop. You could use that in an additional authentication rule for your ADFS relying party to exclude that from MFA. Examples of that are found here.

Duo, not DUO.

Thanks for the reply. Would I add an additional authentication rule to the Office 365 relying party? I’m still not clear on how to create this rule. Would it be similar to the active sync rules for excluding MFA?

I tried adding this authentication rule.

NOT exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application”, Value == “Microsoft.Exchange.Pop”])
=> issue(Type = “http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticatonmethod”, Value = “http://schemas
.microsoft.com/claims/multipleauthn”);

I still can’t get POP accounts to bypass MFA. I also tried restarting ADFS.

Update: I think this is working now.

akertis227
Level 1
Level 1

I’m not sure if I did something incorrect but I had to remove this rule because it actually was letting everything bypass MFA.

Kelly_O_Keefe
Level 1
Level 1

If you have net solved this yet, try out Microsoft.Exchange.PopImap.

https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links