Is it possible to create a claims rule to allow POP3 connections to bypass MFA? This is our main remaining issue with Duo in our testing. We have a few POP3 accounts used for our ticket systems.


According to this KB article the X-MS-Client-Application header for POP in Exchange Online is Microsoft.Exchange.Pop. You could use that in an additional authentication rule for your ADFS relying party to exclude that from MFA. Examples of that are found here.


Thanks for the reply. Would I add an additional authentication rule to the Office 365 relying party? I’m still not clear on how to create this rule. Would it be similar to the active sync rules for excluding MFA?


I tried adding this authentication rule.

NOT exists([Type == “”, Value == “Microsoft.Exchange.Pop”])
=> issue(Type = “”, Value = “http://schemas”);

I still can’t get POP accounts to bypass MFA. I also tried restarting ADFS.

Update: I think this is working now.


I’m not sure if I did something incorrect but I had to remove this rule because it actually was letting everything bypass MFA.


If you have net solved this yet, try out Microsoft.Exchange.PopImap.