09-26-2017 12:00 PM
Is it possible to create a claims rule to allow POP3 connections to bypass MFA? This is our main remaining issue with Duo in our testing. We have a few POP3 accounts used for our ticket systems.
09-27-2017 03:48 PM
According to this KB article the X-MS-Client-Application header for POP in Exchange Online is Microsoft.Exchange.Pop. You could use that in an additional authentication rule for your ADFS relying party to exclude that from MFA. Examples of that are found here.
09-28-2017 09:19 AM
Thanks for the reply. Would I add an additional authentication rule to the Office 365 relying party? I’m still not clear on how to create this rule. Would it be similar to the ActiveSync rules for excluding MFA?
09-28-2017 12:04 PM
I tried adding this authentication rule.
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Pop"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticatonmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
I still can’t get POP accounts to bypass MFA. I also tried restarting ADFS.
Update: I think this is working now.
09-29-2017 08:11 AM
I’m not sure if I did something incorrect but I had to remove this rule because it actually was letting everything bypass MFA.
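A check for rules like the one posted above, as an added example that is not part of the thread: AD FS requests additional authentication only when a rule issues the `authenticationmethod` claim type with the `multipleauthn` value, and the rule as posted spells the type `authenticatonmethod`. The function `lint_rule` and the samples `POSTED` and `FIXED` are hypothetical names constructed for this example.

```python
import re

# Claim an additional authentication rule must issue for AD FS to request MFA.
MFA_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
CLIENT_APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"

ISSUE_RE = re.compile(
    r'issue\s*\(\s*Type\s*=\s*"([^"]*)"\s*,\s*Value\s*=\s*"([^"]*)"\s*\)')

def lint_rule(rule_text):
    """Return findings for one additional authentication rule (empty list = clean)."""
    findings = []
    if re.search("[\u201c\u201d\u2018\u2019]", rule_text):
        findings.append("typographic quotes: retype them as straight quotes")
    # Normalise quotes and rejoin wrapped lines so the issue statement can still be checked.
    text = re.sub("[\u201c\u201d]", '"', rule_text)
    text = re.sub(r"\s*\n\s*", "", text)
    issued = ISSUE_RE.findall(text)
    if not issued:
        findings.append("no issue(Type = ..., Value = ...) statement found")
    for claim_type, claim_value in issued:
        if claim_type != MFA_TYPE:
            findings.append("issued type does not request MFA: " + claim_type)
        elif claim_value != MFA_VALUE:
            findings.append("issued value does not request MFA: " + claim_value)
    return findings

# Constructed samples: the rule shape from the thread, with the type as posted and corrected.
RULE = ('NOT exists([Type == "%s", Value == "Microsoft.Exchange.Pop"])\n'
        '=> issue(Type = "%s", Value = "%s");')
POSTED = RULE % (CLIENT_APP, MFA_TYPE.replace("authentication", "authenticaton"), MFA_VALUE)
FIXED = RULE % (CLIENT_APP, MFA_TYPE, MFA_VALUE)

if __name__ == "__main__":
    for name, rule in (("POSTED", POSTED), ("FIXED", FIXED)):
        print(name, lint_rule(rule) or "ok")
```

Running the linter before a rule set replaces the existing one catches the case where the only MFA-requesting rule on the relying party has been swapped for one that never issues the MFA claim.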
10-11-2017 03:59 PM
If you have not solved this yet, try out Microsoft.Exchange.PopImap.
https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx