Exchange Hybrid and Duo for ADFS

Hi,

we’re using Cisco Duo within our ADFS farm (Windows 2019). We’re federating with O365 and requiring MFA for external access. As long as a user mailbox is located on on-prem Exchange there’s no problem. If the user has a cloud mailbox, Outlook keeps asking for the password on profile/account generation. I’ve read through this article here: Knowledge Base | Duo Security, but even if I configure the mentioned additional authentication rule "Example custom rule to globally disable 2FA on ActiveSync and Autodiscover endpoints while requiring 2FA for all other connection types" it won’t work. As soon as I disable MFA for external access the Outlook profile generation works as expected. Using Outlook 2013 or Outlook 2016 doesn’t make a difference.
Anyone here who has solved this?

Regards

I’ve had this problem, too. I had to use this fix: Knowledge Base | Duo Security

Let us know if that resolves your issue. Good luck!


Thanks, John, for sharing that answer here! @Deckard99 - please let us know if there is anything else we can help with. We appreciate you sharing your question in the community!

Hi John, Hi Amy,

unfortunately that did not help. Can anyone tell whether the O365 tenant needs to have modern authentication activated for that to work?

Regards

Hi,

after taking some time to evaluate my environment regarding O365, Duo and ADFS, I think I found the culprit.

I had modified the Access Control Policy on the O365 Relying Party Trust, which effectively prohibited the use of additional authentication rules. After cleaning up my mess, I was able to find a functional way to achieve the desired goal.

I used the following AAR (quotes are plain ASCII double quotes; the claim-rule parser does not accept typographic quotes):

exists([Type == "http://schemas.microsoft.com/ws/2012/01/in■■■■■■■■■■■■■■■■■■■■", Value == "false"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Taken from https://www.michev.info/Blog/Post/1393/ad-fs-and-mfa-configuring-multiple-additional-authentication-rules

Actually that is nearly identical to

https://help.duo.com/s/article/3174?language=en_US

Probably in this duo help article the “correct wording” should be additional authentication rules instead of advanced authentication rules.

If somebody tries to use the solution please consider the HTML formatting, which will not help with ADFS PowerShell. :wink:
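The two pitfalls from this thread (an assigned Access Control Policy overriding additional authentication rules, and typographic quotes copied from a web page breaking the claim-rule parser) can both be checked for before the rule is applied. The following PowerShell is an added example, not code from the thread or from Duo; it assumes the rule text has been saved to C:\adfs\o365-aar.txt (hypothetical path), that the trust carries the default display name "Microsoft Office 365 Identity Platform", and that passing $null to -AccessControlPolicyName unassigns the policy.

```powershell
# Added example: apply an additional authentication rule (AAR) to the Office 365
# relying party trust on an AD FS 2016/2019 farm, guarding against the two problems
# described in the thread. Run in an elevated PowerShell on an AD FS server.
$trustName = 'Microsoft Office 365 Identity Platform'   # assumed default name
$rulePath  = 'C:\adfs\o365-aar.txt'                      # hypothetical path

# 1. Load the rule and normalise quotes copied from HTML:
#    U+201C/U+201D become ASCII ", U+2018/U+2019 become ASCII '.
$rule = Get-Content -Path $rulePath -Raw
$rule = $rule -replace '[\u201C\u201D]', '"' -replace '[\u2018\u2019]', "'"
if ($rule -match '[^\x00-\x7F]') {
    throw "Rule still contains non-ASCII characters; check the pasted text."
}

# 2. An Access Control Policy assigned to the trust takes precedence over
#    AdditionalAuthenticationRules, so it has to be unassigned first
#    (assumption: $null unassigns it).
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if ($trust.AccessControlPolicyName) {
    Write-Host "Unassigning ACP '$($trust.AccessControlPolicyName)' from '$trustName'"
    Set-AdfsRelyingPartyTrust -TargetName $trustName -AccessControlPolicyName $null
}

# 3. Apply the AAR, then read back both rule sets to confirm the trust still has
#    issuance authorization rules (i.e. access was not accidentally left wide open
#    or fully blocked when the ACP was removed) and that the AAR is in place.
Set-AdfsRelyingPartyTrust -TargetName $trustName -AdditionalAuthenticationRules $rule
$check = Get-AdfsRelyingPartyTrust -Name $trustName
"--- IssuanceAuthorizationRules ---"
$check.IssuanceAuthorizationRules
"--- AdditionalAuthenticationRules ---"
$check.AdditionalAuthenticationRules
```

After applying, test an external Outlook profile creation against a cloud mailbox and an interactive browser sign-in: the first should complete without a Duo prompt (Autodiscover/ActiveSync excluded), the second should still be prompted.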