Need help with ADFS 4 Access Control Policy and mobile apps

cbryan2
Level 1

I’m running ADFS 4 on Server 2016. Every time I enable MFA on the M$ O365 relying party trust using an access control policy, I get calls from users who can’t use the native iOS and Android mail clients. I know there are some custom rules that DUO makes available using PowerShell, but they still aren’t working properly for us. Can someone lend insight on how to properly craft an access control policy to permit everyone and require MFA unless coming from a native Android or iOS mail client (i.e. basic auth)?

4 Replies

PatrickKnight
Level 1

Hey @cbryan, are you referencing the PowerShell commands from here, https://help.duo.com/s/article/3174 , and the Example custom rule to globally disable 2FA on ActiveSync and Autodiscover endpoints while requiring 2FA for all other connection types?

Yes, but those appear to be more geared toward ADFS 3. With ADFS 4 and the ability to create access control policies, I’d prefer to go that route if possible.

PatrickKnight
Level 1

Those commands are suitable for ADFS 4 as well, and tend to allow more flexibility than the GUI constraints of the access control policies.

So, you do not recommend using the GUI to configure these rules, such as the rule to only require MFA for O365 browser based requests? I’m afraid if I run the PS command, a co-worker may come in and not see that a custom rule was applied because M$ does not display anything in the GUI to alert the user that a rule has been applied.
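As an added illustration (not code from either poster, nor from the Duo article linked above), this is how the custom-rule route PatrickKnight describes can be applied and then verified from PowerShell on an ADFS 4 server, which also answers the visibility concern: the rule text is readable with Get-AdfsRelyingPartyTrust even though the GUI does not flag it. The relying party display name is the default one for the O365 trust and is an assumption; adjust it to match your farm.

```powershell
# Added example, not from the thread. Assumes the default display name of the
# Office 365 relying party trust; check yours with Get-AdfsRelyingPartyTrust.
$rpName = "Microsoft Office 365 Identity Platform"

# On ADFS 2016, a trust that has an access control policy assigned cannot take
# custom rules until the policy is cleared. Clearing it makes the trust fall
# back to the issuance authorization / additional authentication rules below.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null

# "Permit everyone": the standard permit-all issuance authorization rule.
$permitAll = @'
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Require MFA for every request EXCEPT those that ADFS tags with the
# ActiveSync or Autodiscover client application claim, i.e. the endpoints the
# native iOS/Android mail clients reach with basic auth. Everything else
# (browser sign-in, rich clients) gets the multipleauthn requirement.
$mfaUnlessMailClient = @'
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
            Value =~ "^Microsoft.Exchange.(ActiveSync|Autodiscover)$"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $permitAll `
    -AdditionalAuthenticationRules $mfaUnlessMailClient

# Verification step a co-worker can run: the GUI shows nothing, but the applied
# rule text and the (now empty) policy name are visible here.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, AccessControlPolicyName
"--- AdditionalAuthenticationRules ---"
$rp.AdditionalAuthenticationRules
"--- IssuanceAuthorizationRules ---"
$rp.IssuanceAuthorizationRules
```

The exempted ActiveSync and Autodiscover requests authenticate with password only, so the verification output above is the thing to re-check whenever the trust is edited in the GUI, since re-assigning an access control policy there silently replaces these rules.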
