ADFS Bypass MFA for Outlook Mobile Clients

Gary 1 Reputation point
2022-12-01T15:25:16.083+00:00

We have some users using a basic auth app for email using ActiveSync - they currently use ADFS to log on and there is no MFA for them as they don't support modern auth. All fine so far.

We want to migrate them to Outlook Mobile (Android mainly but some iOS) but we don't want them prompted for MFA (well, not yet anyway). MFA is enabled for most Office 365 services at the moment.

What can I add to my claim rule (or other areas in MFA) to allow Outlook Mobile users (but not other Outlook users) to bypass MFA?

We don't want the user to be bypassed, just the Outlook Mobile app, or if that's not possible, just the mobile phone.


4 answers

  1. ChristyZhang-MSFT 24,166 Reputation points Microsoft Vendor
    2022-12-02T05:14:03.523+00:00

    Hi @GaryKane-8672 ,

    Welcome to our forum!

    As far as I know, MFA can only be enabled or disabled for accounts, but not enabled for devices. I'm afraid that your requirement cannot be achieved. More information: Enable or disable modern authentication for Outlook in Exchange Online.



  2. Gary 1 Reputation point
    2022-12-06T11:27:10.35+00:00

    I don't think your answer is right; you can have claims rules bypass MFA for various application or device-based attributes.


  3. Michael Durkan 12,216 Reputation points MVP
    2022-12-06T11:35:58.97+00:00

    Hi @GaryKane-8672

    If you use Security Defaults in your tenant, all users will be prompted for MFA.

    However, if using Azure AD Premium P1/P2, you can use Conditional Access policies to bypass MFA for certain platforms, apps or devices if required.


    Hope this helps,

    Thanks

    Michael Durkan


  4. Gary 1 Reputation point
    2022-12-07T12:37:54.093+00:00

    This is for on-prem MFA via on-prem ADFS, not Azure-based, so I don't think that would work?

    Basically we want this: https://newsignature.com/articles/bypassing-multi-factor-authentication-using-ad-fs-claims-rule/

    But instead of ActiveSync it would be for whatever protocol Outlook Mobile uses (which I don't think is ActiveSync anymore).

    Thanks

