Bypass MFA for Apple DEP+Intune enrollment at on-prem ADFS 2016

Denys Dmytrenko 1 Reputation point
2020-03-27T10:09:06.873+00:00

Hello there,

Looking for advice on how to best overcome the following limitation.
We're trying to enroll Mac devices with DEP enrollment and Intune. When binding the Mac to a user during install, it tries to log on and verify membership and licenses.
This is a known issue: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/17163317-mfa-doesn-t-work-with-apple-dep-with-intune (it's marked as release in progress since 2018 but it doesn't seem to have progressed ever since)
In our scenario we have a trust between Office365\Azure and our on-prem ADFS 2016 (Farm in 4.0 mode)
So all authentications are forwarded from Intune to on-prem ADFS, where we enforce MFA (DUO). Now, since DEP with Intune doesn't support MFA (still!), we need a way to bypass MFA but only for auth requests coming from DEP\Intune enrollment.
Before this task, we had the following Access Control Policy for Azure\Office365 trust

  • Permit all, except from a security group with our active real-users (Group X)
  • Permit users from Group X and require MFA

What I gathered from failed auth attempts from DEP is that it uses Endpoint "/adfs/services/trust/2005/usernamemixed", so I tried a few ways to bypass auth requests with this endpoint in claims, but it seems I can't build the right rule.

So I have two questions:

  • Is there any other way you suggest to overcome the outlined issue?
  • How can I modify the original ACP rule to:
      • Permit all, except from a security group with our active real-users (Group X)
      • Permit users from Group X and require MFA
      • Bypass MFA for users from Group X if they have a specific claim in request (Endpoint Path equals "/adfs/services/trust/2005/usernamemixed")

Any help is much appreciated.


1 answer

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-03-28T00:24:48.053+00:00

    Note that if you are using ADFS for your Azure AD integration only to be able to use DUO, you might be able to do without ADFS. You could use Azure AD Connect Seamless SSO and use the Azure AD/DUO integration.

    We can create such a rule. It would use the "legacy" way to do it and not the current Access Control Policies. But it would affect other clients. Enterprise Active Sync can use the same endpoint, and so can other legacy applications. So by white-listing this scenario you might allow others.
    Ideally we would do everything in Azure AD in Conditional Access Policies. That is the recommended way. Anything other than this is really a gadget workaround with security risks.

    That said, in order to minimize the exposure as much as we can, we can try to fine-tune the exclusion to a User Agent String, or other connection metadata. In order to do this, you will need to capture all the claims you get on one of these requests and share it here. In order to have all the claims of your request in the event logs, you will need to enable the verbose audit. You will find the info here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging.
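The answer's next step is to enable verbose auditing and capture every claim and piece of connection metadata an enrollment request produces, so that any exclusion is scoped to that metadata rather than to the shared endpoint. The following PowerShell is an added example, not code from the question, the answer, or Microsoft's documentation: it turns on the verbose audit level on an ADFS 2016 node, records the current policy on the Azure AD trust as a baseline, and then pulls the audit events for requests that hit the endpoint named in the question. The relying-party display name, the 24-hour look-back window, and the use of a GUID in each event's message to correlate the events of one request are assumptions; check the event IDs and message layout against your own farm's Security log before relying on the output.

```powershell
# Added example, not code from the question or the answer above. Carries out the
# answer's suggestion: enable ADFS verbose auditing, baseline the current policy on the
# Azure AD / Office 365 trust, and collect the claims and request metadata of the DEP
# enrollment requests so an exclusion can be scoped as narrowly as possible.
# Run in an elevated PowerShell session on an ADFS 2016 node as an ADFS administrator.

$RelyingParty = 'Microsoft Office 365 Identity Platform'   # assumed display name of the Azure AD trust
$Endpoint     = '/adfs/services/trust/2005/usernamemixed'  # endpoint seen in the failed DEP attempts
$Since        = (Get-Date).AddHours(-24)                     # look-back window (assumption)

# 1. Enable verbose auditing so every request writes its claims and HTTP metadata to the
#    Security log. The ADFS service account needs the "Generate security audits" right.
Set-AdfsProperties -AuditLevel Verbose
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# 2. Baseline the trust's current policy before anything is changed, so a later
#    exclusion can be diffed against it.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
$rp | Select-Object Name, AccessControlPolicyName, AccessControlPolicyParameters,
                    AdditionalAuthenticationRules | Format-List
if ($rp.AccessControlPolicyName) {
    Get-AdfsAccessControlPolicy -Name $rp.AccessControlPolicyName |
        Select-Object Name, PolicyMetadata | Format-List
}

# 3. Pull the verbose audit events. In the verbose stream, 403 is the HTTP request
#    (user agent), 410 the request-context headers (endpoint path, client application,
#    forwarded client IP) and 500/501 the claims evaluated for the request.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 403, 410, 500, 501
    StartTime    = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No verbose audit events found; reproduce an enrollment attempt and rerun from step 3.'
    return
}

# 4. Find the requests that hit the enrollment endpoint, then gather every event that
#    shares their correlation GUID (assumption: one GUID per request appears in each
#    event message) so user agent, headers and claims of one request print together.
$guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
$ids = $events |
    Where-Object { $_.Message -match [regex]::Escape($Endpoint) } |
    ForEach-Object { if ($_.Message -match $guidPattern) { $Matches[0] } } |
    Sort-Object -Unique

foreach ($id in $ids) {
    "==== request $id ===="
    $events |
        Where-Object { $_.Message -match $id } |
        Sort-Object TimeCreated, Id |
        ForEach-Object {
            "-- event $($_.Id) at $($_.TimeCreated)"
            # Keep only the lines a rule author cares about: endpoint, client, agent, claims.
            $_.Message -split "`r?`n" |
                Where-Object { $_ -match 'Endpoint|Application|Agent|Forwarded|Claim|http://schemas' } |
                ForEach-Object { "   $_" }
        }
}
```

Run steps 1 and 2 once, reproduce a DEP enrollment attempt, and then rerun steps 3 and 4; the grouped output is what the answer asks to see, and it shows directly which headers and claims (user agent, client application, endpoint path) distinguish the enrollment traffic from the other legacy clients that share the same endpoint. Verbose auditing writes several events per authentication, so return the audit level to Basic once the capture is done.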