Thursday 30 November 2017

Configuring ADFS to bypass Azure Multi-factor Authentication from inside the Intranet

Multi-factor Authentication is becoming commonplace for enterprise applications, especially those running in the cloud. Office 365 is no exception: out of the box, even the most basic Office 365 SKUs provide some level of MFA. Although MFA greatly improves the security posture of an Office 365 tenant, it inevitably adds friction for users.

A common requirement for enterprise organisations deploying MFA with Office 365 is the ability to bypass MFA when a user connects from a domain-joined device on the corporate Intranet.

It is possible to achieve this using the full Azure Multi-Factor Authentication product from Azure AD; the feature is called Trusted IPs. As you will see from the table below, the entry-level MFA for Office 365 does not support Trusted IPs. The full Azure Multi-Factor Authentication product is part of EMS E3/E5 and is bundled with Azure AD Premium P1/P2.

If you are using cloud-managed identities (i.e. not using ADFS) and have Azure Multi-Factor Authentication, you can enable this straight out of the box. However, many enterprise organisations have ADFS in the mix to provide SSO to users. If you have federated identities (i.e. using ADFS), enabling Trusted IPs from the portal alone does not bypass the MFA prompt: users will still be asked for their second factor, or "something they have". ADFS must also be configured to emit the multipleauthn claim when a user performs two-step verification, so that Azure AD can tell that the second factor was already satisfied at ADFS.

The following Microsoft guide explains how to configure the changes required on the Office 365 Relying Party Trust.

Once completed, your Office 365 Relying Party Trust > Edit Claim Issuance Policy for Microsoft Office 365 Identity Platform should look similar to this.

Restart the Active Directory Federation Services service once you have made the changes.
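The same change can be scripted rather than clicked through in the ADFS management console. The PowerShell below is an added example and is not from the original post or the Microsoft guide; it appends two pass-through claim rules (the standard multipleauthn and insidecorporatenetwork claim types) to the Office 365 relying party trust and then restarts the ADFS service. It assumes the trust still carries its default name "Microsoft Office 365 Identity Platform" and that you run it in an elevated session on an ADFS server; the rule names are arbitrary labels chosen for this example.

```powershell
# Added example, not from the original post: append the two pass-through
# claim rules to the Office 365 relying party trust and restart AD FS.
# Assumptions: elevated PowerShell on an AD FS server; the trust has its
# default name (change $rpName if yours was renamed).

$rpName = "Microsoft Office 365 Identity Platform"

# Claim rules in the AD FS claim rule language. Rule names are arbitrary.
#  - authenticationmethod == multipleauthn: tells Azure AD the user already
#    completed two-step verification at AD FS.
#  - insidecorporatenetwork: AD FS sets this to true only when the request
#    reached the internal farm directly, not via the Web Application Proxy.
#    Azure AD reads it for "Skip multi-factor authentication for requests
#    from federated users on my intranet".
$newRules = @'
@RuleName = "Pass through multipleauthn"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value == "http://schemas.microsoft.com/claims/multipleauthn"]
 => issue(claim = c);

@RuleName = "Pass through insidecorporatenetwork"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
 => issue(claim = c);
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# -IssuanceTransformRules replaces the whole rule set, so the existing
# rules (UPN, ImmutableID, etc.) must be carried over, not overwritten.
$existing = $rp.IssuanceTransformRules
if ($existing -match 'claims/multipleauthn') {
    Write-Warning "A multipleauthn rule already exists on '$rpName'; review before applying."
}
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`r`n" + $newRules)

# Show the resulting rule set so the change can be eyeballed, then restart
# the AD FS service (service name adfssrv) as the guide requires.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Restart-Service adfssrv
```

Run it on one node of the farm; the configuration database is shared, but each farm member's adfssrv service should be restarted. Note that the insidecorporatenetwork claim is only true for requests that arrive at the internal ADFS endpoints, so users coming in through the Web Application Proxy will still be prompted regardless of the Trusted IPs setting.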

Browse to the Azure portal, then click Active Directory.

Click on the Azure Active Directory instance which is linked to your Office 365 tenant and click Configure.

Under the Multi-Factor Authentication subheading click Manage Service Settings.

Under Trusted IPs enable Skip multi-factor authentication for requests from federated users on my Intranet.

You should populate this field with all the public IPs your clients use for Internet access. Keep the list as tight as possible: Trusted IPs is evaluated on source address alone, so every request from behind those egress addresses, including non-domain-joined devices on the same NAT, will skip MFA. In my example, I've entered my testing server's address with a CIDR mask of /32, which locks it down to a single address.

Click Apply.