VMware Workspace ONE Community
RonSochacki
Contributor

O365 MFA and ADFS

We are currently moving to O365 using ADFS with modern auth and Multi Factor. The Exchange team is trying to figure out how to create a claims based rule to exempt active sync traffic from having to use MFA since the native iOS client will just fail when prompted for MFA. I am told they need an IP range to create that claims based rule. So right now our only option is to use a SEG so we have a defined IP for that claims based rule. Has anyone else implemented O365/ADFS/MFA  WITHOUT using a SEG?

Accepted Solutions
BethC
Hot Shot

Currently, MFA is not supported (or certs) for O365. You have 2 options: ACC with PowerShell, or SEG with ADFS. I am about to switch from ACC with PowerShell to SEG with ADFS myself, and posted on the forums yesterday hoping to gain some insight into any challenges others may have faced with the implementation.

13 Replies
LukeDC
Expert

To use the native mail app with MFA on, users need to generate app passwords, which is a royal PIA.
RonSochacki
Contributor

Looks like we are unfortunately going to have to use SEGs. We are thinking 2 SEGs in each of our 2 datacenters, load balanced locally at the DC and at the edge. What I know for sure is we are not going to cluster the SEGs due to the issues with clustering.

We did go back to Microsoft about certs, to confirm they are not supported. Still waiting to hear back. I believe I read somewhere in these forums that certs are supported in O365 now. I'm not sure if that gets us around using a SEG though.
BrandonOKC
Enthusiast

Beth C.,
I am curious about your outcome when you switched to SEG with ADFS. We are SEG basic auth with on-prem Exchange, but migrating to O365 in the next month. MS has set up AD Connect, the new AD Connect tool, to sync on-prem AD with Azure AD in the cloud. MS is requiring that we enable MFA authentication, which will break mail access for all our native iOS users with how our SEG is configured to use Basic Auth.

Ron S.,
What did you end up doing with your SEG configuration to support native mail access for Office 365 iOS users?
RonSochacki
Contributor

For security purposes we use Multi-Factor Auth, and the mobile devices cannot handle that, so we had to use a SEG. In our ADFS claims rule we allow traffic from the SEG to pass through, since we now know all ActiveSync traffic will be coming from our SEG IPs.
BethC
Hot Shot

Sorry... That wasn't the complete story. Hadn't had my coffee yet so I wasn't awake.

No SEG, had to use ACC with PowerShell instead with CBA. We also decided to switch to WS1 with vIDM during the migration process because moving the BYOD to WS1 was going to be inevitable.
BrandonOKC
Enthusiast

Ron,
Are you using the AD Connect service, and is that service running on-prem or in the Azure cloud?

Beth,
How did you transition users off the SEG config to the new PowerShell MEM config? Did you assign the profile via a smart group tied to an AD group, or did you use some other method to remove the old SEG profile and install the new MEM profile?

I assume both of you are running in Hybrid, with CAS redirecting to the remote mailbox in the Azure cloud, and not running all Exchange services in the cloud?
RonSochacki
Contributor

Looks like iOS 11 can use modern auth now. Anyone have ideas on the best way to secure email with O365 now?
pmeuser
Contributor

Just have a look into this:
1. Activate CBA to Exchange Online (cert deployment through AirWatch)
2. Block ActiveSync without CBA at the ADFS level
Works like a charm, and users/security will love it.
pmeuser
Contributor

MFA in this config:
1. You need to know your device passcode
2. You need to have a managed cert deployed to the device
RCartwright
Contributor

We are looking to do something very similar, but have not been able to get it to work. We want to apply MFA to EAS, but have a claims-based rule to 'exempt' users coming from our SEG. Our rules are like: if from IP (range from SEGs), then allow Basic auth. When the rule gets applied, the user is prompted for a password over and over again and it's never accepted. It's like the SEG IPs are the IPs that are in the message headers of sent emails, but the authentication is coming from the device IP, which sends it to ADFS.
Our use case is to allow all AirWatch-enrolled iOS devices to continue to use the native mail app and not be challenged with MFA, but the same user on a personal device would be required to use the Outlook app or a similar app that supports MFA. Any advice on proper claims rules?
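The claims rules Ron describes and Randy is asking for, as an added example that is not from any post in this thread. It uses the request-context claims Exchange Online forwards to ADFS (x-ms-client-application, which is "Microsoft.Exchange.ActiveSync" for EAS, and x-ms-forwarded-client-ip, which carries the address that connected to Exchange Online, so the SEG's egress address when the SEG is proxying EAS) and the multipleauthn claim, which is what tells ADFS to demand a second factor. The SEG egress range 203.0.113.10-19 is a placeholder, and the relying party trust name is assumed to be the default "Microsoft Office 365 Identity Platform"; both need to be replaced with your own values.

```powershell
# Added example, not from this thread: two ADFS additional-authentication rules that
# require MFA for everything except Exchange ActiveSync arriving through the SEG.
# Assumptions: SEG egress addresses 203.0.113.10-203.0.113.19 (placeholder range) and
# an Office 365 relying party trust named "Microsoft Office 365 Identity Platform".

$rpName     = 'Microsoft Office 365 Identity Platform'   # assumed RP trust name
$segIpRegex = '^203\.0\.113\.1[0-9]$'                    # placeholder; anchored so unexpected values fail closed

# Claim rule language has no OR between conditions, so the exemption is expressed
# as two rules: (1) anything that is not ActiveSync gets MFA, (2) ActiveSync that
# did not arrive via a SEG address gets MFA. Only ActiveSync via the SEG passes.
$rules = @"
@RuleName = "MFA for all non-ActiveSync requests"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
            Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/claims/multipleauthn", Value = "true");

@RuleName = "MFA for ActiveSync that did not come through the SEG"
EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
        Value == "Microsoft.Exchange.ActiveSync"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
                Value =~ "$segIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/claims/multipleauthn", Value = "true");
"@

# Record the rules currently in place before replacing them, so they can be restored.
$current = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
$current | Out-File -FilePath ".\o365-additional-auth-rules.backup.txt"

# Apply the new additional-authentication rules to the Office 365 trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rules

# Show what is now configured, for verification.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Run this in an elevated PowerShell session on an ADFS server with the ADFS module loaded. The regex is anchored on purpose: if x-ms-forwarded-client-ip is missing or carries something other than a single SEG address, the second rule still fires and the request is pushed to MFA rather than silently exempted. Verify with one enrolled device syncing through the SEG (should get no MFA prompt) and one client hitting Exchange Online directly (should be challenged), and check the ADFS admin event log for the claims seen on each request before trusting the range.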
bethereornot1
Contributor

Randy? Are you using SEG V2? Were you able to use MFA?