Continuing down the road of implementing ADFS Multi-factor Authentication (MFA) using PKI, I have come across a few issues and a major show stopper when implementing this for Office 365 services. I wanted to share my experience so that you can avoid the same pain I have been through.
To clarify, I have been using ADFS 3.0 with certificate-based MFA, not Azure MFA.
You can read my other blog post about how to set this up here: https://blog.valeconsulting.co.uk/2015/05/12/multi-factor-authentication-mfa-using-adfs-3-0-and-certificates/
However, be careful. While this works for passive authentication applications such as Outlook Web Access, browser access and Outlook Anywhere, you will find issues with applications that use active authentication. These applications are the Lync mobile app and ActiveSync. These apps and services are not passive authentication capable in the context of Office 365.
To understand what passive and active authentication are, here is a brief explanation:
Passive Authentication is where the application redirects the user from the application login page to the ADFS web page to perform authentication. Once you have authenticated with ADFS you are redirected back from ADFS to the application you want to use.
Active Authentication is where you enter your login credentials directly in the application, and the application then requests authentication from your ADFS servers on your behalf using the credentials you entered in the app login page. This way the ADFS login is transparent to the user, but ADFS never gets an interactive session with the user in which it could ask for a second factor.
It is the active authentication process that is the issue when trying to use ADFS MFA.
So why is this a show stopper for Office 365? The problem arises when you try to use mobile devices to access Office 365 content. You are able to use the browser to access the majority of Office 365 services, but some require applications installed on the device, specifically ActiveSync and Lync Mobile.
It is not possible to use certificate-based MFA with ActiveSync. You can get around this by modifying the ADFS authentication rule so that it bypasses MFA if ActiveSync is present in the claim. I am not going to disclose the code for this because I believe this whole solution is flawed and not fit for enterprise purposes.
The main issue is the Lync app. This performs active authentication by default. If you have Lync on premise then you can configure Lync to allow passive authentication, and MFA in this instance will work. However, if you are using Lync Online then it is not possible to configure the Online tenant to support passive authentication. Digging deeper, it is also not possible to achieve this with a hybrid setup. It also appears that you cannot write claim rules that single out Lync Online traffic, or at least I have not found a way yet.
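To make the passive/active distinction and the rule discussion above concrete, here is an added PowerShell example (not from the original post or from Microsoft) showing how to inspect the ADFS 3.0 authentication policy and how a standard "require MFA from outside the corporate network" additional authentication rule is applied to the Office 365 relying party. It assumes Windows Server 2012 R2 with the ADFS module loaded and a federated Office 365 domain; the relying party name is the default created when a domain is federated and is an assumption you should check against your own trust list.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012 R2
# (ADFS 3.0) with the ADFS PowerShell cmdlets available and a federated
# Office 365 domain. The relying party name below is the default created
# when a domain is federated; adjust it if your trust was renamed.
$rpName = "Microsoft Office 365 Identity Platform"

# 1. Show which authentication providers are currently enabled as primary
#    and additional (MFA) methods. Certificate MFA shows up as
#    "CertificateAuthentication" under AdditionalAuthenticationProvider.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider,
                  AdditionalAuthenticationProvider

# 2. Show the additional authentication rules in force, globally and on the
#    Office 365 relying party. An empty result means MFA is never triggered
#    at that scope.
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules

# 3. Require MFA for every request to the Office 365 relying party that does
#    not originate from the corporate network. Issuing the "multipleauthn"
#    authenticationmethod claim is what tells ADFS to invoke the additional
#    provider. This rule is evaluated for passive (browser redirect) and
#    active (credentials posted by the client to the WS-Trust endpoint)
#    requests alike; an active client such as ActiveSync or the Lync mobile
#    app has no interactive session in which to present the certificate,
#    so its sign-in fails instead of being prompted.
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# 4. Confirm the rule was stored on the relying party.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Run steps 1 and 2 first on an existing deployment: they tell you whether MFA is being triggered globally or per relying party, which is where the behaviour the post describes comes from. Scoping the rule to the Office 365 relying party rather than setting it globally keeps other relying parties unaffected while you test, and the `insidecorporatenetwork` claim is populated automatically by ADFS 2012 R2 for requests arriving through the Web Application Proxy.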
The same problem is present when trying to use the Outlook Web App from the app stores. It appears that this also uses active authentication.
So this post is more of a warning and food for thought than a solution. If you have a way around this I would be happy to hear your thoughts. But for now I am stumped, and I believe that if you want MFA for Office 365 then the answer here is to use Azure MFA!