What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is quickly becoming a widely adopted option for stronger identity management and security. MFA is a method of authentication that requires more than one verification method, adding a critical second layer of protection to user sign-ins and transactions. It works by requiring any two or more of the following factors:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
Microsoft has incorporated this protection into several services, such as Office 365, Skype for Business and SharePoint Online, to help enterprises secure their corporate data. At present, Microsoft offers two versions of MFA: a cloud-based MFA service (either the version included with Office 365 or Azure MFA, available through Azure AD and the Enterprise Mobility Suite), and an on-premises MFA Server.
MFA is Great – When it’s Available
More and more applications support MFA as an authentication mechanism. Microsoft Office 2016 supports modern authentication (the ADAL-based sign-in flow that can prompt for a second factor) out of the box, but Office 2013 requires a client registry key to be deployed to each workstation before the feature is enabled. Older Office clients do not support modern authentication at all.
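As an added example, not code from the original post, the following PowerShell sets the registry values that switch Office 2013 to modern authentication for the current user. The EnableADAL and Version values under the Office 15.0 Common\Identity key are the ones Microsoft documents for Office 2013 (the client also needs the Office 2013 updates that introduced ADAL support); the function names are my own.

```powershell
# Added example: enable modern authentication (ADAL) for Office 2013 for the
# current user. Office 2013 is version 15.0 in the registry.
$identityKey = "HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity"

function Enable-Office2013ModernAuth {
    # Create the key if this profile has never started Office.
    if (-not (Test-Path $identityKey)) {
        New-Item -Path $identityKey -Force | Out-Null
    }
    # Both DWORD values must be 1; -Force overwrites an existing value.
    New-ItemProperty -Path $identityKey -Name "EnableADAL" -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $identityKey -Name "Version"    -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-Office2013ModernAuth {
    # Returns $true only when both values are present and set to 1,
    # which is the state Office 2013 checks at start-up.
    if (-not (Test-Path $identityKey)) { return $false }
    $props = Get-ItemProperty -Path $identityKey
    return (($props.EnableADAL -eq 1) -and ($props.Version -eq 1))
}

Enable-Office2013ModernAuth
if (Test-Office2013ModernAuth) {
    Write-Host "Office 2013 modern authentication is enabled for this user."
} else {
    Write-Warning "Registry values were not applied as expected."
}
```

Because the values live under HKCU, a fleet deployment normally goes out as a Group Policy Preference registry item applied per user rather than as a script run once per machine; the Test- function is the check to run afterwards before assuming a workstation will prompt for MFA.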
For applications that don't yet (or won't) support MFA, Microsoft's cloud-based MFA solutions allow the use of "app passwords", which the end user generates in the MFA portal. The app password is then entered into the non-MFA-capable application in lieu of the user's normal password. Sign-ins with an app password satisfy the MFA requirement without a second-factor prompt, so the application gains access.
App passwords are randomly generated and are not chosen by the user, but they can be cumbersome to manage. They cannot be reset; they can only be deleted and recreated. They are also long, which leads to them being typed incorrectly wherever copy and paste is not available. And they are self-service, which relies on the user knowing how to generate and use them. Keep in mind that an app password grants the same access as the user's password with no second factor behind it, so it deserves the same protection as a password.
Although app passwords are the supported way to let a non-MFA client through, many enterprise IT administrators view them as a hassle for their user community.
Not Even an Option
App passwords are available only with the cloud-based MFA solutions (Office 365 MFA and Azure MFA). The on-premises MFA Server does not provide this functionality.
AD FS to the Rescue!
Many enterprises, especially those that have extended their datacenter into the cloud, have already implemented Active Directory Federation Services (AD FS) in their environment. For those that have AD FS, it provides a way to exempt applications that do not support MFA without resorting to app passwords. An additional authentication rule on the appropriate Relying Party Trust tells AD FS when to demand a second factor; requests that do not match the rule's conditions authenticate against Active Directory with a password only and skip MFA.
The following PowerShell applies such a rule to the Office 365 relying party trust. It requires MFA for requests arriving from the extranet (the x-ms-proxy claim is present) unless the client application identified by Exchange Online is Autodiscover or ActiveSync, which therefore authenticate with a password alone:
# Look up the Office 365 relying party trust by its display name.
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
# Additional authentication rule: require MFA (multipleauthn) for extranet
# requests, except those from Exchange Autodiscover and ActiveSync.
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
NOTE: The preceding example bypasses MFA for the Exchange Online Autodiscover and ActiveSync services only, and because the rule keys on the x-ms-proxy claim it enforces MFA only for extranet requests; intranet sign-ins are not prompted. The exempted paths then accept a username and password alone, which is exactly what password-spraying attacks target, so record the exception deliberately and revisit it as clients gain modern authentication support. Consult your specific application provider to determine whether a claims rule can exempt it from MFA.
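As an added example, not the post's own code, the following PowerShell applies the same additional authentication rule with two practitioner safeguards the one-liner lacks: it saves the rule currently on the trust so the change can be reverted, and it reads the rule back after the change to confirm both exemptions are present. It assumes the ADFS module on an AD FS 2012 R2 or later server and an AD FS administrator session; the backup path and the @RuleName text are arbitrary choices of mine.

```powershell
# Added example: apply the extranet-MFA rule with a backup and a read-back check.
# Assumes the ADFS module (AD FS 2012 R2 or later) and AD FS administrator rights.
Import-Module ADFS

$rpName     = "Microsoft Office 365 Identity Platform"
$backupPath = "C:\ADFS-Backups\O365-AdditionalAuthRules.txt"   # arbitrary location

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

# Keep whatever rule is on the trust today so the change can be rolled back
# with: Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules (Get-Content $backupPath -Raw)
New-Item -ItemType Directory -Path (Split-Path $backupPath) -Force | Out-Null
$rp.AdditionalAuthenticationRules | Out-File -FilePath $backupPath -Encoding UTF8

# Require MFA (multipleauthn) when the request came through the proxy (extranet),
# unless Exchange Online identifies the client as Autodiscover or ActiveSync.
$rule = @'
@RuleName = "Require MFA from the extranet except Exchange Autodiscover and ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

# Read the rule back from AD FS and confirm each exemption survived the change.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
foreach ($client in "Microsoft.Exchange.Autodiscover", "Microsoft.Exchange.ActiveSync") {
    if ($applied -match [regex]::Escape($client)) {
        Write-Host "Exemption for $client is in place."
    } else {
        Write-Warning "Exemption for $client is missing from the applied rule."
    }
}
```

The read-back matters because Set-AdfsRelyingPartyTrust replaces the whole AdditionalAuthenticationRules text rather than appending to it; if the trust already carried other additional authentication rules, they must be merged into $rule before it is applied, and the backup file is where to find them.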