How to Bypass MFA for Autodiscover and Activesync in Windows Server 2016 Using Access Control Policies

ADFS, Client Access, MFA, Office365

Had trouble finding any info on this besides using the version of ADFS that comes with 2012 R2 and configuring the exceptions through PowerShell. In ADFS on Windows Server 2016, you can now utilize Access Control Policies to configure rules around how users authenticate to ADFS. In our setup, we have a classic example: when clients are in the office, they should automatically log in using Windows Integrated Authentication (essentially, they are not prompted for credentials). When the users are not on the corporate network, they should be forced to utilize Multi-Factor Authentication (MFA for short).

Note there are some requirements for this setup.

  • You need to have ADFS deployed utilizing an ADFS proxy server to the internet (or some other proxy that can add the required headers to the internet-based requests; the insidecorporatenetwork claim the policy evaluates depends on those headers)
  • If you're using multi-factor authentication, it is assumed you are using Modern Authentication on your Outlook clients

If we open up ADFS MMC, navigate to Access Control Policies:



There are several pre-canned policies on the left, but we are going to create our own by clicking Add Access Control Policy in the upper right-hand corner.

Give the policy a meaningful name and description, and then build your policy as follows:




Note that it works similar to a firewall rule: the most restrictive rule is at the top. This means that if a user is a member of the AD group DualAuth (in this case) and is logging in from outside the corporate network, they will be forced to use multi-factor authentication, and rule processing for that user stops there. The Permit Users rule is required for ALL other users to be able to log in without issue from the Internet, and also to allow ALL users to log in using Windows Integrated Authentication from within the corporate network.

The initial problem with this policy is that not all applications have the ability to perform multi-factor authentication. The classic ones are Exchange ActiveSync and Exchange Autodiscover. So we need to exclude those from this processing.

If we select our initial rule block and click Edit, we can select, under the Except tab, the "with specific claims in the request" checkbox.



Next, click on the link in the word "specific". Select the Claims radio button. Under Claim Type, change this to read Client Application -> Contains -> Microsoft.Exchange.Autodiscover. Add another row and change the Claim Value to be Microsoft.Exchange.ActiveSync.



Hit OK, save your changes and you're good to go!
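As an added example (not code from the original post), the PowerShell below does two things the GUI walkthrough above leaves to the reader: it assigns the finished Access Control Policy to the Office 365 relying party trust and verifies the assignment, and it shows the 2012 R2 equivalent of the same rule (group membership, outside the corporate network, not ActiveSync/Autodiscover) written as an Additional Authentication Rule in claim rule language. The policy name, the DualAuth group SID and the relying party display name are assumptions; the SID is a placeholder you must replace.

```powershell
# Added example, not from the original post. Assumes the AD FS PowerShell module
# on the federation server, an Access Control Policy created in the GUI under the
# assumed name below, and the default display name of the Office 365 trust.
Import-Module ADFS

$PolicyName  = 'External MFA except Exchange'            # assumed: the name you gave the policy
$RpName      = 'Microsoft Office 365 Identity Platform'  # default O365 relying party display name
$DualAuthSid = 'S-1-5-21-PLACEHOLDER-1234'               # placeholder: SID of the DualAuth group

# Windows Server 2016: bind the GUI-built Access Control Policy to the relying party
# trust and confirm it took. Once a policy is assigned, the trust's older
# AdditionalAuthenticationRules are ignored, so the two functions are alternatives.
function Set-MfaAccessControlPolicy {
    $policy = Get-AdfsAccessControlPolicy -Name $PolicyName
    if (-not $policy) { throw "Access Control Policy '$PolicyName' was not found." }

    Set-AdfsRelyingPartyTrust -TargetName $RpName -AccessControlPolicyName $PolicyName

    # Verify: the trust should now report the policy name.
    $rp = Get-AdfsRelyingPartyTrust -Name $RpName
    if ($rp.AccessControlPolicyName -ne $PolicyName) {
        throw "Policy assignment did not take on '$RpName'."
    }
    "{0} -> {1}" -f $rp.Name, $rp.AccessControlPolicyName
}

# Windows Server 2012 R2 (no Access Control Policies): the same decision expressed as
# an Additional Authentication Rule. It issues the multipleauthn claim, which is what
# tells AD FS to require a second factor, only when all three conditions hold:
#   1. the user carries the DualAuth group SID,
#   2. the insidecorporatenetwork claim is not "true" (request came via the proxy),
#   3. the client application is not Exchange Autodiscover or ActiveSync.
function Set-MfaAdditionalAuthRule {
    $rule = @"
@RuleName = "Require MFA externally, except Exchange ActiveSync and Autodiscover"
EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$DualAuthSid"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "(?i)Microsoft.Exchange.(Autodiscover|ActiveSync)"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
    # Fails if an Access Control Policy is already assigned; clear it first with
    # Set-AdfsRelyingPartyTrust -TargetName $RpName -AccessControlPolicyName $null
    Set-AdfsRelyingPartyTrust -TargetName $RpName -AdditionalAuthenticationRules $rule
    (Get-AdfsRelyingPartyTrust -Name $RpName).AdditionalAuthenticationRules
}

# Run exactly one of the two, matching your AD FS version.
Set-MfaAccessControlPolicy
```

Keep in mind what the exception means: requests that present the Autodiscover or ActiveSync client-application claim from the Internet now authenticate with username and password only, so the x-ms-client-application claim in the AD FS audit events is the field to watch when reviewing external logins for those clients.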