We currently have ADFS enabled for Office 365 so we can have single sign on. We also want to utilize multifactor in front of office 365 so we have the Microsoft MFA server stood up and configured. There are two steps to get multifactor to work.
1.) Enable the user for multifactor on the ADFS server, from within the ADFS console
2.) Enable the user on the MFA server
The issue is, when we enable someone for multifactor from within ADFS (not from the MFA server), any MS application that does not support multifactor will break. Outlook, for instance, will break and not work unless we enable ADAL, which essentially puts multifactor in front of Outlook. ActiveSync does not support multifactor, so users' phones stop receiving email if we enable them for multifactor from within ADFS. You can see in the ADFS server logs the same error any time we enable a user for multifactor:
The Federation Service could not authorize token issuance for caller 'domain\365User1'. The caller is not authorized to request a token for the relying party 'urn:federation:MicrosoftOnline'. See event 501 with the same Instance ID for caller identity.
Additional Data
Instance ID: 51555bf3-b137-4e5d-8b60-ed1f0ee91770
Relying party: urn:federation:MicrosoftOnline
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity domain\365User1 for relying party trust urn:federation:MicrosoftOnline.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
User Action
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
We really only care about multifactor in front of the Office 365 web portal, which works great currently. We don't care about Outlook, ActiveSync or Lync, but they all break once we enable MF for users. Is there any way to set up an ADFS claims rule or other method of not enforcing multifactor for certain applications?
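One way to scope the MFA requirement to browser sign-ins only, as an added example that is not part of the original post: an AD FS additional authentication rule for the Office 365 relying party that keys on the endpoint the request arrived on. The relying party trust name and the group SID below are assumptions (placeholders), not values from the post.

```powershell
# Added example, not from the original post. Requires the ADFS PowerShell module
# on the AD FS server (AD FS 2012 R2 or later).

# Assumed name of the Office 365 relying party trust; check with Get-AdfsRelyingPartyTrust.
$rpName = "Microsoft Office 365 Identity Platform"

# Placeholder SID of the AD group whose members should get MFA; replace with the real one.
$mfaGroupSid = "S-1-5-21-0-0-0-0000"

# Claims rule language. Browser (passive) sign-ins reach AD FS on /adfs/ls/, while
# Outlook, ActiveSync and Lync use the active WS-Trust endpoints under
# /adfs/services/trust/, which this rule does not match. Requests from those
# clients therefore complete with password only, and no longer hit the MSIS5007
# authorization failure, while portal logins from group members still get MFA.
$mfaRule = @"
@RuleName = "Require MFA for browser sign-ins by MFA group members"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^$mfaGroupSid$"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "^/adfs/ls/"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Replace the per-relying-party additional authentication rules (this overwrites
# whatever the "Enable multifactor" UI generated for this trust).
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# Confirm the rule that is now in effect for the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Because the active endpoints are deliberately left out, clients such as ActiveSync and legacy Outlook are accepted with a single factor; checking the AD FS audit events for token issuance on /adfs/services/trust/ is how to see how much traffic still takes that path.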