ADFS/Multifactor - Need an adfs expert

We currently have ADFS enabled for Office 365 so we can have single sign-on. We also want to utilize multifactor in front of Office 365, so we have the Microsoft MFA server stood up and configured. There are two steps to get multifactor to work.

1.)  Enable the user for multifactor on the ADFS server, from within the ADFS console

2.)  Enable the user on the MFA server

The issue is, when we enable someone for multifactor from within ADFS (not from the MFA server), any MS application that does not support multifactor will break. Outlook, for instance, will break and not work unless we enable ADAL, which essentially puts multifactor in front of Outlook. ActiveSync does not support multifactor, so users' phones stop receiving email if we enable them for multifactor from within ADFS. You can see in the ADFS server logs the same error any time we enable a user for multifactor:

The Federation Service could not authorize token issuance for caller 'domain\365User1'. The caller is not authorized to request a token for the relying party 'urn:federation:MicrosoftOnline'. See event 501 with the same Instance ID for caller identity. 

Additional Data 
Instance ID: 51555bf3-b137-4e5d-8b60-ed1f0ee91770 
Relying party: urn:federation:MicrosoftOnline 
Exception details: 
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity domain\365User1 for relying party trust urn:federation:MicrosoftOnline.
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace) 
User Action 
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.

We really only care about multifactor in front of the Office 365 web portal, which works great currently. We don't care about Outlook, ActiveSync or Lync, but they all break once we enable MF for users. Is there any way to set up an ADFS claims rule or other method of not enforcing multifactor for certain applications?

August 17th, 2015 7:54pm
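The question asks for a rule that enforces MFA only for the browser portal. The following is an added example, not from this thread or from Microsoft's documentation, of how such a requirement is expressed as an additional authentication rule on the Office 365 relying party trust in AD FS 2012 R2 rather than as a per-user flag. It assumes the relying party display name is "Microsoft Office 365 Identity Platform", that the session is an elevated PowerShell session on an AD FS server, and that the users have been taken out of the global per-user MFA policy (the global policy is evaluated for every relying party, so it would otherwise still trigger MFA for Outlook, ActiveSync and Lync).

```powershell
# Added example: require MFA only for passive (browser) sign-ins to the
# Office 365 relying party, leaving active endpoints used by Outlook
# (without ADAL), ActiveSync and Lync on single-factor authentication.
# Assumption: the relying party trust carries its default display name.
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'

# Request-context claim type that AD FS 2012 R2 populates with the endpoint
# the client hit; /adfs/ls/ is the passive browser endpoint.
$endpointPath = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
# Issuing this authentication-method claim is what tells AD FS to run the
# configured additional (MFA) provider for the request.
$authMethod = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$mfaValue   = 'http://schemas.microsoft.com/claims/multipleauthn'

# Only requests that arrived on the passive endpoint match; everything else
# (WS-Trust active endpoints used by rich clients) falls through untouched.
$rules = @"
@RuleName = "Require MFA for browser sign-in to Office 365"
c:[Type == "$endpointPath", Value =~ "^/adfs/ls/"]
 => issue(Type = "$authMethod", Value = "$mfaValue");
"@

# Record what is currently configured before changing it, then apply the rule.
Write-Host 'Current additional authentication rules:'
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules

Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rules

Write-Host 'New additional authentication rules:'
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

After applying the rule, confirm the behaviour from both sides: a browser sign-in to the portal should prompt for the second factor, while an ActiveSync device should keep syncing without the MSIS5007 authorization failure appearing in the AD FS admin log.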

Hi Rich,

Since Active Directory Federation Service is not an extension of the Active Directory schema, you would get more professional support from ADFS experts in the forum below:

Claims based access platform (CBA), code-named Geneva Forum

http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva

Thank you for your understanding and support.

Best Regards,

Amy

August 19th, 2015 3:22am
