ActiveSync not working with O365 when using ADFS and 2FA

  • Question

  • Hi,

    We are using O365 for all our email and want to implement 2FA with ADFS. Currently, email access via Outlook, Webmail or on our mobile devices using the native mail app works fine.

    When I implement O365 with ADFS, I enable modern authentication on Exchange Online and then change O365 from managed to federated to our ADFS server.

    When I test accessing email via Webmail (outlook.office365.com), it redirects to our ADFS server and works fine. Accessing email via the Outlook client works fine as well; however, accessing email on our mobile devices using the native mail apps no longer works.

    I read that native mail apps will not function once 2FA is enabled unless an ADFS claim rule is in place to exclude mobile devices from 2FA.

    I have tried implementing the claim rule below under Issuance Transform Rules; however, I receive the following error in Event Viewer.

    CLAIM RULES

    'NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x­ms­client­appli cation", Value == "Microsoft.Exchange.ActiveSync"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x­ms­client­appli cation", Value == "Microsoft.Exchange.AutoDiscover"]) =>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod ", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    ERROR

    Additional Data 
    Instance ID: 51555bf3-b137-4e5d-8b60-ed1f0ee91770 
    Relying party: urn:federation:MicrosoftOnline 
    Exception details: 
    Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity domain\365User1 for relying party trust urn:federation:MicrosoftOnline.
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace) 
    User Action 
    Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.

    Has anyone experienced this problem and has a resolution to this?

    Thursday, June 8, 2017 2:17 AM

All replies

  • Since your question is regarding Exchange Online security configuration, moderators please help move it to the correct forum.

    Btw, try changing the latter part of your claim rule to the following and see if it helps:

    issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn"); 

    and it seems the first part of the claim rule has a few missing hyphens too:

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
    && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])

    • Edited by cheong00 Thursday, June 8, 2017 3:18 AM
    Thursday, June 8, 2017 3:03 AM
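    A worked example of the configuration both posts are circling around (the MFA-exemption rule with real hyphens in the claim type, applied from PowerShell), added here and not part of either post. It assumes an AD FS 2012 R2 or 2016 server with the ADFS module, an administrator session, and the Office 365 trust identifier urn:federation:MicrosoftOnline taken from the event above. Two points differ from the original post and are the editor's assumptions, not the poster's: the first step inspects the trust's issuance authorization rules, because MSIS5007 is raised by the caller-authorization stage (the event's own User Action text points there) and that stage runs before any transform rule; and the MFA rule is applied as the trust's Additional Authentication Rules, the rule set AD FS consults when deciding whether to demand a second factor, rather than as an issuance transform rule.

```powershell
# Added example, not code from the thread. Assumes an AD FS 2012 R2/2016 server
# with the ADFS PowerShell module, run in an AD FS administrator session, and a
# federated Office 365 trust identified by urn:federation:MicrosoftOnline.
Import-Module ADFS

$rpId = 'urn:federation:MicrosoftOnline'

# MFA trigger rule: demand multipleauthn for every request except those from
# Exchange ActiveSync and Autodiscover (the native mobile mail app path).
# The hyphens in x-ms-client-application are real hyphens and the
# authenticationmethod claim type has no trailing space; both were wrong in
# the rule pasted in the question.
$mfaRule = @'
@RuleName = "Require MFA except for ActiveSync and Autodiscover"
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# 1. Check the authorization stage first. MSIS5007 is a caller-authorization
#    failure; that decision is made by the issuance authorization rules, which
#    AD FS evaluates before any transform rule. A trust with no permit rule
#    (or with a deny rule that matches the user) fails here regardless of MFA.
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpId
Write-Output "Issuance authorization rules for ${rpId}:"
Write-Output $rp.IssuanceAuthorizationRules
if ($rp.IssuanceAuthorizationRules -notmatch 'permit') {
    # -notmatch is case-insensitive, so this catches the standard
    # authorization/claims/permit issuance as well as a Permit All rule.
    Write-Warning 'No permit rule found on the trust; token requests will fail with MSIS5007 before the MFA rule is reached.'
}

# 2. Apply the MFA trigger where AD FS evaluates it: AdditionalAuthenticationRules.
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpId -AdditionalAuthenticationRules $mfaRule

# 3. Read the rule set back to confirm what AD FS stored.
(Get-AdfsRelyingPartyTrust -Identifier $rpId).AdditionalAuthenticationRules
```

    One caveat before shipping this rule: exempting ActiveSync and Autodiscover from MFA means a leaked password alone is enough to sync a mailbox over ActiveSync, which is exactly the path the second factor was meant to close. If the exemption is kept, pair it with Exchange ActiveSync device access rules or an equivalent device-level control, and treat it as a bridge until mobile clients that support modern authentication can be used instead.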