At a customer site we have ADFS 4.0 (Windows Server 2016) set up. The customer uses SMS Passcode for MFA, so they receive an SMS as an extra factor when logging into Office 365 applications and VMware Horizon View.
But Skype for Business does not support MFA. When you use MFA from Azure you can create Application Passwords, but when a 3rd-party MFA solution is connected to your ADFS server, this is not possible.
To make sure no MFA is required when logging on to Skype, we set up a new Access Control Policy in the ADFS Management Console:
The new access control policy needs to have the following statements:
1. Permit users from internet network and require multi-factor authentication, except with Client User Agent claim regex matches (?i)Lync|(?i)ACOMO|(?i)skype in the request
2. Permit users from internet network and with Client User Agent claim regex matches (?i)Lync|(?i)ACOMO|(?i)skype in the request
3. Permit users from intranet network
The first “Permit users” rule makes sure everyone coming from the internet is asked for MFA, except Skype clients.
The second “Permit users” rule makes sure that users who log in with a Skype client are able to log in without MFA.
The third “Permit users” rule makes sure that internal users can log in without using MFA.
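To check how the three statements combine for a given request, here is an added example (not from the original post or from ADFS itself) that models the policy in Python: it evaluates the insidecorporatenetwork and x-ms-client-user-agent claims against the same Skype/Lync regex and returns the outcome. It assumes the first statement whose condition holds and whose exception does not decides the result, that a request matching no statement is denied, and that the stray quotation mark in the post's pattern is a typo; the sample user agents are constructed.

```python
import re

# Request-context claim types ADFS uses for these conditions (real ADFS claim URIs).
INSIDE_CORPNET = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
CLIENT_UA = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"

# The .NET regex in the policy uses inline (?i) flags; Python's re expresses the
# same case-insensitive match with the IGNORECASE flag.
SKYPE_UA = re.compile(r"Lync|ACOMO|skype", re.IGNORECASE)


def is_intranet(claims):
    """ADFS sets insidecorporatenetwork to 'true' for requests arriving internally."""
    return claims.get(INSIDE_CORPNET, "false").lower() == "true"


def is_skype_client(claims):
    """Rule condition: the client user agent claim matches the Skype/Lync pattern."""
    return SKYPE_UA.search(claims.get(CLIENT_UA, "")) is not None


# Simplified model of the three policy statements: (condition, exception, require_mfa).
# Assumption: the first statement whose condition holds and whose exception does not
# decides the outcome; if none holds, access is denied.
RULES = [
    (lambda c: not is_intranet(c), is_skype_client, True),               # 1. internet, MFA, except Skype
    (lambda c: not is_intranet(c) and is_skype_client(c), None, False),  # 2. internet + Skype, no MFA
    (is_intranet, None, False),                                          # 3. intranet, no MFA
]


def evaluate(claims):
    """Return 'permit+mfa', 'permit' or 'deny' for a request's claims."""
    for condition, exception, require_mfa in RULES:
        if not condition(claims):
            continue
        if exception is not None and exception(claims):
            continue
        return "permit+mfa" if require_mfa else "permit"
    return "deny"


# Constructed sample requests (user agent strings are illustrative, not captured).
SAMPLES = {
    "extranet browser": {INSIDE_CORPNET: "false", CLIENT_UA: "Mozilla/5.0 (Windows NT 10.0)"},
    "extranet Skype desktop": {INSIDE_CORPNET: "false", CLIENT_UA: "UCCAPI/16.0 OC/16.0 (Skype for Business)"},
    "extranet mobile (ACOMO)": {INSIDE_CORPNET: "false", CLIENT_UA: "ACOMO/6.0 (iPhone)"},
    "intranet browser": {INSIDE_CORPNET: "true", CLIENT_UA: "Mozilla/5.0 (Windows NT 10.0)"},
}


def decisions():
    """Map each sample request to the policy's outcome."""
    return {name: evaluate(claims) for name, claims in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in decisions().items():
        print(f"{name:25s} -> {outcome}")
```

Because the user agent claim comes from the client-supplied User-Agent header, statement 2 exempts every extranet request that presents one of these substrings, so it is worth reviewing the ADFS sign-in logs for which user agents actually hit the exemption.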