Netflex Blog

Disable Multi Factor Authentication on ADFS for Skype

At a customer site we have ADFS 4.0 (Windows Server 2016) set up. The customer uses SMS passcode for MFA, so they get an SMS as an extra factor when logging in to Office 365 applications and VMware Horizon View.

But Skype for Business does not support MFA. When you use MFA from Azure you can create application passwords, but when you use a third-party MFA solution connected to your ADFS server, this is not possible.

To make sure no MFA is needed when logging on to Skype, we set up a new Access Control Policy in the ADFS Management Console.

The new access control policy needs to have the following statements:

Permit Users
  from internet network
  and require multi-factor authentication
except
  with Client User Agent claim regex matches (?i)Lync|"(?i)ACOMO|(?i)skype in the request

Permit Users
  from internet network
  and with Client User Agent claim regex matches (?i)Lync|"(?i)ACOMO|(?i)skype in the request

Permit Users
  from intranet network

The first “Permit Users” statement makes sure everyone is asked for MFA, except Skype users.

The second “Permit Users” statement makes sure that users who log in with a Skype client are able to log in.

The third “Permit Users” statement makes sure that internal users can log in without using MFA.
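
The three statements can be checked against sample sign-ins before the policy is assigned. The PowerShell below is an added example, not part of the original post or of ADFS itself; the helper `Test-SkypePolicy`, its simplified "any matching statement permits" evaluation and the sample User-Agent strings are assumptions constructed for illustration.

```powershell
# Pattern copied verbatim from the policy on this page. PowerShell uses the
# .NET regex engine, so the inline (?i) options behave as they do in ADFS.
# As printed, the '"' before (?i)ACOMO is a literal character in the pattern.
$SkypeUaPattern = '(?i)Lync|"(?i)ACOMO|(?i)skype'

function Test-SkypePolicy {
    # Hypothetical helper: models the three "Permit Users" statements.
    # Assumption: a sign-in is permitted if any statement matches, and MFA is
    # only demanded when the sole matching statement is the one requiring it.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Internet', 'Intranet')]
        [string]$Network,
        [string]$UserAgent = ''
    )
    $isSkypeUa = [regex]::IsMatch($UserAgent, $SkypeUaPattern)

    if ($Network -eq 'Intranet') {
        return 'Permit, no MFA (statement 3)'
    }
    if ($isSkypeUa) {
        return 'Permit, no MFA (statement 2)'
    }
    return 'Permit, MFA required (statement 1)'
}

# Constructed sample sign-ins; the User-Agent strings are illustrative only.
$samples = @(
    @{ Network = 'Internet'; UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' }
    @{ Network = 'Internet'; UserAgent = 'UCCAPI/16.0 OC/16.0 (Skype for Business)' }
    @{ Network = 'Internet'; UserAgent = 'Microsoft LYNC client' }
    @{ Network = 'Internet'; UserAgent = 'ACOMO/1.0' }
    @{ Network = 'Intranet'; UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' }
)

$samples | ForEach-Object {
    [pscustomobject]@{
        Network   = $_.Network
        UserAgent = $_.UserAgent
        Decision  = Test-SkypePolicy -Network $_.Network -UserAgent $_.UserAgent
    }
} | Format-Table -AutoSize
```

The pattern is unanchored and case-insensitive, so statement 2 applies to any internet sign-in whose Client User Agent claim contains one of these substrings anywhere in the value. With the pattern as printed, the constructed `ACOMO/1.0` sample falls through to statement 1, which is worth confirming against the regex actually entered in the ADFS console.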

 

 
