If you have a service account that you want to exclude from 2FA in the Office 365 SAML integration, you can exclude it using Groups & Policy.
To do so you will need to create a policy dedicated to the Office 365 SAML app.
Steps to create a Policy
First, create two security groups. If you are already using Directory Sync you can use existing AD security groups instead. Then create the policy. Once the policy exists, apply it to the application.
Step 1 - Create Security Groups
If you are using existing AD Security Groups proceed to Step 2.
- Log into your Passly Tenant https://(your company).my.Passly.com
- Select Directory Manager.
- Select Groups.
- Select the blue plus sign in the bottom right corner.
- Set the Name of the Group. Example: Office 365 Users.
- Select Add Group.
- Select the Group by clicking its name.
- Add all Office 365 users to this Group by selecting the blue plus sign in the bottom right corner.
- Select Add Users.
- Select Directory Manager.
- Select Groups.
- Select the blue plus sign in the bottom right corner.
- Set the Name of the Group. Example: Office 365 Exclusion.
- Select Add Group.
- Select the Group by clicking its name.
- Add all Office 365 exclusion accounts (the service accounts) to this Group by selecting the blue plus sign in the bottom right corner.
- Select Add Users.
Once we have one group for inclusion and one for exclusion from 2FA, we can build a dedicated policy to apply in the SSO Manager for Office 365.
Step 2 - Create the Policy
- Log into your Passly Tenant https://(your company).my.passly.com
- Select Policy Manager.
- Select the blue plus sign in the bottom right corner.
- Set the Policy name. Example: Office 365 Policy.
- Select the Policy Element and choose the Office 365 Exclusion group.
- Set the Then action so that members of this group are not prompted for 2FA.
- Select Add Additional Rule.
- Select the Policy Element and choose the Office 365 Users group.
- Set the Then action so that members of this group are required to use 2FA.
- Set the Else action. This is what applies to anyone who is in neither group.
The policy reads as if / else-if / else, so the exclusion rule must stay above the users rule: an account that ends up in both groups matches the exclusion rule first and is not prompted for 2FA. Choose the Else action deliberately as well. If it permits sign-in without 2FA, any Office 365 user you forgot to add to the Office 365 Users group will also sign in without 2FA.
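The following PowerShell is an added example, not part of the original article or Passly's own tooling. It covers the Directory Sync path from Step 1 (creating and populating the two AD security groups) and then audits the group membership against the rule order built in Step 2. It assumes the RSAT ActiveDirectory module is installed, that Directory Sync replicates these groups to Passly, and that the Policy Manager evaluates rules top-down with the first match winning; the OU, account names and group names are placeholders.

```powershell
# Added example (not from the original article). Creates the two AD security
# groups from Step 1, populates them, and reports which accounts will reach
# Office 365 without 2FA under the Step 2 policy.
# Assumptions (not stated on the page): RSAT ActiveDirectory module present,
# Directory Sync replicating these groups to Passly, and first-match rule
# evaluation in the Policy Manager. OU, group and account names are placeholders.

Import-Module ActiveDirectory

$GroupOU        = 'OU=Groups,DC=example,DC=local'   # placeholder OU
$UsersGroup     = 'Office 365 Users'
$ExclusionGroup = 'Office 365 Exclusion'

# Placeholder accounts, constructed for illustration.
$O365Users       = @('alice', 'bob', 'carol')
$ServiceAccounts = @('svc-o365-backup', 'svc-o365-scanner')

# Create each group only if it does not already exist.
foreach ($name in @($UsersGroup, $ExclusionGroup)) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

Add-ADGroupMember -Identity $UsersGroup     -Members $O365Users
Add-ADGroupMember -Identity $ExclusionGroup -Members $ServiceAccounts

# Mirrors the policy built in Step 2: rule 1 (Exclusion group) is checked
# first, then rule 2 (Users group), otherwise the Else action applies.
function Get-EffectiveO365Policy {
    param([string[]]$SamAccountNames)

    $excluded = Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
                Select-Object -ExpandProperty SamAccountName
    $users    = Get-ADGroupMember -Identity $UsersGroup -Recursive |
                Select-Object -ExpandProperty SamAccountName

    foreach ($sam in $SamAccountNames) {
        $outcome = if ($excluded -contains $sam)   { 'No 2FA (rule 1: Exclusion group)' }
                   elseif ($users -contains $sam)  { '2FA required (rule 2: Users group)' }
                   else                            { 'Else action applies (in neither group)' }
        [pscustomobject]@{ Account = $sam; Outcome = $outcome }
    }
}

# Every member of the exclusion group should be a known service account,
# including members inherited through nested groups; flag anything else.
$unexpected = (Get-ADGroupMember -Identity $ExclusionGroup -Recursive).SamAccountName |
              Where-Object { $_ -notin $ServiceAccounts }
if ($unexpected) {
    Write-Warning "Unexpected members of '$ExclusionGroup': $($unexpected -join ', ')"
}

# 'dave' is a placeholder for a user in neither group, to show the Else branch.
Get-EffectiveO365Policy -SamAccountNames ($O365Users + $ServiceAccounts + 'dave') |
    Format-Table -AutoSize
```

Run the audit section again after any group membership change; an account that shows up as "No 2FA" but is not in your service account list is exactly the accidental exclusion the rule order makes silent.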
Step 3 - Changing the policy for the SSO application in the SSO Manager
- Log into your Passly Tenant https://(your company).my.Passly.com
- Select SSO Manager -> Application Library
- Select the Office 365 App.
- Select Application Configuration.
- Choose the new policy from the Authentication Policy drop-down.
- Select Save Changes.
At this point all users in the Office 365 Users group should be prompted for 2FA when accessing Office 365 via SSO or thick clients, while the service accounts in the Office 365 Exclusion group should not be.
Tip: You can also add elements to the second rule, such as a trusted device condition, so that 2FA is not required on thick clients at every login.