Channel: Claims based access platform (CBA), code-named Geneva forum

Claims Rule to Enforce MFA for O365 portal for external users only


We have ADFS 2012 set up. We have an ADFS web proxy set up in the DMZ and of course our internal ADFS server. We have an external ADFS DNS entry (adfs.domain.com) that points to the web proxy and an internal DNS entry (adfs.domain.com) that points to the internal ADFS server. We realize that all traffic coming into the web proxy will be tagged as external traffic.

We have a claims rule that says all web-based traffic that is external, enforce multifactor. We want users who are external to get a multifactor prompt when going to the Office 365 portal.

Our issue is, we don't want to enforce multifactor authentication for users who go to the portal when they are on the corporate network. Even with the claims rule set up that says only enforce multifactor for external users, users on the corporate network are still getting prompted for multifactor authentication.

I'm assuming that when a user goes to the portal, once ADFS is initiated, it will always look like it's coming from external, correct? Even though we have an internal DNS entry, so technically if a user goes to adfs.domain.com from a browser on a machine on our internal network they would be hitting the internal ADFS server and not the web proxy.

Does that not work the same once ADFS is initiated from the Office 365 portal?


Rich


