ntr2def

ADFS Claims Rules Help for MFA

Currently I'm working on building a lab; however, I noticed that when I'm external and hit login.microsoftonline.com I get no MFA prompts for:

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"]) && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "true"]) => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'

Notice that the value here is "true".

But when I change it to "false":

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"]) && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]) => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'

Then it prompts me for MFA.

Also, I want to be able to exclude users using ActiveSync: if an ActiveSync user comes through, do not prompt for MFA.
SOLUTION
Vasil Michev (MVP)
ntr2def

ASKER

So
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
forces MFA to the passive endpoint?


Also is there a way to do the same thing but in a file?
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");


I uploaded the file. So when I import the file, can I
testclaims.txt
Think you kinda pressed the Post button too fast, I don't see the ending of your post :)

ASKER

I updated it

ASKER

I've uploaded the txt file for your review
ASKER CERTIFIED SOLUTION

ASKER

So ActiveSync and Autodiscover will not require autodiscover, correct?
Yes, no MFA for those requests, as they will be hitting a different endpoint.

ASKER

Also, my other question: for security reasons, I would like to explicitly call out Autodiscover and ActiveSync as not requiring MFA.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");


As explained above, you DO NOT need this rule. Everything Exchange related will NOT require MFA.
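An added worked example, not code from the thread or from Vasil: a PowerShell script that writes the corrected rule to a file and applies it with Set-AdfsRelyingPartyTrust -AdditionalAuthenticationRulesFile (the file-based import the asker wanted), scoped to the passive endpoints as discussed above, then reads the rule back for review. It ends with a small local model of the rule's four conditions that shows why the "true" variant from the question can never fire for an external request and why an ActiveSync request on the active endpoint is not prompted. The relying party trust name, the WS-Trust endpoint path and the sample claim sets are assumptions, not values from the thread; the claim types, the endpoint regex and the group SID are the ones posted above.

```powershell
# Added example, not code from the thread. Claim types, the endpoint regex and the group SID
# are the ones posted above; everything marked "assumption" is a placeholder for your lab.
$groupSid   = 's-1-5-21-13664088-3370380461-338043368-14102'
$proxyType  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy'
$groupType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$insideType = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$pathType   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
$passiveRx  = '(/adfs/ls)|(/adfs/oauth2)'

# 1. The rule. x-ms-proxy is only present when the request came in through the Web
#    Application Proxy, and such requests carry insidecorporatenetwork == "false", so
#    demanding x-ms-proxy together with insidecorporatenetwork == "true" can never be
#    satisfied: the "true" variant in the question silently never fires. The endpoint
#    condition limits MFA to the passive endpoints, so WS-Trust clients such as
#    ActiveSync and Autodiscover are left alone without a dedicated exclusion rule.
$rule = @"
@RuleName = "MFA for group members outside the corporate network, passive endpoints only"
exists([Type == "$proxyType"])
 && exists([Type == "$groupType", Value == "$groupSid"])
 && exists([Type == "$insideType", Value == "false"])
 && exists([Type == "$pathType", Value =~ "$passiveRx"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# 2. Keep the rule in a file and apply it from there (the file-based import the asker wanted).
$rpName    = 'Microsoft Office 365 Identity Platform'   # assumption: your RP trust's display name
$rulesFile = Join-Path $env:TEMP 'mfa-additional-auth-rules.txt'
Set-Content -Path $rulesFile -Value $rule

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRulesFile $rulesFile

# 3. Read the applied rule back so the enforced text can be compared with the file.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules

# 4. A local model of the rule's four conditions (a simplification, not the AD FS engine;
#    note that PowerShell's -eq and -match are case-insensitive). Useful for reasoning about
#    which request shapes would be prompted before touching the farm.
function Test-MfaRuleLogic {
    param(
        [Parameter(Mandatory)] [hashtable] $Claims,   # claim type -> value; absent key = no claim
        [string] $RequiredInsideValue = 'false'      # what the rule demands for insidecorporatenetwork
    )
    $viaProxy = $Claims.ContainsKey($proxyType)
    $inGroup  = @($Claims[$groupType]) -contains $groupSid   # groupsid may be multi-valued
    $inside   = $Claims[$insideType] -eq $RequiredInsideValue
    $passive  = $Claims[$pathType] -match $passiveRx
    return [bool]($viaProxy -and $inGroup -and $inside -and $passive)
}

# Constructed sample requests from a group member coming in through the proxy.
$externalBrowser = @{
    $proxyType  = 'WAP01'                      # constructed proxy name; only presence matters
    $groupType  = $groupSid
    $insideType = 'false'
    $pathType   = '/adfs/ls/'
}
$externalActiveSync = @{
    $proxyType  = 'WAP01'
    $groupType  = $groupSid
    $insideType = 'false'
    $pathType   = '/adfs/services/trust/2005/usernamemixed'   # assumption: WS-Trust active endpoint
}

Test-MfaRuleLogic -Claims $externalBrowser -RequiredInsideValue 'true'   # the question's first rule
Test-MfaRuleLogic -Claims $externalBrowser                               # the "false" rule
Test-MfaRuleLogic -Claims $externalActiveSync                            # ActiveSync on the active endpoint
```

Only sections 1 to 3 touch the farm and need the ADFS module on a federation server; section 4 runs anywhere. The three calls at the end return False, True and False respectively: the external browser sign-in is never prompted under the "true" rule, is prompted under the "false" rule, and the ActiveSync request is not prompted because it does not reach a passive endpoint, which mirrors what the asker observed and what Vasil describes above.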

ASKER

Thank you, Vasil. For education purposes, will any other application come through without MFA? For all intents and purposes that would not be a good thing.
Only the ones that are not using the passive endpoint. As MFA (or any 2FA method, for that matter) requires user input via additional components, usually surfaced via a browser control, such apps will not be able to connect anyway. Now, if you have switched to using ADAL, things change a bit, but that's another story.

ASKER

So we are going to use ADAL. So then would my rules change again?
ADAL is still in preview and has issues with for example Lync. When and if you decide to switch to ADAL, you will have to rework your claims rules as all clients will use the Passive endpoint. Check for example here: http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx