Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
ADFS Claims Rules Help for MFA
Currently I'm working on building a lab however I noticed when im external and hit login.microsoftonline.com i get no MFA prompts for:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Notice True is Bolded
But when i change it to false:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Then it prompts me for MFA.
ALso i want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through then do not prompt for MFA
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Notice True is Bolded
But when i change it to false:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Then it prompts me for MFA.
ALso i want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through then do not prompt for MFA
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
so
Also is there a way to do the same thing but in a file?
I uploaded the file. so when i import the file can i
testclaims.txt
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms
-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] forces mfa to the passive end point?
Also is there a way to do the same thing but in a file?
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
&& c1:[Type ==
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value ==
"false"]
&& c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms
-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
=> issue(Type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
Value = "http://schemas.microsoft.com/claims/multipleauthn");
I uploaded the file. so when i import the file can i
testclaims.txt
Seems OK. But you're missing the 'labels', which might result in error when processing the rule. Try it like this:
For the second rule, you don't need a specific permit rule. Everything is allowed by default. And since EWS will hit a different endpoint, MFA will not be enforced. You should be fine even without that rule.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-13664088-3370380461-338043368-14102"] && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
For the second rule, you don't need a specific permit rule. Everything is allowed by default. And since EWS will hit a different endpoint, MFA will not be enforced. You should be fine even without that rule.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Also my other question is for security reason i would like to explicitly call out autodiscover, activesync to not require MFA
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",alue=="Microsoft.Exchange.Autodiscover"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Thank you Vasil, For education purposes will any other application come through without MFA? for all intents and purposes that would not be a good thing.
Only the ones that are not using the passive endpoint. As MFA (or any 2FA method for that matter) requires a user input via additional components, usually surfaced via a browser control, such apps will not be able to connect anyway. Now, if you have switched to using ADAL, things change a bit, but that's another story.
ADAL is still in preview and has issues with for example Lync. When and if you decide to switch to ADAL, you will have to rework your claims rules as all clients will use the Passive endpoint. Check for example here: http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
Try something like this:
Open in new window