ntr2def asked:

ADFS Claims Rules Help for MFA

Currently I'm working on building a lab; however, I noticed that when I'm external and hit login.microsoftonline.com I get no MFA prompts for:

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"]) && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "true"]) => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'

Notice that the value "true" is bolded in the original post.

But when I change it to false:

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"]) && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]) => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'

Then it prompts me for MFA.

Also I want to be able to exclude users using ActiveSync, so if an ActiveSync user comes through, do not prompt for MFA.
Tags: Active Directory, Windows Server 2012, Azure, Microsoft 365, Cloud Computing

Last comment: Vasil Michev (MVP), 8/22/2022 (Mon)
SOLUTION (Vasil Michev (MVP)):

[Solution text is members-only and is not included on this page.]
ntr2def (ASKER):

So

c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]

forces MFA to the passive endpoint?


Also is there a way to do the same thing but in a file?
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");


I uploaded the file. So when I import the file can I

Attachment: testclaims.txt
Vasil Michev (MVP):

Think you kinda pressed the Post button too fast, I don't see the ending of your post :)
ntr2def (ASKER):

I updated it.
ntr2def (ASKER):

I've uploaded the txt file for your review.
ASKER CERTIFIED SOLUTION (Vasil Michev (MVP)):

[Solution text is members-only and is not included on this page.]
ntr2def (ASKER):

So ActiveSync and Autodiscover will not require autodiscover, correct?
Vasil Michev (MVP):

Yes, no MFA for those requests, as they will be hitting a different endpoint.
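As an added illustration (not code from this thread, from Experts Exchange or from Microsoft), here is a small Python evaluator for the subset of the AD FS claims rule language used above: exists() and NOT exists() conditions, named c:[...] conditions, == and =~ on Type and Value, joined by &&. It parses the rules posted in this thread as written and applies them to three constructed request-context claim sets. It shows why the insidecorporatenetwork == "true" variant never prompted externally (a request published through Web Application Proxy carries the x-ms-proxy claim together with insidecorporatenetwork = "false", so both conditions cannot hold at once) and why the x-ms-endpoint-absolute-path condition leaves ActiveSync alone (it authenticates against an active /adfs/services/trust endpoint rather than /adfs/ls). The proxy name, the exact endpoint paths, the client-application values and the case-insensitive string comparison are assumptions of the model, not values captured from a real AD FS farm.

```python
import re
from typing import List, Tuple

# Claim type URIs exactly as they appear in the thread's rules.
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
INSIDE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
CLIENT_APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
AUTHMETHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
MFA = "http://schemas.microsoft.com/claims/multipleauthn"
SID = "s-1-5-21-13664088-3370380461-338043368-14102"  # the group SID used in the thread

# The thread's rules, reproduced with the same conditions (whitespace normalised).
RULE_INSIDE_TRUE = (
    f'exists([Type == "{PROXY}"]) && exists([Type == "{GROUPSID}", value == "{SID}"])'
    f' && exists([Type == "{INSIDE}", value == "true"])'
    f' => issue(type = "{AUTHMETHOD}", value = "{MFA}");'
)
RULE_INSIDE_FALSE = RULE_INSIDE_TRUE.replace('value == "true"', 'value == "false"')
RULE_PASSIVE_ONLY = (
    f'c:[Type == "{GROUPSID}", Value == "{SID}"] && c1:[Type == "{INSIDE}", Value == "false"]'
    f' && c2:[Type == "{ENDPOINT}", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]'
    f' => issue(Type = "{AUTHMETHOD}", Value = "{MFA}");'
)
RULE_EXCLUDE_EXCHANGE = (
    f'exists([Type == "{PROXY}"])'
    f' && NOT exists([Type == "{CLIENT_APP}", Value == "Microsoft.Exchange.Autodiscover"])'
    f' && NOT exists([Type == "{CLIENT_APP}", Value == "Microsoft.Exchange.ActiveSync"])'
    f' => issue(Type = "{AUTHMETHOD}", Value = "{MFA}");'
)

Claim = Tuple[str, str]  # (claim type, claim value)

# Grammar subset used in the thread: [NOT] exists([...]) or name:[...] conditions
# joined by &&, properties Type/Value compared with == or =~, then => issue(...).
_COND = re.compile(r'(NOT\s+)?(?:exists\s*\(\s*)?(?:\w+\s*:\s*)?\[([^\]]*)\]')
_PROP = re.compile(r'(\w+)\s*(==|=~)\s*"([^"]*)"')
_ISSUE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_rule(rule: str):
    """Return ([(negated, [(property, operator, wanted), ...]), ...], issued_claim)."""
    lhs, rhs = rule.rstrip("; \n").split("=>", 1)
    conditions = []
    for m in _COND.finditer(lhs):
        props = [(p.lower(), op, want) for p, op, want in _PROP.findall(m.group(2))]
        conditions.append((m.group(1) is not None, props))
    issued = {k.lower(): v for k, v in _ISSUE.findall(rhs)}
    return conditions, (issued["type"], issued["value"])


def _claim_matches(props, claim: Claim) -> bool:
    ctype, cvalue = claim
    for prop, op, want in props:
        actual = ctype if prop == "type" else cvalue
        # == is modelled as case-insensitive (assumption; the thread's lower-case
        # SID and "value" keyword evidently matched), =~ as a regex search.
        if op == "==" and actual.lower() != want.lower():
            return False
        if op == "=~" and not re.search(want, actual):
            return False
    return True


def apply_rule(rule: str, claims: List[Claim]) -> List[Claim]:
    """Claims the rule issues for this request: one claim if every condition holds."""
    conditions, issued = parse_rule(rule)
    for negated, props in conditions:
        found = any(_claim_matches(props, c) for c in claims)
        if found == negated:  # exists(...) needs found, NOT exists(...) needs not found
            return []
    return [issued]


def requires_mfa(rule: str, claims: List[Claim]) -> bool:
    return (AUTHMETHOD, MFA) in apply_rule(rule, claims)


# Constructed request-context claim sets (shape only, not captured from a real AD FS).
# A WAP-published request carries x-ms-proxy and insidecorporatenetwork=false; a browser
# sign-in uses the passive endpoint, ActiveSync a usernamemixed (active) endpoint.
EXTERNAL_BROWSER = [(PROXY, "wap01"), (INSIDE, "false"), (ENDPOINT, "/adfs/ls"), (GROUPSID, SID)]
INTERNAL_BROWSER = [(INSIDE, "true"), (ENDPOINT, "/adfs/ls"), (GROUPSID, SID)]
EXTERNAL_ACTIVESYNC = [(PROXY, "wap01"), (INSIDE, "false"),
                       (ENDPOINT, "/adfs/services/trust/2005/usernamemixed"),
                       (CLIENT_APP, "Microsoft.Exchange.ActiveSync"), (GROUPSID, SID)]

if __name__ == "__main__":
    requests = {"external browser": EXTERNAL_BROWSER, "internal browser": INTERNAL_BROWSER,
                "external ActiveSync": EXTERNAL_ACTIVESYNC}
    rules = {"inside=true": RULE_INSIDE_TRUE, "inside=false": RULE_INSIDE_FALSE,
             "passive-only": RULE_PASSIVE_ONLY, "exclude-exchange": RULE_EXCLUDE_EXCHANGE}
    for rname, rule in rules.items():
        for qname, claims in requests.items():
            print(f"{rname:17} {qname:20} MFA={requires_mfa(rule, claims)}")
```

Running it prints one line per rule and request type. The "inside=true" rule issues no MFA claim for any of the three requests, the "inside=false" rule prompts the external browser, and the "passive-only" rule prompts the external browser while leaving the internal browser and the ActiveSync request alone, which is the behaviour described in the thread. The evaluator only understands && between conditions; rules with || or with claim-value expressions on the issue side would need a fuller parser.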
ntr2def (ASKER):

Also, my other question: for security reasons I would like to explicitly call out Autodiscover and ActiveSync to not require MFA.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

Vasil Michev (MVP):

As explained above, you DO NOT need this rule. Everything Exchange related will NOT require MFA.
ntr2def (ASKER):

Thank you Vasil. For education purposes, will any other application come through without MFA? For all intents and purposes that would not be a good thing.
Vasil Michev (MVP):

Only the ones that are not using the passive endpoint. As MFA (or any 2FA method for that matter) requires a user input via additional components, usually surfaced via a browser control, such apps will not be able to connect anyway. Now, if you have switched to using ADAL, things change a bit, but that's another story.
ntr2def (ASKER):

So we are going to use ADAL. So then would my rules change again?
Vasil Michev (MVP):

ADAL is still in preview and has issues with for example Lync. When and if you decide to switch to ADAL, you will have to rework your claims rules as all clients will use the Passive endpoint. Check for example here: http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx