Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
ADFS Claims Rules Help for MFA
Currently I'm working on building a lab however I noticed when im external and hit login.microsoftonline.com i get no MFA prompts for:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Notice True is Bolded
But when i change it to false:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Then it prompts me for MFA.
ALso i want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through then do not prompt for MFA
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Notice True is Bolded
But when i change it to false:
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationr
Then it prompts me for MFA.
ALso i want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through then do not prompt for MFA
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Well you cannot have both the "proxy" clause and "insidecorporatenetwork" set to true. Unless you are doing some fancy internal routing. Also, you should only enforce MFA on the Passive endpoint, as otherwise apps like Outlook/ActiveSync/non-MFA
Try something like this:
Try something like this:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
&& c1:[Type ==
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value ==
"false"]
&& c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms
-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
=> issue(Type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
Value = "http://schemas.microsoft.com/claims/multipleauthn");
so
Also is there a way to do the same thing but in a file?
I uploaded the file. so when i import the file can i
testclaims.txt
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms
-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] forces mfa to the passive end point?
Also is there a way to do the same thing but in a file?
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
&& c1:[Type ==
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value ==
"false"]
&& c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms
-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
=> issue(Type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
Value = "http://schemas.microsoft.com/claims/multipleauthn");
I uploaded the file. so when i import the file can i
testclaims.txt
Seems OK. But you're missing the 'labels', which might result in error when processing the rule. Try it like this:
For the second rule, you don't need a specific permit rule. Everything is allowed by default. And since EWS will hit a different endpoint, MFA will not be enforced. You should be fine even without that rule.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-13664088-3370380461-338043368-14102"] && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
For the second rule, you don't need a specific permit rule. Everything is allowed by default. And since EWS will hit a different endpoint, MFA will not be enforced. You should be fine even without that rule.
Also my other question is for security reason i would like to explicitly call out autodiscover, activesync to not require MFA
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",alue=="Microsoft.Exchange.Autodiscover"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Thank you Vasil, For education purposes will any other application come through without MFA? for all intents and purposes that would not be a good thing.
Only the ones that are not using the passive endpoint. As MFA (or any 2FA method for that matter) requires a user input via additional components, usually surfaced via a browser control, such apps will not be able to connect anyway. Now, if you have switched to using ADAL, things change a bit, but that's another story.
ADAL is still in preview and has issues with for example Lync. When and if you decide to switch to ADAL, you will have to rework your claims rules as all clients will use the Passive endpoint. Check for example here: http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx
Premium Content
You need an Expert Office subscription to comment.Start Free Trial