ADFS Claims Rules Help for MFA

Currently I'm working on building a lab; however, I noticed that when I'm external and hit login.microsoftonline.com I get no MFA prompts for:

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"]) && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "true"]) => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'

Notice that "true" is bolded.

But when I change it to false:

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"]) && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]) => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'

Then it prompts me for MFA.

Also, I want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through, then do not prompt for MFA.
ntr2def Asked:

Vasil Michev (MVP) Commented:
Well, you cannot have both the "proxy" clause and "insidecorporatenetwork" set to true, unless you are doing some fancy internal routing. Also, you should only enforce MFA on the Passive endpoint, as otherwise apps like Outlook/ActiveSync/non-MFA-aware mobile devices will be blocked.

Try something like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

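To make the two points in the answer above concrete (the "proxy" and "insidecorporatenetwork == true" conditions never hold together for an external request, and restricting MFA to the passive endpoint keeps non-browser clients out of the rule), here is an added example that is not code from the thread and does not talk to AD FS. It is a small PowerShell model of the exists([Type == ..., Value == ...]) conditions, evaluated against three constructed claim sets. The claim type URIs and group SID are the ones used in the thread; the x-ms-proxy value "wap01" and the WS-Trust endpoint path used for the ActiveSync request are assumptions for illustration.

```powershell
# Added example: a toy evaluator for the claim-rule conditions discussed above.
# It models the rules as PowerShell functions; it is not the AD FS rule engine.

$GroupSid   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$InsideCorp = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$Proxy      = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy'
$Endpoint   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
$MfaGroup   = 'S-1-5-21-13664088-3370380461-338043368-14102'

# Models exists([Type == $Type, Value == $Value]) or, with -Pattern, Value =~ regex.
# Values are compared as exact strings here.
function Test-ClaimExists {
    param([hashtable[]]$Claims, [string]$Type, [string]$Value, [string]$Pattern)
    foreach ($c in $Claims) {
        if ($c.Type -cne $Type) { continue }
        if ($Value   -and ($c.Value -cne $Value))        { continue }
        if ($Pattern -and ($c.Value -cnotmatch $Pattern)) { continue }
        return $true
    }
    return $false
}

# Builds a constructed claim set for one request. A request that arrives
# through the Web Application Proxy carries x-ms-proxy (value = WAP name,
# assumed here) and insidecorporatenetwork = false.
function New-RequestClaims {
    param([bool]$Inside, [bool]$ViaProxy, [string]$Path)
    $claims = @(
        @{ Type = $GroupSid;   Value = $MfaGroup },
        @{ Type = $InsideCorp; Value = $Inside.ToString().ToLower() },
        @{ Type = $Endpoint;   Value = $Path }
    )
    if ($ViaProxy) { $claims += ,@{ Type = $Proxy; Value = 'wap01' } }
    return $claims
}

# The asker's rule, with the insidecorporatenetwork value as a parameter.
function Test-OriginalRule {
    param([hashtable[]]$Claims, [string]$InsideValue)
    (Test-ClaimExists $Claims -Type $Proxy) -and
    (Test-ClaimExists $Claims -Type $GroupSid -Value $MfaGroup) -and
    (Test-ClaimExists $Claims -Type $InsideCorp -Value $InsideValue)
}

# The suggested rule: group member, external, and passive endpoint only.
function Test-PassiveOnlyRule {
    param([hashtable[]]$Claims)
    (Test-ClaimExists $Claims -Type $GroupSid -Value $MfaGroup) -and
    (Test-ClaimExists $Claims -Type $InsideCorp -Value 'false') -and
    (Test-ClaimExists $Claims -Type $Endpoint -Pattern '(/adfs/ls)|(/adfs/oauth2)')
}

# Three constructed request shapes. The ActiveSync path is an assumed
# WS-Trust (active) endpoint; the point is only that it is not /adfs/ls.
$requests = [ordered]@{
    'external browser (via WAP, /adfs/ls)' = New-RequestClaims -Inside $false -ViaProxy $true  -Path '/adfs/ls/'
    'internal browser (/adfs/ls)'          = New-RequestClaims -Inside $true  -ViaProxy $false -Path '/adfs/ls/'
    'external ActiveSync (active endpoint)' = New-RequestClaims -Inside $false -ViaProxy $true  -Path '/adfs/services/trust/2005/usernamemixed'
}

$requests.Keys | ForEach-Object {
    $c = $requests[$_]
    [pscustomobject]@{
        Request           = $_
        'original, true'  = Test-OriginalRule $c -InsideValue 'true'
        'original, false' = Test-OriginalRule $c -InsideValue 'false'
        'passive-only'    = Test-PassiveOnlyRule $c
    }
} | Format-Table -AutoSize
```

The table it prints shows the behaviour reported in the question: with "true" the original rule never fires for the external browser (x-ms-proxy is present only when insidecorporatenetwork is false), with "false" it fires. It also shows the difference the endpoint condition makes: the "false" variant of the original rule would fire for the ActiveSync request too, whereas the passive-only rule fires for the external browser and for nothing else.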

ntr2def (Author) Commented:
So

c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]

forces MFA to the passive endpoint?



Also, is there a way to do the same thing but in a file?

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

I uploaded the file. So when I import the file can I
testclaims.txt
Vasil Michev (MVP) Commented:
Think you kinda pressed the Post button too fast, I don't see the ending of your post :)
ntr2def (Author) Commented:
I updated it
ntr2def (Author) Commented:
I've uploaded the txt file for your review
Vasil Michev (MVP) Commented:
Seems OK. But you're missing the 'labels', which might result in an error when processing the rule. Try it like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

For the second rule, you don't need a specific permit rule. Everything is allowed by default. And since EWS will hit a different endpoint, MFA will not be enforced. You should be fine even without that rule.
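The asker's question about keeping the rule in a file, answered above, comes down to reading the file as a single string and passing it to the same cmdlet used in the question. The following is an added example, not code posted by either participant. It assumes the relying party is named "Microsoft Office 365 Identity Platform" (the usual name for the Office 365 trust) and that the file lives at C:\adfs\testclaims.txt; both are assumptions to adjust. It runs on an AD FS server with the ADFS module, from an elevated PowerShell session.

```powershell
# Added example: apply the additional-authentication rule from a text file
# and read it back. Paths and the RP name are assumptions for this example.

$rulesFile = 'C:\adfs\testclaims.txt'
$rpName    = 'Microsoft Office 365 Identity Platform'

# -Raw returns the whole file as one string; without it Get-Content returns an
# array of lines, which is not what -AdditionalAuthenticationRules expects.
$rules = Get-Content -Path $rulesFile -Raw

# Two cheap sanity checks before touching the trust: the rule must contain an
# issue statement and must end with the ';' that terminates a claim rule.
if ($rules -notmatch '=>\s*issue\(') { throw "No '=> issue(' found in $rulesFile" }
if ($rules.Trim() -notmatch ';$')    { throw "The rule in $rulesFile must end with ';'" }

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Same call as in the question, with the rule text coming from the file.
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rules

# Read back what AD FS stored so a copy/paste or encoding problem shows up now.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Set-AdfsRelyingPartyTrust also accepts -AdditionalAuthenticationRulesFile with the path instead of the rule text, which skips the Get-Content step; the read-back at the end is worth keeping either way. After applying the rule, test from an external browser (MFA expected) and from an internal one or an ActiveSync client (no MFA expected), which is the behaviour described in the answer above.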

ntr2def (Author) Commented:
So ActiveSync and Autodiscover will not require autodiscover, correct?
Vasil Michev (MVP) Commented:
Yes, no MFA for those requests, as they will be hitting a different endpoint.
ntr2def (Author) Commented:
Also, my other question is: for security reasons I would like to explicitly call out Autodiscover and ActiveSync to not require MFA.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");


Vasil Michev (MVP) Commented:
As explained above, you DO NOT need this rule. Everything Exchange related will NOT require MFA.
ntr2def (Author) Commented:
Thank you Vasil. For education purposes, will any other application come through without MFA? For all intents and purposes that would not be a good thing.
Vasil Michev (MVP) Commented:
Only the ones that are not using the passive endpoint. As MFA (or any 2FA method, for that matter) requires user input via additional components, usually surfaced via a browser control, such apps will not be able to connect anyway. Now, if you have switched to using ADAL, things change a bit, but that's another story.
ntr2def (Author) Commented:
So we are going to use ADAL. So then would my rules change again?
Vasil Michev (MVP) Commented:
ADAL is still in preview and has issues with for example Lync. When and if you decide to switch to ADAL, you will have to rework your claims rules as all clients will use the Passive endpoint. Check for example here: http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx