ADFS Claims Rules Help for MFA

ntr2def
Currently I'm working on building a lab; however, I noticed that when I'm external and hit login.microsoftonline.com I get no MFA prompts for:

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"]) && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "true"]) => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'

Notice that "true" is bolded.

But when I change it to "false":

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -additionalauthenticationrules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", value == "s-1-5-21-13664088-3370380461-338043368-14102"]) && exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]) => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");'

Then it prompts me for MFA.

Also, I want to be able to exclude users using ActiveSync. So if an ActiveSync user comes through, do not prompt for MFA.
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
Well you cannot have both the "proxy" clause and "insidecorporatenetwork" set to true. Unless you are doing some fancy internal routing. Also, you should only enforce MFA on the Passive endpoint, as otherwise apps like Outlook/ActiveSync/non-MFA aware mobile devices will be blocked.

Try something like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");


Author

Commented:
So

c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]

forces MFA to the passive endpoint?



Also, is there a way to do the same thing but in a file?

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "s-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");




I uploaded the file. So when I import the file can I

testclaims.txt

Commented:
Think you kinda pressed the Post button too fast, I don't see the ending of your post :)
Author

Commented:
I updated it

Author

Commented:
I've uploaded the txt file for your review
Commented:
Seems OK. But you're missing the 'labels', which might result in error when processing the rule. Try it like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");



For the second rule, you don't need a specific permit rule. Everything is allowed by default. And since EWS will hit a different endpoint, MFA will not be enforced. You should be fine even without that rule.
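The following PowerShell is an added example, not code from the thread or from Microsoft's documentation. It puts the passive-endpoint rule suggested above into a file, applies it with the file-based parameter of Set-AdfsRelyingPartyTrust (which answers the "can I do the same thing in a file" question), and reads the trust back so you can confirm what AD FS actually stored. Assumptions: it runs in an elevated session on an AD FS server, the Office 365 relying party trust carries the default display name "Microsoft Office 365 Identity Platform", and the group SID is the one quoted in the thread (replace it with your own).

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session on an
# AD FS server where the ADFS module is available, and that the Office 365 relying
# party trust uses the default display name below.
$rpName   = "Microsoft Office 365 Identity Platform"
$ruleFile = Join-Path $env:TEMP "mfa-passive-endpoint-rule.txt"

# The rule from the thread: MFA only for members of the group, only when the request
# originates outside the corporate network, and only on the passive (/adfs/ls) or
# OAuth2 endpoints. ActiveSync, EWS and Autodiscover hit other endpoints, so the c2
# condition never matches for them and no multipleauthn claim is issued.
# "==" is a case-sensitive comparison, so the SID is written uppercase, as AD FS issues it.
$rule = @'
@RuleName = "MFA for external group members on passive endpoints"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-13664088-3370380461-338043368-14102"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Write the rule text to disk so it can be version-controlled and re-applied later.
Set-Content -Path $ruleFile -Value $rule -Encoding UTF8

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Apply the additional authentication rules from the file instead of an inline string.
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRulesFile $ruleFile

# Read back what AD FS stored and make sure the endpoint restriction is really present.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
if ($applied -notmatch 'x-ms-endpoint-absolute-path') {
    throw "Additional authentication rules did not apply as expected"
}
Write-Host "Additional authentication rules now set on '$rpName':`n$applied"
```

The read-back step matters: if the rule text has a syntax error, AD FS rejects it at Set-AdfsRelyingPartyTrust time, but a rule that parses yet matches nothing (for example a lowercase SID that never equals the issued uppercase one) silently leaves every sign-in without MFA, which is exactly the symptom described at the top of the thread.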

Author

Commented:
So ActiveSync and Autodiscover will not require Autodiscover, correct?

Commented:
Yes, no MFA for those requests, as they will be hitting a different endpoint.

Author

Commented:
Also, my other question is that for security reasons I would like to explicitly call out Autodiscover and ActiveSync to not require MFA:

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");


Commented:
As explained above, you DO NOT need this rule. Everything Exchange related will NOT require MFA.

Author

Commented:
Thank you, Vasil. For education purposes, will any other application come through without MFA? For all intents and purposes that would not be a good thing.

Commented:
Only the ones that are not using the passive endpoint. As MFA (or any 2FA method for that matter) requires a user input via additional components, usually surfaced via a browser control, such apps will not be able to connect anyway. Now, if you have switched to using ADAL, things change a bit, but that's another story.

Author

Commented:
So we are going to use ADAL. So then would my rules change again?

Commented:
ADAL is still in preview and has issues with for example Lync. When and if you decide to switch to ADAL, you will have to rework your claims rules as all clients will use the Passive endpoint. Check for example here: http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx
