Nathan Vanderwyst
asked on
Office 365 Restrict External Access Server 2012 R2 ADFS Policy
I have followed "Scenario 4: Block all external access to Office 365 except for designated Active Directory groups" using the link I have provided at the bottom, but it is not working. Is there something else I need to do? I believe I have the correct entries, which I have provided below. I have the rules in the correct order per the instructions, with the default Permit Access to All Users at the bottom. You can see I have internal IP address ranges for 192.168.1.1 to 192.168.1.255, 10.0.0.1 to 10.0.0.255, and lastly 172.16.1.1 to 172.16.1.255 for the x-ms-forwarded-client-ip values, and built them using the online regex builder (i.e., http://www.analyticsmarket.com/freetools/ipregex). I obtained the AD group SID using the PowerShell command (i.e., Get-ADGroup -Filter {Name -like "pa*"} | Select Name,SID | Format-Table -Auto). Please help.
c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^192\.168\.1\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^10\.0\.0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^172\.16\.1\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"] && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://custom/ipoutsiderange", Value = "true");
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0220945662-3111232555-725789543-38967718"]) => add(Type = "http://custom/groupsid", Value = "fail");
c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "http://custom/groupsid", Value == "fail"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
Configuring Client Access Policies
Check the event logs; you should see all the claims/values there. For Exchange Online related traffic, the forwarded IP might be that of the MS servers, depending on the client in use.
ASKER
I did the traces but I don't understand how to read them.
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip Value 70.198.50.124 ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid Value https://login.microsoftonline.com/login.srf ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id Value 6a59ee2a-bf1f-4bd0-b00f-77b0b5a0aac4 ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork Value true ValueType http://www.w3.org/2001/XMLSchema#boolean Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path Value /adfs/ls/ ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent Value Mozilla/5.0 (iPad; CPU OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G35 Safari/601.1 ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid Value S-1-18-2 ValueType http://www.w3.org/2001/XMLSchema#string Issuer AD AUTHORITY OriginalIssuer AD AUTHORITY
Value S-1-5-21-1915377267-1208286587-1902094214-1157
Value S-1-5-21-1915377267-1208286587-1902094214-1155
Value S-1-5-21-1915377267-1208286587-1902094214-1151
Value S-1-5-21-1915377267-1208286587-1902094214-1123
Value S-1-5-21-1915377267-1208286587-1902094214-1147
Value S-1-5-15
Value S-1-5-11
Value S-1-5-2
Value S-1-5-32-554
Value S-1-5-32-574
Value S-1-5-32-545
Value S-1-1-0
Simply look for the claim and its value. In the above example, the http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork claim has a value True, so the rule will not act upon it.
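To make the trace-reading step concrete, here is an added Python example (not from this thread and not AD FS code) that parses a constructed claims dump laid out the same flattened way as the one above and then runs the asker's three posted rules over it. The IP, SIDs and the allowed-group SID in the sample are made up; the http://custom/... claim names and the private-range regex are taken from the rules the asker posted.

```python
import re

IP_CLAIM = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
INSIDE_CLAIM = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
GROUPSID_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"

# The asker's private-range regex from the first posted rule
INTERNAL_IP_REGEX = (
    r"^192\.168\.1\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"
    r"|^10\.0\.0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"
    r"|^172\.16\.1\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"
)

# Constructed claims dump (made-up IP and SIDs) in the flattened debug-trace layout:
# no x-ms-forwarded-client-ip claim and insidecorporatenetwork = true, as seen without a WAP
SAMPLE_TRACE = (
    "ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip "
    "Value 203.0.113.10 ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT "
    f"ClaimType {INSIDE_CLAIM} Value true ValueType http://www.w3.org/2001/XMLSchema#boolean "
    "Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT "
    f"ClaimType {GROUPSID_CLAIM} Value S-1-5-21-111-222-333-1001 "
    "ValueType http://www.w3.org/2001/XMLSchema#string Issuer AD AUTHORITY OriginalIssuer AD AUTHORITY "
    "Value S-1-5-21-111-222-333-1002 Value S-1-5-32-545"
)

CLAIM_RE = re.compile(
    r"ClaimType (?P<type>\S+) Value (?P<value>.*?) ValueType (?P<vtype>\S+) "
    r"Issuer (?P<issuer>.*?) OriginalIssuer (?P<orig>.*?)(?= ClaimType |$)"
)

def parse_trace(text):
    """Return {claim type: [values]} from a flattened claims dump."""
    claims = {}
    for m in CLAIM_RE.finditer(text):
        # A multi-valued claim is dumped as "OriginalIssuer <issuer> Value v2 Value v3 ..."
        extra = m.group("orig").split(" Value ")[1:]
        claims.setdefault(m.group("type"), []).extend([m.group("value")] + extra)
    return claims

def evaluate_rules(claims, ip_regex=INTERNAL_IP_REGEX, allowed_sid="S-1-5-21-111-222-333-9999"):
    """Apply the three posted authorization rules; return (denied, intermediate custom claims)."""
    custom = {}
    # Rule 1: forwarded IP matches the regex AND insidecorporatenetwork == "false"
    inside = [v.lower() for v in claims.get(INSIDE_CLAIM, [])]
    if "false" in inside and any(re.search(ip_regex, ip) for ip in claims.get(IP_CLAIM, [])):
        custom["http://custom/ipoutsiderange"] = "true"
    # Rule 2: NOT EXISTS(groupsid == allowed SID) => groupsid fail
    if allowed_sid not in claims.get(GROUPSID_CLAIM, []):
        custom["http://custom/groupsid"] = "fail"
    # Rule 3: both intermediate claims present => deny
    denied = custom.get("http://custom/ipoutsiderange") == "true" and "http://custom/groupsid" in custom
    return denied, custom
```

Run against the sample, the deny rule never fires because insidecorporatenetwork is true and no forwarded-IP claim exists, which is exactly what the trace above shows; feeding evaluate_rules a claim set with insidecorporatenetwork false and a forwarded IP inside the regex shows the deny path.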
ASKER
How can this be since I was testing using an iPad over a cellular connection. It should have evaluated to FALSE. Where can I see the values being passed that are evaluated?
This claim in particular is added by the WAP, so check there. If you are using any 3rd-party product as a replacement for the AD FS proxy, most likely they don't support the claim.
ASKER
We host ADFS on premises and there is no WAP.
Well, there's your problem. You need to have a WAP server in order to distinguish external/internal requests. Otherwise the http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork claim will always evaluate to True, and you need to remove the corresponding checks from the claims rule.
ASKER
That doesn't make sense; why would Office 365 need to use WAP? I have never even seen WAP anywhere in any of the configuration of ADFS or Office 365 or AAD Connect or in Azure. I never ran across any documentation for it either. What am I not understanding? Do you have any suggested URLs to follow specifically for O365 ADFS claims rules with WAP configuration?
ASKER CERTIFIED SOLUTION
ASKER
Thank you for your help.