K B asked on
ADFS Claim Rule: Not allowing internal access

Is there any reason why internal users would not be able to access Outlook when utilizing this claim rule?

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "\bS-1-5-21-1292385385-3260344413-318601890-1169\b"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

Here are the events associated with the requests: [three event-log screenshots, not reproduced]
K B (Asker)

I just realized I had =~

&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "\bS-1-5-21-1292385385-3260344413-318601890-1169\b"])

changed to:

&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "\bS-1-5-21-1292385385-3260344413-318601890-1169\b"])

K B (Asker)

So if I may, I suppose my questions are:

1.  With split-brain DNS, is there no issue using this syntax instead of listing out all external IP addresses (using x-ms-forwarded-client-ip):

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])

2.  Is it fine to not include which application if we are trying to restrict all applications (e.g. x-ms-client-application)?

3.  Is it best to stay away from "insidecorporatenetwork"? It seems to be inaccurate in my lab.

Vasil Michev (MVP)
Exchange Online without Modern Auth is *always* external. You should use the x-ms-forwarded-client-ip claim instead to detect internal users. No need to have x-ms-client-application, it's only added for EO traffic anyway.

Keep the =~ if you are doing a regex match, or remove the "\b" marks!
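A worked version of the rule with both corrections from this thread applied, as an added example (it was not posted by anyone here): the group SID is compared exactly with == and no \b, and the "external" test combines x-ms-proxy with a NOT exists() on x-ms-forwarded-client-ip, so legacy-auth Exchange Online traffic, which always arrives through the proxy, is still classified by the originating client IP rather than denied outright. The relying party trust name, the 203.0.113.0/24 egress range and the surrounding permit rule are assumptions, not facts from the thread; replace them with your own before running this on the primary ADFS server.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the primary ADFS server (ADFS module is loaded automatically).
#
# Assumptions (not in the thread):
#   - the Office 365 relying party trust is named 'Microsoft Office 365 Identity Platform'
#   - users egress to the internet from 203.0.113.0/24 (documentation range)
#   - access is otherwise governed by a single "Permit all users" rule

$groupSid = 'S-1-5-21-1292385385-3260344413-318601890-1169'   # SID from the thread
$rpName   = 'Microsoft Office 365 Identity Platform'          # assumed RP trust name

# x-ms-forwarded-client-ip is matched with a regex (=~), so write the egress
# range as a regex, not CIDR: escape the dots and anchor with \b. \d{1,3} is
# deliberately loose (it also accepts 203.0.113.999); tighten it if you need to.
# Add further ranges as alternatives separated by |.
$internalIpRegex = '\b203\.0\.113\.\d{1,3}\b'

# 1) Why the asker's edited rule never matched: ADFS "==" is an exact string
#    compare, "=~" is a .NET regex, like PowerShell -eq and -match. A literal
#    "\b" inside an exact compare is just two characters that are not in any SID.
#    (-eq is case-insensitive whereas ADFS == is not, but that is irrelevant for SIDs.)
function Test-SidComparison {
    param([string]$Sid, [string]$Pattern)
    [pscustomobject]@{
        ExactVsBoundaryPattern = ($Sid -eq "\b$Pattern\b")     # False: never matches
        RegexVsBoundaryPattern = ($Sid -match "\b$Pattern\b")  # True
        ExactVsPlainSid        = ($Sid -eq $Pattern)           # True
    }
}
Test-SidComparison -Sid $groupSid -Pattern $groupSid | Format-List

# 2) Corrected deny rule. Read it as: request came through the proxy, AND the
#    forwarded client IP is NOT one of ours, AND the user is in the group -> deny.
#    The SID uses == with no \b; the IP test uses =~ with the regex above.
$denyRule = @"
@RuleName = "Deny group members connecting from outside the corporate network"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$internalIpRegex"])
 && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
"@

# Everyone else is still permitted. ADFS denies whenever any deny claim is
# issued, so the permit rule does not override the deny above.
$permitRule = @"
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# 3) Back up the current issuance authorization rules before replacing them.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }
$backupPath = Join-Path $env:TEMP 'o365-issuance-authorization-rules.bak.txt'
$rp.IssuanceAuthorizationRules | Set-Content -Path $backupPath -Encoding UTF8
Write-Host "Previous rules saved to $backupPath"

# 4) Apply the new rule set. Set-AdfsRelyingPartyTrust replaces the whole rule
#    set, which is why the permit rule is included explicitly.
$newRules = $denyRule + "`r`n" + $permitRule
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $newRules

# Verify what ADFS stored.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test it the way the thread does: make one legacy-auth Outlook connection from inside the egress range and one from outside, and compare the x-ms-forwarded-client-ip value in the ADFS event (it can carry more than one address, which is why the pattern is anchored with \b rather than ^ and $). To block every application rather than just Exchange Online, leave x-ms-client-application out of the rule, as the answer above notes; adding it would narrow the deny to the listed application only.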
K B (Asker)

Apologies, this is without modern authentication...

So in that case, do I always need to specify IPs? Or is this sufficient to specify that users are coming from the "outside"?

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)

[Accepted answer text not available on this page]