K B asked:

ADFS Claim Rule: Not allowing internal access

Is there any reason why internal users would not be able to access Outlook when utilizing this claim rule?

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "\bS-1-5-21-1292385385-3260344413-318601890-1169\b"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");



Here are the events associated with the requests:

2017-03-07_0952.png
2017-03-07_0953.png
2017-03-07_0953_001.png
Tags: Active Directory Federation Services (ADFS), Exchange, Active Directory, Microsoft 365, PowerShell

Last comment: Vasil Michev (MVP), 8/22/2022
K B (asker):
I just realized I had =~

&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "\bS-1-5-21-1292385385-3260344413-318601890-1169\b"])



changed to:

&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "\bS-1-5-21-1292385385-3260344413-318601890-1169\b"])


K B (asker):
So if I may, I suppose my questions are:

1.  With split-brain DNS, is there no issue using this syntax instead of listing out all external IP addresses (using x-ms-forwarded-client-ip):
     
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])



2.  Is it fine to not include which application if we are trying to restrict all applications (e.g. x-ms-client-application)?

3.  Is it best to stay away from "insidecorporatenetwork"? It seems to be inaccurate in my lab.
Vasil Michev (MVP):

Exchange Online without Modern Auth is *always* external. You should use the x-ms-forwarded-client-ip claim instead to detect internal users. No need to have x-ms-client-application, it's only added for EO traffic anyway.

Keep the =~ if you are doing a regex match, or remove the "\b" marks!
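The following is an added example, not code from the original thread or from either participant. It puts Vasil's two points into a form you can test on the ADFS server: the groupsid comparison is made an exact match (so the "\b" regex anchors are dropped), and "outside" is decided from x-ms-forwarded-client-ip (the client address the Web Application Proxy forwards) rather than from the mere presence of x-ms-proxy, which legacy-auth Exchange Online traffic always carries. Assumptions: the group SID is the one from the question; 203.0.113.0/24 is a placeholder for the organisation's real public egress range; "Microsoft Office 365 Identity Platform" is the default display name of the Office 365 relying party trust; the sample claim values are constructed.

```powershell
# Added example (not from the original thread). Run on an ADFS server with the
# ADFS PowerShell module; the dry-run part needs only .NET, which is the regex
# engine ADFS claim rules use for =~.
# ASSUMPTIONS: group SID taken from the question; 203.0.113.0/24 stands in for
# your real public egress IP(s); RP trust name is the default for Office 365.

$GroupSid       = 'S-1-5-21-1292385385-3260344413-318601890-1169'
$PublicEgressRx = '\b203\.0\.113\.(\d{1,3})\b'   # replace with your egress address(es)

$ProxyClaim = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy'
$FwdIpClaim = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip'
$GroupClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$DenyClaim  = 'http://schemas.microsoft.com/authorization/claims/deny'

# Deny when: the request came through the proxy (x-ms-proxy present),
#            the forwarded client IP is NOT one of our public egress addresses,
#            and the user is in the restricted group.
# The SID is compared with == (exact string), so no \b anchors. If you prefer
# =~ with \b, that is the other valid form Vasil describes; mixing == and \b
# compares against the literal characters "\b" and never matches.
$DenyRule = @"
@RuleName = "Deny restricted group from outside corporate egress"
exists([Type == "$ProxyClaim"])
 && NOT exists([Type == "$FwdIpClaim", Value =~ "$PublicEgressRx"])
 && exists([Type == "$GroupClaim", Value == "$GroupSid"])
 => issue(Type = "$DenyClaim", Value = "DenyUsersWithClaim");
"@

function Test-ForwardedIpRegex {
    # Dry run: evaluate the egress regex against sample x-ms-forwarded-client-ip
    # values using the same .NET regex engine ADFS uses, before changing the RP.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Samples
    )
    foreach ($s in $Samples) {
        [pscustomobject]@{
            ForwardedClientIp = $s
            TreatedAsInternal = [regex]::IsMatch($s, $Pattern)
        }
    }
}

# Constructed sample values. The claim may carry a source port and, for
# Exchange Online traffic, a comma-separated chain of addresses, so the regex
# is anchored on octet boundaries (\b and escaped dots) rather than on the
# whole string.
Test-ForwardedIpRegex -Pattern $PublicEgressRx -Samples @(
    '203.0.113.25',                 # on-prem client via corporate egress -> internal
    '203.0.113.25:51234',           # same, with source port            -> internal
    '198.51.100.9, 203.0.113.25',   # EXO address then corporate egress  -> internal
    '198.51.100.9',                 # client on a home/coffee-shop link  -> external
    '203.0.11.3'                    # must not match a shorter octet     -> external
) | Format-Table -AutoSize

# Apply: APPEND to the existing issuance authorization rules of the RP trust;
# replacing them outright would drop the permit rule that lets everyone else in.
# Uncomment once the dry run above shows the expected Internal/External split.
# $Rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
# Set-AdfsRelyingPartyTrust -TargetRelyingParty $Rp `
#     -IssuanceAuthorizationRules ($Rp.IssuanceAuthorizationRules + "`n" + $DenyRule)
```

Two caveats a practitioner will want: the (\d{1,3}) octet group accepts values above 255, which is harmless for matching real addresses but should be tightened if the range is narrower than a /24; and a deny claim issued by any authorization rule wins regardless of rule order, so keep the deny rule as narrow as the group membership plus egress check makes it.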
K B (asker):
Apologies, this is without modern authentication...

So in that case, do I always need to specify IPs, or is this sufficient to specify that users are coming from the "outside"? exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)
