ADFS: Limit use of Microsoft Teams to certain IP Addresses
Modern Authentication is NOT enabled.
Is this possible?
When I block all from the outside I do not see Teams identifying itself here:
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
I only see:
Is this possible?
When I block all from the outside I do not see Teams identifying itself here:
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
I only see:
Caller identity:
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)
and
Caller identity:
http://schemas.microsoft.com/claims/authnmethodsreferences
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/claims/authnmethodsreferences
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip
10.20.200.40
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
44.141.144.7
http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid
https://login.microsoftonline.com/login.srf
http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id
ff2269e4-2692-xxxx-xxxx-debd2c0646f1
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
se-c-wp01
http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork
false
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
/adfs/ls/
The x-ms-client-application claim is ONLY added for Exchange related requests, when not using MA. You cannot use this claim for any other applications, and without MA enabled, you cannot use Azure AD Conditional access to restrict Teams (which is the preferred method).
ASKER
Vasil,
I don't think conditional access is an option for this company as their large client base does not support modern authentication - tons of Office 2010. However, I did see this new article regarding conditional access and teams... Out of curiosity, will this now work or am I missing something?
https://blogs.technet.microsoft.com/skypehybridguy/2017/08/31/microsoft-teams-restrict-usage-with-azure-ad-conditional-access/
Also, I did try to block all browser-based apps (without conditional access), not specific to teams, and that seemed to work. Does that seem correct to you? I recognize I asked specifically for Teams but curious if this might be an alternate solution.
I suppose the key piece is the x-ms-endpoint-absolute-pat
Thank you.
I don't think conditional access is an option for this company as their large client base does not support modern authentication - tons of Office 2010. However, I did see this new article regarding conditional access and teams... Out of curiosity, will this now work or am I missing something?
https://blogs.technet.microsoft.com/skypehybridguy/2017/08/31/microsoft-teams-restrict-usage-with-azure-ad-conditional-access/
Also, I did try to block all browser-based apps (without conditional access), not specific to teams, and that seemed to work. Does that seem correct to you? I recognize I asked specifically for Teams but curious if this might be an alternate solution.
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b43\.144\.141\.22\b"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");I suppose the key piece is the x-ms-endpoint-absolute-pat
Thank you.
Problem is, you will be blocking way more than just Teams. As to conditional access, it should work, as the Teams clients is MA-enabled and the login process should respect the policy set in AAD. The difference compared to AD FS being, Microsoft can target only Teams related traffic on their end, while if you do it on the AD FS side, you will end up blocking other stuff.
ASKER
Vasil,
Thank you.
Sorry about that - I misread your original reply.
Your reply makes me want to ask a tangential question, ...must modern authentication always be used with conditional access? In other words, can conditional access be used somehow (with products, other than teams) without turning on modern authentication? I am thinking that web-based apps might...correct?
So what are the apps, sans conditional access, that can be isolated/blocked/allowed with just ADFS? Does it break down into 2 categories?
1. All web-based apps?
2. Mail client access? - Outlook/ActiveSync/?
a. Autodiscover
b. EWS
c. OAB
d. MAPI
e. ActiveSync
What about Skype for Business or any other thick client access (does the above list prevent access to any other apps)?
I suppose ADFS was only designed for certain legacy scenarios and MS is investing in Azure AD (premium) moving forward.. Perhaps ADFS was meant to do SSO primarily?
In the future, would we use conditional access to provide conditional access :-) in conjunction with ADFS for SSO (or when GA, pass-thru auth when just authenticating to Azure/365?)?
Thanks again
Thank you.
Sorry about that - I misread your original reply.
Your reply makes me want to ask a tangential question, ...must modern authentication always be used with conditional access? In other words, can conditional access be used somehow (with products, other than teams) without turning on modern authentication? I am thinking that web-based apps might...correct?
So what are the apps, sans conditional access, that can be isolated/blocked/allowed with just ADFS? Does it break down into 2 categories?
1. All web-based apps?
2. Mail client access? - Outlook/ActiveSync/?
a. Autodiscover
b. EWS
c. OAB
d. MAPI
e. ActiveSync
What about Skype for Business or any other thick client access (does the above list prevent access to any other apps)?
I suppose ADFS was only designed for certain legacy scenarios and MS is investing in Azure AD (premium) moving forward.. Perhaps ADFS was meant to do SSO primarily?
In the future, would we use conditional access to provide conditional access :-) in conjunction with ADFS for SSO (or when GA, pass-thru auth when just authenticating to Azure/365?)?
Thanks again
Yes, Azure AD Conditional access only works (depends on) MA. But, you can just as well configure it on-premises via the AD FS claims rules, at least in some cases.
Blocking *specific* apps is the issue with AD FS, as often you have no way to distinguish between a browser or an app that simply sends the user agent string of a browser. When not using MA, Exchange related applications can be controlled more granularly, as the request is proxied via Exchange Online servers and additional information is added. But that's just a special case, needed because only basic auth was supported back in the day.
And yes, we're slowly but surely being pushed towards AAD Conditional Access. Not necessarily a bad thing, as Microsoft has more control there and can make sure that different applications are treated differently. But it costs some extra $$$, unless you use any other AAD Premium functionalities.
Blocking *specific* apps is the issue with AD FS, as often you have no way to distinguish between a browser or an app that simply sends the user agent string of a browser. When not using MA, Exchange related applications can be controlled more granularly, as the request is proxied via Exchange Online servers and additional information is added. But that's just a special case, needed because only basic auth was supported back in the day.
And yes, we're slowly but surely being pushed towards AAD Conditional Access. Not necessarily a bad thing, as Microsoft has more control there and can make sure that different applications are treated differently. But it costs some extra $$$, unless you use any other AAD Premium functionalities.
ASKER
Vasil,
Would it be fair to say this:
with just ADFS, you can only isolate ActiveSync, WebApps, Autodiscover, OAB, EWS and MAPI. Basically,
1. ActiveSync
2. Outlook (anything else that uses EWS, OAB, MAPI, Autodiscover) what are those applications?
3. OWA/SharePoint/Teams/Other
Does Skype fall under number 2? What other apps fall under #'s 2 and 3?
I am trying to pin down a list if possible.
I noticed this is the list under conditional access:
Would it be fair to say this:
with just ADFS, you can only isolate ActiveSync, WebApps, Autodiscover, OAB, EWS and MAPI. Basically,
1. ActiveSync
2. Outlook (anything else that uses EWS, OAB, MAPI, Autodiscover) what are those applications?
3. OWA/SharePoint/Teams/Other
Does Skype fall under number 2? What other apps fall under #'s 2 and 3?
I am trying to pin down a list if possible.
I noticed this is the list under conditional access:
ASKER
I am finding that the token lifetime on the Teams Mobile App (at least) is so long and does not seem to be adjustable. I thought it would be 1 hour but I suppose not? I even adjusted what I found here: https://tristanwatkins.com/coordinating-adfs-2012-r2-token-lifetime-logon-prompt-enforce-revocation-session-duration-public-network/ to no avail.
SO, if users leave the internal corporate network, they can continue to use Teams for as long as they want (thus far in my testing)
Any ideas why? Thought it was the same token kept in Azure.
Conditional Access does shut it down at exactly one hour. nice.
SO, if users leave the internal corporate network, they can continue to use Teams for as long as they want (thus far in my testing)
Any ideas why? Thought it was the same token kept in Azure.
Conditional Access does shut it down at exactly one hour. nice.
The AD FS token lifetime doesnt matter that much, it's the AAD one you have to adjust: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
Changing network location doesnt invalidate tokens, that's why you need to use conditional access or revoke them manually.
Changing network location doesnt invalidate tokens, that's why you need to use conditional access or revoke them manually.
ASKER
Thank you Vasil,
How do the claim rules to restrict Outlook, Web and ActiveSync by location work then?
Why is this different?
How do the claim rules to restrict Outlook, Web and ActiveSync by location work then?
Why is this different?
They work by preventing the issuing of the token, not by revoking already existing tokens. But Exchange Online (without Modern auth) is a different story.
ASKER
Does that mean, to get location based blocking (when locations change) one would have to
1. move to conditional access in Azure or
2. would just ADFS with Modern Authentication allow for
a. either the revocation of the token or
b. a short token lifetime thus forcing the user to have to authenticate (I suppose this is in preview and shouldn't really be recommended to clients or can this be done at ADFS when modern authentication is enabled?)
By the way, thanks so much for showing me the Configurable token lifetimes in Azure Active Directory article.
1. move to conditional access in Azure or
2. would just ADFS with Modern Authentication allow for
a. either the revocation of the token or
b. a short token lifetime thus forcing the user to have to authenticate (I suppose this is in preview and shouldn't really be recommended to clients or can this be done at ADFS when modern authentication is enabled?)
By the way, thanks so much for showing me the Configurable token lifetimes in Azure Active Directory article.
The problem is getting the client to "talk" to the AD FS server, as in the Modern auth scenario the goal is the opposite, kind of. I guess if you change the token lifetimes to something very short, so that the client is forced to re-authenticate to the AD FS server more often, it will work just fine. Then again, it will cause users to get prompted more often, so not a great experience. Revoking is also possible with "just AD FS", but limited compared to what we have now as part of Azure AD Conditional Access.
Sorry for the delayed reply btw, was at Ignite :)
Sorry for the delayed reply btw, was at Ignite :)
ASKER
Thanks Vasil,
Oh really? How is revoking possible?
I noticed that with Conditional Access, it still takes an hour for someone to get kicked off. Is that your experience? I was testing with Teams APP
Oh really? How is revoking possible?
I noticed that with Conditional Access, it still takes an hour for someone to get kicked off. Is that your experience? I was testing with Teams APP
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER