pramod1 (asker):

REGEX FORMAT, ADFS

I need to enter IPs in regex format in my claim rule on my ADFS server.

Is there any way to do this?
Jeff Glover:

Guess I need to know more. Where are you trying to add IP addresses? In the Claim Issuance policy? In the Relying Party Trust?
AD FS claims rules do not support CIDR notation; you have to "expand" the ranges. Here's an example:

NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b145\.61\.20\.100\b|\b15\.61\.201\.100\b|\b15\.61\.200\.23\b|\b15\.61\.201\.23\b|\b82\.10\.214\.122\b|\b83\.35\.64\.15\b|\b20\.241\.82\.181\b"])

More details here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2k12#regular-expressions
pramod1 (asker):

I am trying to edit claim rules under the issuance authorization rule for Microsoft 365 Identity Platform.

How do I convert the IP 10.x.x.x to regex format? I need to allow those IPs.
Jeff Glover:

You want to match the entire 10.x.x.x subnet?
pramod1 (asker):

I have 5 IP addresses which I need to allow under the claim rule.
pramod1 (asker):

They are starting with 10.90.x.x.
pramod1 (asker):

I have an existing rule which says block all external access to Office 365 except ActiveSync.
pramod1 (asker):

Should I add it under that, or create a new regex? If so, how should I add it?
pramod1 (asker):

I need to just add 5 IP addresses.
pramod1 (asker):

Vishal,

How do I add 10.90.x.x? I have 5 IP addresses to be added as allowed under claim rules.
pramod1 (asker):

10.20.10.1-255
10.20.20.1-255
10.20.30.1-255

What should be the regex format for allowing these IPs in the claim rule?
pramod1 (asker):

Need to whitelist the IPs.
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)

(This solution is only available to members.)
pramod1 (asker):

I am sorry, I read it as

10.80.113.27-30

It will be \b10\.80\.113\.27\b
\b10\.80\.113\.28\b
\b10\.80\.113\.29\b

Do I sound correct?
pramod1 (asker):

It is 10.20.10.1-255
 10.20.20.1-255
 10.20.30.1-255 and not till 25,

so the number should be increased.
pramod1 (asker):

As I matched it on the analytics site, it says syntax error:
\b10\.20\.(10|20|30)\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b
pramod1 (asker):

Thanks Jeff, I need to convert the below:
10.80.113.27-30

Any help would be highly appreciated.
Jeff Glover:

That one is pretty easy:
\b10\.80\.113\.(27|28|29|30)\b

But you may want to look at this article. It explains things a little better:
https://blogs.technet.microsoft.com/askds/2012/06/26/an-adfs-claims-rules-adventure/
pramod1 (asker):

Thanks a lot, looking at it.
pramod1 (asker):

Just 1 question, Jeff.

As we have
 10.20.10.1-255
 10.20.20.1-255
 10.20.30.1-255

you wrote \b10\.20\.(10|20|30)\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b

Regarding this part, -2[0-5][0-9])\b, I didn't get it clearly?
pramod1 (asker):

Sorry, you wrote twice -[1-9]|[1-9][0-9]|1[0-9][0-9] ?
Jeff Glover:

1-9 = just that, .1 - .9
[1-9][0-9] = .10 - .99
1[0-9][0-9] = .100 - .199
and then 2[0-5][0-9] covers .200 to .259, but that is no big deal. Obviously 256 - 259 will never happen. I just did that so we wouldn't have a long string addressing each block of 10.

The | are "or" symbols, so it reads 1-9 or 10-99 or 100-199 or 200-259.
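The two patterns from this thread, checked the way the claim rule's `Value =~` test sees them (an unanchored regex search), as an added example that is not code from the thread or from AD FS; it is written in Python because `\b`, alternation and character classes behave the same there as in the .NET regex engine AD FS uses. STRICT_RULE, expand_rule and the sample values are assumptions constructed here, not from the thread.

```python
import re
from typing import Dict, List

# Patterns quoted in the thread (AD FS uses .NET regex; these constructs match Python's).
RANGE_RULE = r"\b10\.20\.(10|20|30)\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b"
LIST_RULE = r"\b10\.80\.113\.(27|28|29|30)\b"
# Assumed tightened variant (not from the thread): last octet 1-255 exactly,
# closing the 256-259 slack Jeff describes above.
STRICT_RULE = r"\b10\.20\.(10|20|30)\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\b"


def matches(pattern: str, value: str) -> bool:
    """Emulate the claim rule test  Value =~ pattern  : a regex search, not anchored,
    which is why the \\b word boundaries in the patterns matter."""
    return re.search(pattern, value) is not None


def evaluate(pattern: str, values: List[str]) -> Dict[str, bool]:
    """Run one pattern over several candidate claim values."""
    return {v: matches(pattern, v) for v in values}


def expand_rule(prefix: str, low: int, high: int) -> str:
    """Generalise Jeff's 27-30 example: build an explicit-alternation rule for any
    last-octet range, e.g. ('10.80.113', 27, 30) reproduces LIST_RULE exactly."""
    if not 0 <= low <= high <= 255:
        raise ValueError("last octet range must lie within 0-255 with low <= high")
    octets = "|".join(str(n) for n in range(low, high + 1))
    return r"\b" + re.escape(prefix) + r"\.(" + octets + r")\b"


if __name__ == "__main__":
    # Constructed sample claim values: in range, out of range, the 256 caveat,
    # a longer prefix that \b must reject, and an IP embedded in a longer string.
    samples = ["10.20.10.1", "10.20.30.255", "10.20.10.0", "10.20.40.5",
               "10.20.10.256", "110.20.10.5", "203.0.113.5, 10.20.20.7"]
    for name, pat in (("RANGE_RULE", RANGE_RULE), ("STRICT_RULE", STRICT_RULE)):
        print(name)
        for v, ok in evaluate(pat, samples).items():
            print(f"  {v:26} -> {'allow' if ok else 'no match'}")
    print("expand_rule reproduces LIST_RULE:", expand_rule("10.80.113", 27, 30) == LIST_RULE)
```

Note that "10.20.10.256" is accepted by RANGE_RULE but not by STRICT_RULE, and that the search also succeeds when the allowed address is only part of a longer claim value.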
pramod1 (asker):

I meant you wrote twice -[1-9]|[1-9][0-9]|1[0-9][0-9] ? Sorry for the confusion.
SOLUTION

(This solution is only available to members.)
pramod1 (asker):

Thanks a lot, let me look.
pramod1 (asker):

What is the advantage of using IPs in regex on the ADFS server? Is it just for Office 365 connectivity?
pramod1 (asker):

Above was my last question. Thanks.
Jeff Glover:

I would assume it is to control who can access ADFS. I guess you control who can submit a claim, but in my humble opinion, if you don't want external users using ADFS, I imagine you could do this with an Access Control Policy. So, to me, the only advantage is it helps you understand RegEx expressions a little more. Others may have found uses for this better than me and can explain it better, but we don't go that draconian in our security. We have one RPT that has a custom access control policy, but that is for intranet users only.
pramod1 (asker):

Should I add the IPs in off hours or in production hours?
pramod1 (asker):

Will it affect anything if I add them in office hours?
Jeff Glover:

As I said, I have never worked with this level of blocking before, but as a rule it is best to default to after hours if you aren't sure. That way you can test without others yelling at you.
pramod1 (asker):

How should I validate that it is working correctly?
pramod1 (asker):

Once I add these IPs in the claim rule, will it be effective right away?
Jeff Glover:

I have no real clue as to what you are trying to accomplish. I have never tried to limit the IPs before using RegEx expressions. Before you make changes, you should be fully aware of what you are trying to do. Messing with the defaults in ADFS without knowing what they do should only happen in a test environment. I'm sorry. I can tell you how to write Regex, but as far as putting it into production, I would never try it without having a test network set up and doing it there. You should reach out to Vasil about this. I think he is more up on this subject than me. I run 2 ADFS farms and have some customization, but nothing this limiting.