Block Office 365 Outlook RPC and POP3 Access from Internet For Group of users using ADFS Custom Claim Rule


  • Hello Experts,

    We are moving from Lotus Domino to Office 365. We have the following organisation compliance requirements.

    1. Block Office 365 Outlook RPC Access from Internet for Group of users
    2. Block Office 365 POP3 Access from Internet for Group of Users

    To achieve this requirement we have implemented an ADFS and ADFS Proxy server in our environment. We are new to ADFS and ADFS Proxy.

    We have created the following custom claim rules on the ADFS server, but the blocked users are still able to access Outlook RPC and POP3.

    Please help us to implement correct ADFS custom claim rules.

    1. Block Office 365 Outlook RPC Access from Internet for Group of users

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
     && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2094187657-301325705-1977759447-11618"])
     && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
     && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    2. Block Office 365 POP3 Access from Internet for Group of Users

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
     && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2094187657-301325705-1977759447-11620"])
     && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.PopImap|Microsoft.Exchange.SMTP"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    Regards,

    Nitin


    Regards, Nitin Dongre

    • Moved by pbbergs [MSFT] Friday, July 27, 2012 12:04 PM (From: Directory Services)
    Thursday, July 26, 2012 8:18 PM

All replies

  • Please use the ADFS forum and ask your question.
    http://social.msdn.microsoft.com/Forums/en/Geneva/


    Since your question is related to Office 365, you may want to post this question in the Microsoft Online/Transition forum:
    http://social.technet.microsoft.com/Forums/en-us/bpostransition


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Friday, July 27, 2012 2:48 AM
  • I'll move this thread to the dedicated Office 365 forum to fetch a better response on the issue.

    http://community.office365.com/en-us/forums/default.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, July 27, 2012 10:04 AM
  • I would highly recommend posting this in the ADFS forum. You will get a lot more help that way on this specific topic. I have a customer that has successfully used claim rules to do exactly what you are attempting to do.

    This is what they currently have to block Outlook from an external network:

    NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "SID NUMBER"])
     && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.RPC"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\bxxx\.xxx\.xxx\..*\b"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    I have masked the IP address and group SID.

    Have a great day,

    Dan


    http://insecurityinc.info

    Monday, July 30, 2012 10:54 PM
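To check the logic of the rules in this thread before putting them on a federation server, here is an added Python model of the claim-rule exists([...]) condition (not code from the thread or from ADFS): it evaluates the question's rule 1 and Dan's rule against a constructed request, and shows that Value == "Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices" compares the claim against that literal string and never matches a real client-application value, while =~ treats it as a regex alternation. The '==' / '=~' semantics are a simplification of the ADFS rule language, and the SIDs, host name and addresses are constructed.

```python
import re

# Claim types quoted in the thread, shortened to constants for readability.
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
GROUP = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"

def exists(claims, ctype, op=None, pattern=None):
    """Simplified model of exists([Type == ctype, Value <op> pattern]).
    '==' is exact string equality; '=~' is an unanchored regex search."""
    for claim_type, value in claims:
        if claim_type != ctype:
            continue
        if op is None:                                   # exists([Type == ctype])
            return True
        if op == "==" and value == pattern:
            return True
        if op == "=~" and re.search(pattern, value):
            return True
    return False

def deny_rpc_for_group(claims, group_sid, app_op):
    """Rule 1 from the question: deny one group's Outlook RPC/EWS logons that arrive via the proxy.
    app_op is the operator used on x-ms-client-application ('==' as posted, '=~' as corrected)."""
    return (exists(claims, PROXY)
            and exists(claims, GROUP, "=~", group_sid)
            and exists(claims, APP, app_op, "Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices"))

def deny_rpc_unless_exempt_or_lan(claims, exempt_sid, lan_regex):
    """Dan's pattern: deny Outlook RPC unless the user is in the exempt group or the client IP is internal."""
    return (not exists(claims, GROUP, "=~", exempt_sid)
            and exists(claims, APP, "=~", "Microsoft.Exchange.RPC")
            and not exists(claims, FWD_IP, "=~", lan_regex))

# Constructed request: a member of the blocked group, Outlook RPC through the ADFS proxy, external address.
# Caveat: an unanchored =~ "...-1001" on a SID would also match "...-10010"; anchor it or use == for SIDs.
BLOCKED_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID
REQUEST = [
    (PROXY, "adfsproxy01"),                       # constructed proxy host name
    (GROUP, BLOCKED_SID),
    (APP, "Microsoft.Exchange.RPC"),
    (FWD_IP, "203.0.113.25"),                     # documentation address, i.e. "external"
]
LAN_REGEX = r"^10\.0\.0\.\d+$"                    # constructed internal range, anchored

if __name__ == "__main__":
    print("posted rule ('==') denies:   ", deny_rpc_for_group(REQUEST, BLOCKED_SID, "=="))
    print("corrected rule ('=~') denies:", deny_rpc_for_group(REQUEST, BLOCKED_SID, "=~"))
```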