Set-AdfsRelyingPartyTrust -AdditionalAuthenticationRules error POLICY0030

  • Question

  • Hi,

    I'm having difficulty configuring the right authentication policy for my Office 365 RPT through PowerShell. What I want to achieve is to have Azure MFA applied only for the online O365 resources - Exchange Online, Office Portal, SharePoint Online etc., but not for desktop applications such as Outlook and Skype for Business or mobile applications such as InTune or Outlook. Ideally I'd have MFA enabled for those desktop applications as well but we're using a hybrid SfB deployment which isn't fully supported for MFA, so the user experience is terrible (multiple MFA prompts at log-in).

    I ran this:

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'


    But it didn't quite produce the desired effect - I was still being prompted to authenticate with MFA for Outlook and SfB, whereas I'm logged straight in if MFA is disabled.

    Next I tried to run this:

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
     && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
     && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'


    in the hope that it would give me the desired behaviour. However, I can't get it to run, despite all sorts of tweaking. The error I'm getting is:

    Parser error: 'POLICY0030: Syntax error, unexpected NOT, expecting one of the following: O_SQ_BRACKET IDENTIFIER .'

    Q1 - will this policy give me my desired behaviour?

    Q2 - why is it failing?

    Any help appreciated.

    Thanks,

    Max


    • Edited by Max Pountney Thursday, August 10, 2017 7:48 AM Added code blocks
    Wednesday, August 9, 2017 11:50 AM

Answers

  • The syntax is correct now. Thanks!

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) && EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]) && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.Autodiscover"]) && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

    I'm still getting an error, however.

    ADMIN0031: Configuring multiple policies of type' Issuance' is not supported.

    This post suggests that the only way around the error is to recreate the RPT... surely there must be a better solution. I've also tried restarting the ADFS service on all nodes - the change definitely didn't take.

    • Marked as answer by Max Pountney Thursday, August 24, 2017 3:30 PM
    Friday, August 11, 2017 2:31 PM

All replies

  • From a pure syntax perspective, you cannot use the c1: notation if you group them with EXISTS/NOT EXISTS clauses. You'll have to go all-in with the grouping. Something like:

    EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
     && EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"])
     && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
     && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
    

    But that's just from a syntax perspective. Now, looking at what you are trying to achieve, you'd better start with Azure AD Conditional Access and then from what you cannot do there, we can have a look at how to do it in ADFS. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, August 9, 2017 5:15 PM
  • Thanks for the feedback. I tried an amended script with your changes but I got the same error.

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) && EXISTS[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] && NOT EXISTS([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application”, Value==”Microsoft.Exchange.Autodiscover”]) && NOT EXISTS([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application”, Value==”Microsoft.Exchange.ActiveSync”]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

    I had a look at Conditional Access. It looks to me like a tool for enforcing conditions like MFA, but not for allowing access to specific applications using specific clients without MFA. If I configure a policy that enforces MFA for Exchange Online then MFA on the users account, the user also has to use MFA for the rest of the O365 suite.

    Thursday, August 10, 2017 2:54 PM
  • You missed a parenthesis "(".

    Thursday, August 10, 2017 3:12 PM
  • Oops!

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) && EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]) && NOT EXISTS([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application”, Value==”Microsoft.Exchange.Autodiscover”]) && NOT EXISTS([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application”, Value==”Microsoft.Exchange.ActiveSync”]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'


    I'm getting a different error now. Parser error: 'POLICY0029: Unexpected input. '

    Thursday, August 10, 2017 3:34 PM
  • You have “ type of quotes instead of ".

    Note that Conditional Access also has the ability to restrict the type of clients, and used with Intune, you can even create a compliance policy and ensure only compliant devices are used to access your Office 365 data.
    Thursday, August 10, 2017 3:51 PM
  • Right, thanks - I'll try with the different quotes and feedback.

    Yes, I actually have some basic Conditional Access policies set up for InTune already. But I'm not looking to restrict access at the moment, only to add MFA to specific applications. Ideally MFA would be applied to all apps but there proved to be some compatibility issues - hybrid Skype for Business doesn't work well with it even with Modern Auth enabled, and non-Microsoft clients have mixed levels of support. I could use a Conditional Access policy to restrict access from clients that don't fully support Azure MFA, but I'd be preventing use of some key clients like SfB.


    • Edited by Max Pountney Friday, August 11, 2017 2:15 PM spelling
    Friday, August 11, 2017 8:36 AM
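The thread's three syntax failures (POLICY0030 from a bare NOT mixed with c1: selectors, POLICY0029 from typographic quotes, and a missing "(" after EXISTS) are all things you can catch before the cmdlet ever reaches the AD FS parser. The script below is an added example, not code from the thread or from Microsoft: it holds the rule from the accepted answer in a single-quoted here-string, runs a hypothetical Test-ClaimRuleText helper whose checks are heuristics derived only from the errors seen above, applies the rule, and then reads the stored value back with Get-AdfsRelyingPartyTrust rather than assuming the change took. It assumes the ADFS PowerShell module is loaded on a farm node; $rpName is a placeholder for your Office 365 relying party trust's display name.

```powershell
# Added example, not code from the thread. Assumes the ADFS PowerShell module is
# loaded on a farm node and that $rpName names your Office 365 relying party trust
# (placeholder; check with Get-AdfsRelyingPartyTrust | Select-Object Name).
$rpName = 'Microsoft Office 365 Identity Platform'   # assumption, adjust for your farm

# Single-quoted here-string: nothing is expanded, the rule text reaches AD FS verbatim,
# and only ASCII " quotes appear inside it. This is the rule from the accepted answer.
$rule = @'
EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

function Test-ClaimRuleText {
    # Hypothetical helper: heuristic pre-flight checks for the three slips seen in the
    # thread. They do not replace the AD FS parser; they just fail fast on known mistakes.
    param([Parameter(Mandatory)][string]$Text)
    $problems = @()

    # 1. Typographic quotes (gave POLICY0029 "Unexpected input" in the thread).
    if ($Text -match '[\u201C\u201D\u2018\u2019]') {
        $problems += 'typographic quotes present; the rule language only accepts ASCII " quotes'
    }

    # 2. Unbalanced ( ) or [ ] (the missing "(" after EXISTS in the thread).
    foreach ($pair in @(@('(', ')'), @('[', ']'))) {
        $open  = [regex]::Matches($Text, [regex]::Escape($pair[0])).Count
        $close = [regex]::Matches($Text, [regex]::Escape($pair[1])).Count
        if ($open -ne $close) {
            $problems += ('unbalanced {0} {1}: {2} opening vs {3} closing' -f $pair[0], $pair[1], $open, $close)
        }
    }

    # 3. NOT outside an EXISTS(...) group, or cN:[...] selectors mixed with EXISTS groups
    #    (gave POLICY0030 "unexpected NOT" in the thread). Case-sensitive on purpose.
    if ($Text -cmatch '\bNOT\b(?!\s+EXISTS\b)') {
        $problems += 'NOT must be followed by EXISTS(...)'
    }
    if ($Text -cmatch '\bc\d*:\s*\[' -and $Text -cmatch '\bEXISTS\s*\(') {
        $problems += 'cN:[...] selectors cannot be mixed with EXISTS/NOT EXISTS groups'
    }
    return $problems
}

# Constructed broken copy: the same rule with curly quotes and one ")" removed,
# reproducing the intermediate attempts in the thread. Both slips are reported.
$broken = $rule.Replace('Value == "false"', 'Value == ' + [char]0x201C + 'false' + [char]0x201D)
$broken = $broken.Replace('(/adfs/oauth2)"])', '(/adfs/oauth2)"]')
Test-ClaimRuleText -Text $broken | ForEach-Object { Write-Output "broken rule: $_" }

# Pre-flight the real rule, apply it, then read back what the farm actually stored
# instead of assuming the Set call took effect.
$problems = @(Test-ClaimRuleText -Text $rule)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Rule text failed pre-flight checks; not applying.'
}

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

$stored = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
# Compare with whitespace collapsed, since AD FS may re-serialize line breaks.
$normalize = { param([string]$s) ($s -replace '\s+', ' ').Trim() }
if ((& $normalize $stored) -eq (& $normalize $rule)) {
    Write-Output "Additional authentication rule on '$rpName' matches the intended text."
} else {
    Write-Warning "Stored rule differs from the intended text. Stored value:`n$stored"
}
```

The read-back step is the part worth keeping even if you drop the linting: the ADMIN0031 error at the end of the thread is not a syntax problem, and the original poster's observation that "the change definitely didn't take" is exactly what comparing Get-AdfsRelyingPartyTrust's AdditionalAuthenticationRules against the intended text makes visible on every run, so a rule that silently failed to apply never leaves Outlook or ActiveSync clients under a different MFA policy than you believe is in force.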