Capabilities conditional access policies

  • Question

  • Do the different versions of ADFS have different CAP capabilities?


    • Edited by ME5555 Tuesday, April 5, 2016 3:08 PM
    Saturday, April 2, 2016 1:19 PM

Answers

  • To determine whether or not the client went through a proxy (hence that the client is connected externally), you can check for the presence of the following claim type:

    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy

    Note that this will also break access for ActiveSync clients that have their mailbox in the cloud and try to access it from an internal device. Here is some more info: https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx

    For the domain-joined part, you cannot do it with ADFS 2.0. One way to do it would be to use Workplace Joined devices with the Device Registration Service of ADFS on Windows Server 2012 R2. Which leads me to the main question: why can't you upgrade? That's a fairly straightforward process with almost no service interruption (due to the parallel-run upgrade path): https://technet.microsoft.com/en-us/library/jj647765.aspx.

    What do you think would be blocking for you?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, April 2, 2016 9:27 PM
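    The check described in this answer, as issuance authorization rules on the Office 365 relying party trust, is shown below as an added example (not code from the thread). It assumes ADFS 2.0 with Update Rollup 2 or later (which introduced the requestcontext claims), the default relying party name created by federating a domain, and a placeholder regex for the corporate egress IP; the x-ms-forwarded-client-ip and x-ms-client-application claim types are the companions of x-ms-proxy, and the ActiveSync exemption clause covers the breakage the answer warns about.

    ```powershell
    # Added example: deny Office 365 sign-ins that arrived through the ADFS proxy
    # (external clients) unless they come from a known corporate egress IP, while
    # exempting Exchange ActiveSync so cloud mailboxes keep syncing.
    # On ADFS 2.0 the cmdlets live in a snap-in; on 2012 R2 they are a module.
    if (-not (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }

    $rpName      = 'Microsoft Office 365 Identity Platform'   # assumption: default RP trust name
    $corpIpRegex = '^203\.0\.113\.(10|11)$'                    # PLACEHOLDER: your public egress IPs, anchored

    # Keep a copy of the current rules so the change can be rolled back.
    $before = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
    $before | Out-File -FilePath ".\o365-authz-rules-backup-$(Get-Date -Format yyyyMMddHHmm).txt"

    # Deny wins over permit in ADFS regardless of rule order, so the ActiveSync
    # exemption must be a NOT clause inside the deny rule, not a separate permit.
    $rules = @"
    @RuleName = "Deny external clients (via proxy, not from a corporate IP, not ActiveSync)"
    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    @RuleName = "Permit everyone else"
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
    "@

    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

    # Confirm what is now in place before testing from an internal and an external client.
    (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
    ```

    Test from an internal client, a client behind the proxy from a non-corporate IP, and an ActiveSync device before relying on it; the regex must be anchored or a longer address sharing a prefix will match.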
  • We've decided to go to ADFS 3.0. You indicated that the migration is painless... but the pain associated with political jockeying to get the right solution approved is often greater than the technology challenges.
    Thursday, April 21, 2016 3:16 PM

All replies

  • Any insight into limitations this approach has as opposed to upgrading to ADFS 3?
    • Edited by ME5555 Tuesday, April 5, 2016 3:08 PM
    Monday, April 4, 2016 11:21 PM
  • You can limit certain access both with ADFS 2.x and ADFS 3.0.

    With ADFS 3.0, you can also take the identity of the device into account. But for the scenarios listed for Office 365, they have the same capabilities.

    Now I'm curious: why wouldn't you go to ADFS 3? I mean, it has so many more features than 2.0, and the migration is painless. What is blocking for you?

    Tuesday, April 5, 2016 1:56 PM