Deny Specific IP/Range from Accessing ADFS 3.0 Microsoft Office 365

  • Question

  • I'm working on a custom claim to match one of two specific IPs and deny the claim if it's either.

    Here's the regex (IP changed for fun to 1.2.3.4 and 5.6.7.8):

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "(^1\.2\.3\.4|^5\.6\.7\.8)"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

    It doesn't seem to be working as expected; I'm still seeing bad username and password attempts from those IPs in the event logs, like:

    Token validation failed. See inner exception for more details.
    Additional Data
    Activity ID: 00000000-0000-0000-0000-000000000000
    Token Type:
    http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName 
    Client IP:
    1.2.3.4,{Exchange Online Server IP} 

    Error message:
    username@contoso.com-The user name or password is incorrect

    Is my syntax or regex off for ADFS 3?

    • Edited by BYoung1750 Friday, June 30, 2017 5:52 PM hit enter too soon
    Friday, June 30, 2017 5:49 PM
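As an added example (not code from the thread), this Python script works from the defender's side of the event text quoted above: it pulls the originating client out of the comma-separated "Client IP" field that the Exchange Online proxy leaves behind, checks it against a deny range, and lists the failed logons that came from denied addresses. It also applies the posted claim-rule regex unchanged, to show that a pattern anchored only at the start matches 1.2.3.45 as well as 1.2.3.4. The sample events, addresses and user names are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample events in the shape the question quotes. "Client IP" is
# "<client>,<proxy>" when Exchange Online forwards the logon; addresses are
# placeholders, not real ones.
SAMPLE_EVENTS = [
    "Token validation failed. See inner exception for more details.\n"
    "Client IP:\n1.2.3.4,203.0.113.10\n"
    "Error message:\nusername@contoso.com-The user name or password is incorrect",
    "Token validation failed. See inner exception for more details.\n"
    "Client IP:\n1.2.3.45,203.0.113.10\n"
    "Error message:\nother@contoso.com-The user name or password is incorrect",
    "Token validation failed. See inner exception for more details.\n"
    "Client IP:\n198.51.100.7\n"
    "Error message:\nthird@contoso.com-The user name or password is incorrect",
]

# The posted claim-rule regex, unchanged: anchored at the start only.
POSTED_RULE_REGEX = re.compile(r"(^1\.2\.3\.4|^5\.6\.7\.8)")

# Deny list expressed as networks so a whole range can be listed.
DENY_RANGES = [ipaddress.ip_network("1.2.3.4/32"), ipaddress.ip_network("5.6.7.0/24")]


def client_ip_of(event: str):
    """Originating client from 'Client IP:'. The field may be a comma list
    '<client>,<proxy>'; the first entry is the address the proxy forwarded."""
    m = re.search(r"Client IP:\s*([^\n]+)", event)
    return m.group(1).split(",")[0].strip() if m else None


def is_denied(ip: str) -> bool:
    """Exact address containment in the deny ranges (no prefix matching)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENY_RANGES)


def posted_regex_matches(value: str) -> bool:
    """The test the posted rule applies to the forwarded-client-ip value."""
    return POSTED_RULE_REGEX.search(value) is not None


def failed_logons_from_denied(events):
    """Usernames of failed logons whose originating client is denied."""
    hits = []
    for ev in events:
        ip = client_ip_of(ev)
        user = re.search(r"Error message:\s*([^-\n]+)-", ev)
        if ip and user and is_denied(ip):
            hits.append(user.group(1).strip())
    return hits
```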

Answers

  • You cannot block an authentication attempt based on issuance transform rules.

    Rules are processed only after a successful authentication.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, June 30, 2017 8:47 PM

All replies

  • Hi Pierre

    Then what do you do if you want to block validation attempts from a specific IP-range?

    Friday, October 27, 2017 11:20 AM
  • It depends where it comes from. If it comes directly from a client, you can block the IP in the perimeter firewall. If the request is proxied by a cloud service (like Active Sync clients being proxied by Exchange Online) then you have to look if the cloud service has an option to block this IP address.

    Please create a new thread as this one has been marked as answered.

    Friday, October 27, 2017 2:34 PM
  • Thank you

    I will create a new thread.

    Wednesday, November 1, 2017 2:44 PM