Block access to O365 using UserAgentString - ADFS 2016 Claim Rule

  • Question

  • Objective: somewhat similar to https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2k12#scenario3

    My requirement

    • Android user - Allow Application Based Access
    • Android User - Deny Browser based Access

    UserAgentString for browser: Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari

    Any help or suggestion would be appreciated.

    Regards,

    Manoj

    Thursday, January 17, 2019 8:13 PM

Answers

  • It is not recommended to base authorization decisions on the user-agent string as it is arbitrarily set by the user-agent (in other words, you can configure a browser or an application to send whatever user-agent string you want).

    You should use some sort of device registration and base the authorization on the fact the device is registered or not. And as Jorge suggested, this is possible with Azure AD Conditional Access Policies. 

     

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, January 22, 2019 1:40 PM
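    To make the point in this answer concrete, the following is an added Python model of the two policy shapes discussed in the thread; it is not code from the original posts or from ADFS. It evaluates the user-agent rule the question asks for (deny Android browser-shaped User-Agent values) next to a device-registration rule over a few constructed claim sets. The x-ms-client-user-agent claim type is the one ADFS populates from the User-Agent header; the isregistereduser device-context claim type and the sample User-Agent values other than the one quoted in the question are assumptions for this illustration.

```python
import re

# Claim type ADFS populates from the incoming User-Agent header.
UA_CLAIM = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"
# Device-registration claim type; assumed here as the signal a registration-based policy keys on.
DEVICE_CLAIM = "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"

# Browser-shaped Android UA: "Android" followed by "Mobile Safari", as in the UA quoted
# in the question. In ADFS claim rule language the equivalent deny rule would be roughly:
#   c:[Type == "<UA_CLAIM>", Value =~ "Android.*Mobile Safari"]
#    => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
ANDROID_BROWSER = re.compile(r"Android.*Mobile Safari")

# Constructed sample requests (claim sets as ADFS would see them); not captured from a real farm.
SAMPLE_REQUESTS = {
    "android_browser_unregistered": {
        # The User-Agent string quoted in the question.
        UA_CLAIM: "Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari",
        DEVICE_CLAIM: "false",
    },
    "android_app_registered": {
        UA_CLAIM: "Outlook-Android/2.0",  # constructed app-style UA
        DEVICE_CLAIM: "true",
    },
    "android_app_unregistered": {
        UA_CLAIM: "Outlook-Android/2.0",  # same header, but the device is not registered
        DEVICE_CLAIM: "false",
    },
}


def ua_based_decision(claims):
    """The rule the question asks for: deny browser-shaped Android UAs, permit everything else.
    The decision depends entirely on a header the client chooses."""
    ua = claims.get(UA_CLAIM, "")
    return "deny" if ANDROID_BROWSER.search(ua) else "permit"


def device_based_decision(claims):
    """The shape this answer recommends: permit only when the device-registration
    claim is present and true. The User-Agent plays no part in the decision."""
    return "permit" if claims.get(DEVICE_CLAIM, "").lower() == "true" else "deny"


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return {request name: (UA-rule decision, device-rule decision)} for each claim set."""
    return {name: (ua_based_decision(c), device_based_decision(c))
            for name, c in requests.items()}


if __name__ == "__main__":
    for name, (ua_result, device_result) in evaluate_all().items():
        print(f"{name:30} UA-rule={ua_result:6} device-rule={device_result}")
```

    The third sample is the instructive one: the user-agent rule permits it because the header does not look like a browser, while the device rule denies it because the device is not registered. Since the header is supplied by the client, the user-agent rule cannot distinguish a genuine app from a browser presenting the same value, whereas the registration claim is established by the directory rather than the request.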
  • Thanks for the suggestion. Sure, will achieve this using Azure AD.

    Regards,

    Manoj

    Wednesday, January 23, 2019 2:32 AM

All replies

  • Why are you trying to do this in ADFS and not through CA policies in AAD?

    IMHO, you should use Azure AD Conditional Access


    Cheers,

    Jorge de Almeida Pinto

    Lead Consultant | MVP Enterprise Mobility & Security | IAM Technologies

    COMMUNITY...:

    REQUEST: Please mark as answer if it helped you. Thanks!

    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    Friday, January 18, 2019 1:05 PM