Access restriction using ADFS for O365

  • Question

  •  We have a requirement to restrict users from connecting to Outlook in O365 from outside the office network. We configured ADFS and, as per the steps mentioned below, tried to block all external access to Office 365 (Scenario 1). What happens is that even the internal users got restricted after enabling the policy.

    https://technet.microsoft.com/en-us/library/dn592182.aspx?f=255&MSPPError=-2147217396

    Note: We had specified the IP that needs to be allowed in the policy builder.

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
     && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\bx\.x\.x\.x\b"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    This was the claim being used, and instead of x, we gave the public IP.

    Any help would be much appreciated


    Anoop


    Tuesday, July 26, 2016 5:25 AM

All replies

  • Any help ?


    Anoop

    Wednesday, August 3, 2016 5:25 AM
  • The internal users shouldn't have the http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy claim in their pipeline. Have you checked your DNS resolution? Internal clients should resolve the URL of the ADFS farm to the internal IP address of your ADFS farm and not the WAP. Can you check this?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, August 3, 2016 2:16 PM
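The behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of how the posted rule evaluates for different request paths. The IP addresses, the proxy name `wap01` and the scenario in which the WAP sees a private source address are constructed assumptions, and Python's `re` stands in for the rule's `=~` match.

```python
import re

# Claim types copied from the rule posted in the question.
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

# Constructed placeholder for the office public IP (documentation range).
ALLOWED_IP_REGEX = r"\b203\.0\.113\.10\b"


def exists(claims, claim_type, value_regex=None):
    """Model of exists([Type == ..., Value =~ ...]) over the incoming claims."""
    return any(
        t == claim_type and (value_regex is None or re.search(value_regex, v))
        for t, v in claims
    )


def evaluate(claims):
    """Return the claims the posted rule would issue for this request."""
    if exists(claims, PROXY) and not exists(claims, FWD_IP, ALLOWED_IP_REGEX):
        return [(DENY, "true")]
    return []


def is_denied(claims):
    return (DENY, "true") in evaluate(claims)


# Constructed request contexts (proxy name and addresses are hypothetical).
SCENARIOS = {
    # Internal DNS points at the AD FS farm: no proxy claim is present.
    "internal, direct to farm": [],
    # Assumption: internal client resolved the farm name to the WAP, and the
    # WAP saw a private source address rather than the office public IP.
    "internal, via WAP, private source": [(PROXY, "wap01"), (FWD_IP, "10.1.2.3")],
    # Internal client reached the WAP through the office NAT.
    "internal, via WAP, office NAT": [(PROXY, "wap01"), (FWD_IP, "203.0.113.10")],
    # External client on an unrelated public address.
    "external": [(PROXY, "wap01"), (FWD_IP, "198.51.100.7")],
}

if __name__ == "__main__":
    for name, claims in SCENARIOS.items():
        print(f"{name:36} -> {'DENY' if is_denied(claims) else 'permit'}")
```

In this model the only internal request that is denied is the one that carries the x-ms-proxy claim with a forwarded address the regex does not match, which is the case the DNS check in the reply is meant to rule out.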
  • You could achieve this by not exposing your ADFS service to the public Internet; devices not using AD-based DNS would therefore not resolve the ADFS service, and user logins would fail.

    http://blog.ryanbetts.co.uk

    Friday, August 5, 2016 3:07 AM
  • Any update here?

    Thursday, August 11, 2016 9:00 PM