This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

ADFS Claim Rule Help - Office 365 (MFA)

Question
0

Sign in to vote
Hi,

we want to implement the following scenario for our ADFS infrastrucutre for Office 365 access. All rules should be only triggered on Browsers and no other protocols.

Generally nobody should have Browser-Based access to Office 365
there is one AD security group which should have internally direct browser based Access to O365 and when connecting from externally MFA should be triggered.

I am not 100% sure how to solve that.

Thanks in advance
Michael
Monday, March 27, 2017 6:11 AM

All replies

0

Sign in to vote
Hi,

I have figured out some rules but I am not 100 percent sure in which order I should apply them.

I think this should be the correct order

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"] && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<SID>"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<SID>"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<SID of Domain Users>"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny",Value = "DenyUsersWithClaim");

Could anybody give me feedback if this should work?

Thanks,
Michael
Tuesday, March 28, 2017 5:43 PM
0

Sign in to vote

So you want block all legacy clients and allow only modern auth from a specific AD group? Correct?
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Monday, April 3, 2017 8:22 PM
0

Sign in to vote

Hi,

I want to block all access from a browser to Office 365 except for the specified group. This specific group should be able to access the Office Portal internally without MFA and externally with MFA.

Michael

Friday, April 7, 2017 7:24 AM