ADFS Claim Rule Help - Office 365 (MFA)

  • Question

  • Hi,

We want to implement the following scenario for our ADFS infrastructure for Office 365 access. All rules should only be triggered for browsers and no other protocols.

    • Generally, nobody should have browser-based access to Office 365.
    • There is one AD security group which should have direct browser-based access to O365 internally, and MFA should be triggered when connecting from externally.

    I am not 100% sure how to solve that.

    Thanks in advance

    Monday, March 27, 2017 6:11 AM

All replies

  • Hi,

    I have figured out some rules, but I am not 100 percent sure in which order I should apply them.

    I think this should be the correct order:

    1. @RuleName = "Issuance authorization: permit the group on browser endpoints from inside the corporate network"
       c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
        && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
        && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<SID>"]
        => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
    2. @RuleName = "Additional authentication: require MFA for the group on browser endpoints from outside the corporate network"
       c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
        && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
        && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<SID>"]
        => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
    3. @RuleName = "Issuance authorization: deny Domain Users on browser endpoints unless they are in the group (a deny claim overrides a permit claim)"
       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<SID of Domain Users>"]
        && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
        && NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<SID>"])
        => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

    Could anybody give me feedback if this should work?


    Tuesday, March 28, 2017 5:43 PM
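As an added example (not part of the original thread, and not a reply by any of the participants): the PowerShell to resolve the group SID and load the rules above into the two rule sets of the Office 365 relying party trust. The permit/deny rules belong in the issuance authorization rules, the multipleauthn rule in the additional authentication rules. The trust display name "Microsoft Office 365 Identity Platform" (the default created by Convert-MsolDomainToFederated), the group name "O365-Browser-Users" and the presence of the ADFS and ActiveDirectory modules on the server are assumptions.

```powershell
# Added example, not from the original thread. Assumptions: run on an ADFS server with the
# ADFS and ActiveDirectory modules available, the O365 relying party trust still has its
# default display name, and "O365-Browser-Users" is the (hypothetical) group that may use a browser.
Import-Module ADFS
Import-Module ActiveDirectory

$RpName    = "Microsoft Office 365 Identity Platform"   # verify with Get-AdfsRelyingPartyTrust
$GroupName = "O365-Browser-Users"                       # hypothetical group name

# Resolve the SID from AD instead of copying it by hand.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

$InsideNet        = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$EndpointPath     = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
$GroupSidClaim    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$BrowserEndpoints = "(/adfs/ls)|(/adfs/oauth2)"   # passive (WS-Fed/SAML) and OAuth2 browser endpoints

# Issuance authorization rules decide permit/deny. A deny claim overrides a permit claim,
# so the deny rule must exclude the group itself; non-browser endpoints keep the default
# "permit everyone" so Outlook, ActiveSync and the like are unaffected.
$IssuanceAuthorizationRules = @"
@RuleName = "Permit all users (default rule, keeps non-browser protocols working)"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny browser endpoints for everyone who is not in the group"
c:[Type == "$EndpointPath", Value =~ "$BrowserEndpoints"]
 && NOT EXISTS([Type == "$GroupSidClaim", Value == "$GroupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Additional authentication rules decide when the extra (MFA) provider is invoked.
# insidecorporatenetwork is "false" only for requests that arrive through the Web Application Proxy.
$AdditionalAuthenticationRules = @"
@RuleName = "Require MFA for the group on browser endpoints from outside the corporate network"
c:[Type == "$InsideNet", Value == "false"]
 && c1:[Type == "$EndpointPath", Value =~ "$BrowserEndpoints"]
 && c2:[Type == "$GroupSidClaim", Value == "$GroupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -IssuanceAuthorizationRules $IssuanceAuthorizationRules `
    -AdditionalAuthenticationRules $AdditionalAuthenticationRules

# Read both rule sets back to confirm what was stored.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, IssuanceAuthorizationRules, AdditionalAuthenticationRules |
    Format-List
```

Two checks before relying on this: the insidecorporatenetwork claim is only meaningful when all external traffic reaches the farm through the Web Application Proxy (a farm reachable directly from the Internet sees every request as internal, and the MFA rule never fires), and the multipleauthn claim only has an effect if an additional authentication provider is enabled on the farm (Get-AdfsGlobalAuthenticationPolicy shows the configured providers).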
  • So you want to block all legacy clients and allow only modern auth from a specific AD group? Correct?


    Monday, April 3, 2017 8:22 PM
  • Hi,

    I want to block all access from a browser to Office 365 except for the specified group. This specific group should be able to access the Office Portal internally without MFA and externally with MFA.


    Friday, April 7, 2017 7:24 AM