Exclude Skype for Business from Office 365 ADFS restriction claim

  • Question

  • In an ADFS 3.0 scenario with Office 365, I set an ADFS rule that allows Outlook access to Office 365 only from certain public IP addresses. With Skype for Business up to version 16.0.4498.1000, the application is affected by this strange problem: when users of the organization use Skype4B outside of the addresses defined in the ADFS rules, the user logs on to the application and goes online (so Skype is usable), but an annoying pop-up appears continuously asking for credentials. Analyzing in detail, Skype also tries to use MAPI for the calendar, which is clearly blocked by the rule defined below. How can I improve the current rule in production by inserting a condition that implicitly allows Skype4B?

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
    && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.SMTP | Microsoft.Exchange.Pop | Microsoft.Exchange.Imap | Microsoft.Exchange.PopImap | Microsoft.Exchange.Mapi | Microsoft.Exchange.RPC | Microsoft.Exchange.Nspi | Microsoft.Exchange.OfflineAddressBook "])
    && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "LIST IP ALLOW"])
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");


    Monday, May 15, 2017 5:48 PM
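
How the deny rule in the question evaluates, as an added example that is not part of the original post: a Python model of the claim rule operators, with `==` as an exact comparison and `=~` as an unanchored regex search (Python's `re` stands in for the .NET regex engine AD FS uses). The helper names, the `wap01` proxy value and the IP addresses are constructed for illustration.

```python
import re

NS = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
PROXY, APP, IP = NS + "x-ms-proxy", NS + "x-ms-client-application", NS + "x-ms-forwarded-client-ip"

# Client applications named in the rule on this page.
APPS = ["SMTP", "Pop", "Imap", "PopImap", "Mapi", "RPC", "Nspi", "OfflineAddressBook"]
# The value exactly as printed in the question (pipe-separated, trailing space).
PRINTED_LITERAL = " | ".join("Microsoft.Exchange." + a for a in APPS) + " "
# The same list written as an anchored alternation for use with '=~'.
APP_REGEX = "^Microsoft\\.Exchange\\.(" + "|".join(APPS) + ")$"


def allow_regex(ips, anchored=True):
    """Build the allow-list pattern; word boundaries stop 203.0.113.7 matching 203.0.113.70."""
    body = "|".join(re.escape(ip) for ip in ips)
    return rf"\b({body})\b" if anchored else body


def exists(claims, ctype, value=None, regex=None):
    """Model of exists([Type == t]), with an optional Value == v or Value =~ r condition."""
    for t, v in claims:
        if t != ctype:
            continue
        if value is not None and v != value:                # '==' compares the whole string
            continue
        if regex is not None and not re.search(regex, v):  # '=~' searches anywhere in the value
            continue
        return True
    return False


def deny_issued(claims, ip_pattern, app_value=None, app_regex=None):
    """True when all three conditions of the rule hold and the deny claim is issued."""
    return (exists(claims, PROXY)
            and exists(claims, APP, value=app_value, regex=app_regex)
            and not exists(claims, IP, regex=ip_pattern))


def request(app, ip, via_proxy=True):
    """Constructed request context (sample data, not captured traffic)."""
    claims = [(APP, app), (IP, ip)]
    return claims + [(PROXY, "wap01")] if via_proxy else claims


ALLOWED = ["198.51.100.10", "203.0.113.7"]  # constructed documentation addresses
```

A calendar request that arrives as `Microsoft.Exchange.Mapi` from outside the allow list is denied regardless of which program sent it, which matches the repeated credential prompt described in the question. The model also shows that the pipe-separated list only works as an alternation under `=~`, and that an unanchored IP pattern admits look-alike addresses.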

All replies

  • Hello,

    From your description, I notice that this issue is more related to the ADFS server with Office 365; however, this forum is more focused on Skype for Business Server. Thus, I highly recommend contacting the ADFS forum for further assistance.

    For your convenience:

    Best Regards,

    Allen Wang


    Wednesday, May 24, 2017 1:04 PM