This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

ADFS 2016 Instantly Block Access from internet network without login prompt

Question
0

Sign in to vote
Hello community,

we got the demand to try to block the access to a relying party from internet network and allow the access to this relying party from intranet network if they are in some defined groups.

Now is it even possible to somehow configure the ADFS to block the access from the internet without displaying the standard login prompt to the user? I know how to technically configure the Access Control Polices, my only question would be if the ADFS design allows an instant block if the user comes from an external network without displaying anything (maybe an redirect after the blockage).

Would be great if someone quickly responds :)
- Edited by Ho2pe Wednesday, June 12, 2019 8:30 AM changed title
Wednesday, June 12, 2019 8:23 AM

Answers

0

Sign in to vote
If you don't have a WAP, you don't allow direct connection from the Internet. That would be one way.

If you want to bann specific IPs or network only, then you can use the following:

- https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-banned-ip

Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Friday, June 14, 2019 12:44 PM
- Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Friday, June 21, 2019 3:54 PM
Wednesday, June 12, 2019 4:58 PM

All replies

0

Sign in to vote

Forgot to mention that it is a SP Initiated Sign on

Wednesday, June 12, 2019 8:24 AM
0

Sign in to vote
If you don't have a WAP, you don't allow direct connection from the Internet. That would be one way.

If you want to bann specific IPs or network only, then you can use the following:

- https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-banned-ip

Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Friday, June 14, 2019 12:44 PM
- Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Friday, June 21, 2019 3:54 PM
Wednesday, June 12, 2019 4:58 PM