locked
ADFS 4.0 Access Control Policy Question RRS feed

  • Question

  • I had a question on setting up proper access for internal and external access of users to a relying party trust, and wanted to know the correct way to apply the rules.

    What I want to achieve is.. require the user to be in an AD security group AND require MFA when on the internet, but ONLY require the user to be in the AD group when on the internal network, and NOT require MFA.

    What would be the proper way to setup the Access Control Policy to ensure I can achieve this configuration?

    Wednesday, September 25, 2019 7:10 PM

All replies

  • I'm assuming that you've already got your ADFS 2016 or 2019 infrastructure in place (MFA provider installed, ADFS proxies configured, and split-brained DNS configured). From there its pretty straightforward.

    In the ADFS console, go to the Access Control Policies.

    • Create a new policy and give it a descriptive name.
    • Click "Add" then check "from specific groups"
    • Click the underlined "specific" then "Parameter specified when the policy is assigned". Click OK twice
    • Click "Add" then check "from specific networks", "from specific groups", and "and require multi-factor auth"
    • Click on the underlined "specific" in "from specific networks". Choose "Internet" and hit OK
    • Click on the underlined "specific" in "from specific groups" then choose "Parameter specified when the policy is assigned". Click OK three times
    • Find the relying party you want to restrict. Click "edit access control policy"
    • Select the access control policy that you just created. Click on the two links for "parameter" and then select the AD group you want to require membership from.

    You could slightly simplify by choosing the group when you create the policy, but by making it a templated policy you can reuse it for multiple RPs with different group requirements.

    Friday, September 27, 2019 2:22 PM
  • So based off your recommendation, it would look like this:

    Permit users

         from <parameter> groups

    Permit users

         from internet network

         and from <parameter> groups

         and require multi-factor authentication

    Does ADFS look at the first rule, and then the second sequentially? Or does ADFS look at all rules, and if you are coming from the internet (you meet the criteria), the second rule will take precedence?

    The way I configured it was:

    Permit users

         from <parameter> groups

         and require multi-factor authentication

    except

         from intranet network

    Permit users

         from <parameter> groups

    Would this configuration work the same way as your recommendation?

    Friday, September 27, 2019 7:19 PM
  • D'oh! While what I gave you should still work (because I believe that all rules are evaluated and the most specific matches), it's better to make the intention explicit by adding a "from intranet network" clause to the first rule. Notice that's how the built in "permit everyone and require MFA from the extranet" policy does it.

    I think yours would work as well, its just my personal preference is that saying "from internet" is slightly clearer than "except from intranet"

    Friday, September 27, 2019 9:49 PM