Multi-Factor authentication policy

  • Question

  • We’re currently using claim rules for MFA users, basically these rules check for: 1) Request is not coming from inside corporate network, 2) request is passive and 3) user is a member of the access group. If all three conditions are true, perform MFA.

    Rules:

    c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
    c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] &&
    c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "group SID value of allowed AD group"]
    => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    Is it possible to replace these rules with an Authorization Rule set and accomplish the same result? My concern is that Authorization Rules are used to deny or grant authorization, not to direct a user to perform MFA.

    1. Request is coming from the proxy (similar to insidecorporatenetwork = False)
    2. Request is passive
    3. User is a member of an AD access group
    4. If all these conditions are true, perform MFA.

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]) &&
    exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "Group SID value of allowed AD group"])
    => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    Thanks,

    Monday, October 10, 2016 10:59 PM

Answers

  • The authorization rules have two possible outcomes. The user has a permit claim or it doesn't. If it doesn't then we don't process the Issuance Transformation Rules.

    Is there something not working as you'd like currently?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, October 11, 2016 10:03 AM
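    The following is an added illustration, not code from the thread or from AD FS itself: a small Python model of the two rule sets in the question, evaluated against constructed claim sets, that shows the point made in the answer. The authorization rule set is read only for a permit claim, so the same rule body placed there neither triggers MFA nor grants access, whereas placed in the additional authentication rule set it issues the multipleauthn claim. The claim type URIs are the real AD FS ones from the page plus the standard authorization permit claim type; the group SID, the proxy name and the request samples are constructed placeholders, and the rule-set ordering is a simplification modelled on the answer rather than a full AD FS pipeline.

```python
"""Toy model of the AD FS claim-rule evaluation discussed in the thread.

Added illustration only: it models the rule sets from the question against
constructed claim sets. Claim type URIs are the real AD FS ones from the page
(plus the standard permit claim type); SIDs, proxy names and requests are made up.
"""
import re

INSIDE_CORP = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
AUTHN_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"  # standard AD FS permit claim

ALLOWED_GROUP_SID = "S-1-5-21-1111-2222-3333-1001"  # constructed placeholder group SID
PASSIVE_ENDPOINTS = re.compile(r"(/adfs/ls)|(/adfs/oauth2)")  # regex taken from the question's rules


def claim_exists(claims, ctype, value=None, pattern=None):
    """Model of the rule language's [Type == ..., Value == ...] and Value =~ ... matching."""
    for t, v in claims:
        if t != ctype:
            continue
        if value is not None and v != value:
            continue
        if pattern is not None and not pattern.search(v):
            continue
        return True
    return False


def mfa_conditions_v1(claims):
    """First rule set: not inside the corporate network, passive endpoint, member of the group."""
    return (claim_exists(claims, INSIDE_CORP, value="false")
            and claim_exists(claims, ENDPOINT, pattern=PASSIVE_ENDPOINTS)
            and claim_exists(claims, GROUP_SID, value=ALLOWED_GROUP_SID))


def mfa_conditions_v2(claims):
    """Second rule set: request arrived through the proxy, passive endpoint, member of the group."""
    return (claim_exists(claims, PROXY)
            and claim_exists(claims, ENDPOINT, pattern=PASSIVE_ENDPOINTS)
            and claim_exists(claims, GROUP_SID, value=ALLOWED_GROUP_SID))


def rule_body(claims, conditions):
    """The shared '=> issue(authenticationmethod = multipleauthn)' body from both rule sets."""
    return [(AUTHN_METHOD, MULTIPLE_AUTHN)] if conditions(claims) else []


def evaluate(claims, conditions, mfa_rule_in_authz_set=False):
    """Outcomes as described in the answer (an assumption-based model, not the real pipeline):
    MFA is required only if the additional authentication set issued multipleauthn;
    the user is permitted only if the authorization set issued a permit claim."""
    if mfa_rule_in_authz_set:
        authn_issued = []                              # nothing in the additional authentication set
        authz_issued = rule_body(claims, conditions)   # issues multipleauthn, never a permit claim
    else:
        authn_issued = rule_body(claims, conditions)   # MFA rule in the additional authentication set
        authz_issued = [(PERMIT, "true")]              # e.g. a plain 'permit everyone' authorization rule
    return {
        "mfa_required": (AUTHN_METHOD, MULTIPLE_AUTHN) in authn_issued,
        "permitted": any(t == PERMIT for t, _ in authz_issued),
    }


# Constructed sample requests (not captured from a real AD FS instance).
EXTERNAL_PASSIVE_MEMBER = [
    (INSIDE_CORP, "false"), (PROXY, "wap01"),
    (ENDPOINT, "/adfs/ls/"), (GROUP_SID, ALLOWED_GROUP_SID),
]
INTERNAL_PASSIVE_MEMBER = [
    (INSIDE_CORP, "true"),
    (ENDPOINT, "/adfs/ls/"), (GROUP_SID, ALLOWED_GROUP_SID),
]
EXTERNAL_ACTIVE_MEMBER = [
    (INSIDE_CORP, "false"), (PROXY, "wap01"),
    (ENDPOINT, "/adfs/services/trust/2005/usernamemixed"), (GROUP_SID, ALLOWED_GROUP_SID),
]

if __name__ == "__main__":
    for name, req in [("external passive", EXTERNAL_PASSIVE_MEMBER),
                      ("internal passive", INTERNAL_PASSIVE_MEMBER),
                      ("external active", EXTERNAL_ACTIVE_MEMBER)]:
        print(name, "v1:", evaluate(req, mfa_conditions_v1), "v2:", evaluate(req, mfa_conditions_v2))
    print("MFA rule moved into authorization set:",
          evaluate(EXTERNAL_PASSIVE_MEMBER, mfa_conditions_v1, mfa_rule_in_authz_set=True))
```

    Running it shows the three request shapes from the question (external passive member, internal passive member, external active member) under both condition variants, and then the case the question asks about: with the rule body moved into the authorization set, the model reports neither MFA nor a permit, because that set's only meaningful output is a permit or deny claim.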

All replies

  • Any updates?

    Sunday, October 16, 2016 11:03 PM