Access control policy to only allow access to users on the intranet or from Intune managed mobile devices

  • Question

  • Hey guys, I have ADFS 2016 in place and federated with Office 365.

    Everything currently works, however it's wide open to everyone. What I need to do is restrict access to only allow users that are on the local network or are using a mobile device managed by Intune.

    I've had a look at the access control policies in ADFS but I need some help as I'm not quite sure what settings to use.

    I can create a rule using the "from specific network" and that gives me the option to select Intranet, Internet or specify IP ranges.

    How does it know when the request comes from the "Intranet"?

    I also see an option to select "from devices with specific trust level". That lets me choose from 3 options:

    Authenticated, Managed or Compliant

    Not sure what they all refer to, but could I use "Managed" as a way to allow mobile devices managed by Intune to get access? If you could explain what these options do would be great too.

    In short, if I create the following policy would it meet my requirements:
    Permit Users from Intranet network
    Permit users from devices with managed trust level

    • Edited by amary96 Tuesday, August 8, 2017 7:38 AM
    Tuesday, August 8, 2017 7:14 AM

All replies

  • It's a small world. I've just started looking at this too. I'm in the same boat, although I'm using MaaS360 for my MDM option.

    With devices with a specific trust level, if we can use some kind of certificate generation through NDES and Radius, that would work beautifully.

    I can't help as such, but I'm keen to see how you get on with this one.

    Tuesday, August 8, 2017 9:30 AM
  • Intranet means that the device's traffic did NOT come through the Web Application Proxy for ADFS. It means it hit the ADFS server directly. That way you don't have to define IP addresses. Requests from outside your network should hit the ADFS Web Application Proxy if you have one set up. Internal users should be hitting the ADFS server(s) directly.

    As for your other questions, I don't know; I came here with the same questions about exactly what "from devices with specific trust level" means.

    Wednesday, July 17, 2019 1:11 PM
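  • The two-condition policy from the original question ("from Intranet" OR "from devices with Managed trust level"), written out as the equivalent AD FS claim rule language and applied to the Office 365 relying party trust. This is an added example, not code from either poster: the relying party name, the backup file path and the claim-type URIs are assumptions, so verify the URIs on your own farm with Get-AdfsClaimDescription before applying the rules.

```powershell
# Added example: enforce "intranet OR managed device" for Office 365 via issuance
# authorization rules. Run in an elevated PowerShell session on the primary AD FS server.
$rpName = "Microsoft Office 365 Identity Platform"   # assumed; check Get-AdfsRelyingPartyTrust | Select Name

# Claims AD FS 2016 evaluates for access control policies (verify with Get-AdfsClaimDescription):
#   insidecorporatenetwork = true -> request reached AD FS directly, not through the Web Application Proxy
#   isregistereduser = true       -> "Authenticated" trust level (device registered)
#   ismanaged = true              -> "Managed" trust level (device registered and MDM-managed, e.g. Intune)
#   iscompliant = true            -> "Compliant" trust level (MDM reports the device compliant)
Get-AdfsClaimDescription | Where-Object ClaimType -like "*devicecontext*" | Select-Object Name, ClaimType

$permit = "http://schemas.microsoft.com/authorization/claims/permit"

# Two independent permit rules: a request needs only one of them to match.
# Anything that matches neither gets no permit claim and is denied.
$rules = @"
@RuleName = "Permit users on the intranet"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "$permit", Value = "true");

@RuleName = "Permit users on managed (MDM-enrolled) devices"
c:[Type == "http://schemas.microsoft.com/2014/09/devicecontext/claims/ismanaged", Value == "true"]
 => issue(Type = "$permit", Value = "true");
"@

# Keep a copy of the current authorization rules so the change can be reverted.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules | Out-File ".\O365-IssuanceAuthorizationRules.bak.txt"   # assumed path

# A relying party with an access control policy assigned does not accept custom rules,
# so detach the policy first, then apply the rule set above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Confirm what is now in effect.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

    Test from a browser on the LAN (hits AD FS directly, should permit), from outside via the Web Application Proxy on an unmanaged device (should deny), and from an Intune-enrolled device outside (should permit) before relying on it; the denied case confirms that the proxy is adding the insidecorporatenetwork=false context as the reply above describes.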