Issuance Authorization rules for Office 365 with Modern Authentication

  • Question

  • Using Issuance Authorization rules, I am looking to restrict Extranet access to Office 365 for users that are not a member of a domain group. The restriction would be for anything except Web-based applications and ActiveSync (in other words, Outlook desktop client, POP, IMAP, etc. would not be allowed).

    First off, I have already followed this guide https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2k12. I do not believe it works for me because my O365 tenant is configured for Modern Authentication. The only rule I can get to work is restrict Extranet access to All Office 365 if not member of domain group.

    My question is: if the O365 tenant is configured for Modern Authentication, is it true that it is impossible to restrict access by application because, regardless of the application, the x-ms-client-application claim will always be blank and the x-ms-endpoint-absolute-path will always be /adfs/ls/? Sign-on appears the same as signing in from a web browser.

    Is the only solution to disable Modern Authentication so that x-ms-client-application is filled or use Intune (which I do not have)?

    Tuesday, June 5, 2018 5:29 PM
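The rule set the question describes, written out as an added example (PowerShell plus ADFS claim rule language; this is not code from the thread or from the linked Microsoft guide). It uses permit rules rather than the deny rules in the guide: ADFS refuses a token unless some issuance authorization rule issues a permit claim, so an extranet sign-in from a user outside the group that is neither a browser (passive /adfs/ls/ endpoint) nor Exchange ActiveSync simply receives no permit and is denied. The group SID and the relying party display name are assumptions to replace with your own values.

```powershell
# Added example: ADFS issuance authorization rules for the Office 365 relying party.
# Goal (from the question): block extranet access for users outside one AD group,
# except for web-based (browser) sign-ins and Exchange ActiveSync.
# Run on an ADFS server as an ADFS administrator. Values below are assumptions.

$RelyingParty    = "Microsoft Office 365 Identity Platform"   # assumed default RP display name
$AllowedGroupSid = "S-1-5-21-PLACEHOLDER-1234"                # assumed SID of the AD group allowed full client access

# Claim types used here are the standard ADFS request-context claims:
#   insidecorporatenetwork, groupsid, x-ms-endpoint-absolute-path, x-ms-client-application.
$rules = @"
@RuleName = "Permit everyone inside the corporate network"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit members of the allowed group from the extranet (any client)"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) &&
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$AllowedGroupSid$"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit browser (passive endpoint) sign-ins from the extranet"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/ls/)"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit Exchange ActiveSync from the extranet"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Replace the relying party's issuance authorization rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $rules

# Read the rules back to confirm what ADFS will actually evaluate.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
```

Note the limitation the question itself raises: the third rule keys on x-ms-endpoint-absolute-path and the fourth on x-ms-client-application, so it only separates clients whose requests carry distinguishing values in those claims. A Modern Authentication client that arrives at /adfs/ls/ with an empty x-ms-client-application matches the browser rule and is permitted like a browser would be, which is exactly why the rule set cannot single out Outlook once the tenant uses Modern Authentication.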

All replies

  • Additional notes...

    I see that AzureAD Premium Conditional Access policies supposedly can be used with Modern Authentication. What does that do differently than ADFS authorization claims? We do not subscribe to AzureAD Premium and I don't think there would be justification in doing so for this feature.

    Also, I found this document that talks about this very issue with Modern Authentication and suggests that you do not onboard your tenant to Modern Authentication if you plan on using Issuance Authorization claims for access. The document is a bit dated though. By the time we got Office 365, Office 2016 was out and our tenant was already enabled for Modern Authentication as default.

    • Edited by Brandon.M Wednesday, June 6, 2018 1:49 PM
    Wednesday, June 6, 2018 1:46 PM
  • I performed some additional testing. I verified that with the "allow extranet access to web-based applications" issuance authorization rule in place (which also means allow all Modern Authentication clients), authentication no longer worked from the native mail app on my iPhone and a colleague's Android. I turned on ADFS Trace logging and found that the x-ms-client-application claim was receiving a value of Microsoft.Exchange.ActiveSync during those sessions. Another colleague's iPhone was still able to authenticate, which means it must be using Modern Authentication. I read that Modern Authentication support was added to the native mail app in iOS 11. Possibly my iPhone is still using Basic Authentication as I set the account up prior to upgrading to iOS 11.

    I still would really like to know how the AzureAD Conditional Access is able to work with Modern Authentication applications. It is kind of BS that app-specific conditional access was possible with ADFS rules prior to Modern Authentication and now it is not. It is like Microsoft expects you to spend more money for a service feature that was once available with ADFS, but then they took it away and put it in AzureAD Premium. Maybe I should open a support call and ask them why this official support document will never work unless you disable Modern Authentication on the tenant to ensure client applications can only use Basic Authentication. I would not be surprised if they don't even "fully support" disabling Modern Authentication on the tenant.

    • Edited by Brandon.M Monday, June 11, 2018 3:44 PM
    Monday, June 11, 2018 3:41 PM
  • Just an update...

    I enrolled in the Azure AD Premium trial and tested Conditional Access Policies. It supports Modern Authentication clients, but offers nothing really different than what can be done with ADFS claims. Azure AD can only block all Modern Authentication clients, not specific ones. There is a special "approved applications" option that you can allow access to, which is basically every application/service in the Office 365 suite, but that does not help me because it's all or nothing. My goal is to only block extranet access from Outlook Pro, which is a Modern Authentication client. Unfortunately that blocks new ActiveSync mail clients and web browsers. I started a new thread on this particular topic in the Exchange Online forum. Feel free to read what I tested and the results. https://social.technet.microsoft.com/Forums/en-US/549d22b7-6656-4f1b-9f4d-821970ab20f0/azure-ad-conditional-access-policy-to-block-outlook-professional-from-extranet?forum=onlineservicesexchange
    Thursday, June 14, 2018 11:23 PM