ADFS Claims Rules Sample # 1 – Office 365

Microsoft has a nice tutorial on understanding and implementing claims rules for the Office 365 platform, however if you set the default rule to deny all (by removing the Permit All claims rule), there are a few additional rules that need to be configured based on what you are trying to do.  Please note that as conditional access policies mature, some of these rules can instead be accomplished in Azure AD.

Sample Rules for Office 365.

Permit OWA and other Passive Claim Access

This rule permits all passive (browser-based) sign-ins, that is, anything arriving at the /adfs/ls or /adfs/oauth2 paths on ADFS.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
Permit Active Sync

Users reaching the active endpoint of ADFS with a client application name of Microsoft.Exchange.Autodiscover or Microsoft.Exchange.ActiveSync are allowed to authenticate.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
Permit Outlook (No Modern Authentication).

This rule is for legacy (basic authentication) access by the Outlook client.  Outlook connects to the active endpoint of ADFS, so access can be restricted by the client's public IP address as forwarded to ADFS.  In this example, the allow list contains a single external IP address plus a /24 (Class C) address range.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.1\.1\b|\b192\.168\.10\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\b"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
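Added example (not from the original post): a small Python harness that evaluates the Outlook rule above against constructed request contexts, and shows why the two halves of the IP regex must be joined by a single "|". A doubled "||" leaves an empty alternative, and an empty alternative matches every address, so the IP restriction silently disappears. Python's re module is assumed to behave like the .NET regex engine for these patterns, and the claim types are shortened to their x-ms-* suffixes.

```python
import re

# Constructed example: the IP allow-list regex from the Outlook rule in two forms.
# BROKEN has an empty alternative between the two "|" characters and matches any
# value; FIXED joins the single host and the /24 range with one "|".
BROKEN_IP_PATTERN = (r"\b192\.168\.1\.1\b||"
                     r"\b192\.168\.10\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\b")
FIXED_IP_PATTERN = (r"\b192\.168\.1\.1\b|"
                    r"\b192\.168\.10\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\b")

ACTIVE_ENDPOINT = "/adfs/services/trust/2005/usernamemixed"
EAS_OR_AUTODISCOVER = r"Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"


def value_matches(pattern, value):
    """Approximate the claim-rule '=~' operator: an unanchored regex match."""
    return re.search(pattern, value) is not None


def outlook_rule_permits(request, ip_pattern=FIXED_IP_PATTERN):
    """Evaluate the legacy-Outlook rule over a dict of request-context claims.

    Keys are the x-ms-* suffixes of the claim types the rule reads. A missing
    key behaves like a missing claim, so the corresponding exists([...]) is false.
    """
    path = request.get("endpoint-absolute-path")
    app = request.get("client-application")
    ip = request.get("forwarded-client-ip")
    on_active_endpoint = path == ACTIVE_ENDPOINT
    is_exchange_client = app is not None and value_matches(EAS_OR_AUTODISCOVER, app)
    ip_allowed = ip is not None and value_matches(ip_pattern, ip)
    return on_active_endpoint and not is_exchange_client and ip_allowed


def audit_ip_pattern(pattern, samples):
    """Return {ip: matched} so an allow-list regex can be checked before deployment."""
    return {ip: value_matches(pattern, ip) for ip in samples}


if __name__ == "__main__":
    # Constructed sample addresses: in range, at the edges, and outside the range.
    samples = ["192.168.1.1", "192.168.10.77", "192.168.10.255",
               "192.168.10.256", "192.168.11.5", "10.0.0.5"]
    print("fixed :", audit_ip_pattern(FIXED_IP_PATTERN, samples))
    print("broken:", audit_ip_pattern(BROKEN_IP_PATTERN, samples))
```

Run the audit against every address you expect to be rejected before pushing a rule set with a deny-all default; a pattern that matches an out-of-range address is the signal that an alternative is empty or unanchored.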
Additional Rules that you may require.

By limiting access to the endpoints of ADFS, you will inadvertently break access to other Office 365 applications.  Here are three that I have come across in my testing.

Allow the Office Suite, as well as SharePoint Designer

This rule allows the desktop Office applications (Word, Excel, and so on) and SharePoint Designer to connect to Office 365 through the active endpoints.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "/adfs/services/trust/2005/usernamemixed|/adfs/services/trust/2005/windowstransport"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "SPDESIGN.EXE|VISIO.EXE|EXCEL.EXE|WINWORD.EXE|POWERPNT.EXE|ONENOTE.EXE|LYNC.EXE"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

Allow Azure AD Join

This rule will reinstate the ability for Azure AD join of Windows 10 devices.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/13/usernamemixed"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "Windows-AzureAD-Authentication-Provider"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
Catch all rule for the Active Endpoint

This rule covers any remaining access to the active endpoints of ADFS, which is what PowerShell access to the Office 365 tenant needs.  In this sample, I am locking down this access based on group membership (the SID value of the group).

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "/adfs/services/trust/2005/usernamemixed|/adfs/services/trust/2005/windowstransport"])
&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-1000000000-500000000-2000000000-540000"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");