
ADFS Claims Rules Sample # 2 – Enforce Multifactor Authentication

The ADFS GUI allows only rudimentary control of multifactor authentication (MFA). That control centers on Device Trusted/Untrusted, Network Inside/Outside, and User Group Members. But what if you want an exception group, or want MFA only on the passive endpoint and not the active endpoint, or want to lock MFA down to specific apps? You cannot do that through the GUI. You need PowerShell.

Multifactor authentication rules are stored in the AdditionalAuthenticationRules parameter of a relying party trust, which you can inspect with the cmdlet Get-AdfsRelyingPartyTrust. In my previous post, I outlined how to control Office 365 via policies. The same approach applies here: you can use any combination of claims rules to control when MFA is required.

Please note that you do need an MFA provider configured on ADFS. ADFS claims rules cannot differentiate between providers if more than one is selected.

Step 1: Focus the claims rules on a particular trust. You can also apply them globally, but for this example we are again going to focus on Office 365. Run the cmdlet:

Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"

You will see that the AdditionalAuthenticationRules parameter is empty.

Step 2: Determine the claims that should trigger MFA. In this sample, I want to target the passive endpoints for all external users who do not belong to a specific Active Directory group. Remember that the AD group is matched by SID, not by name.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]) && Not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-0000000000-000000000-0000000000-000000"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

Step 3: Pulling it all together. We want to insert this rule into the AdditionalAuthenticationRules parameter for Office 365. To do this, run the following PowerShell:

# Look up the Office 365 relying party trust, then set the MFA rule on it
# (plain hyphens for parameter names, straight single quotes around the rule).
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules 'exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]) && Not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-1338325200-504760778-2079600828-465239"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

And there you go.  Now if you ever need to remove the rule, just blank it out:

# Clearing the parameter (empty string) removes the additional authentication rules.
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules ''

That removes the MFA requirement from the trust.
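Pulling the three steps above into one script, as an added example that is not part of the original post: it resolves the exception group's SID from its name (claims rules need the SID, not the name), applies the same conditions to the trust, reads the rule back to confirm it landed, and restores the previous rules if that check fails. The trust name is the one from the post; the group name CONTOSO\MFA-Exempt and the rule name are placeholders, and the SID is compared with == rather than the post's =~ so the match is exact instead of a regex search.

```powershell
# Added example (not the post's own code). Assumes the ADFS module is loaded
# on an ADFS server and that the trust and group named below exist.
$TrustName    = "Microsoft Office 365 Identity Platform"
$ExceptionGrp = "CONTOSO\MFA-Exempt"   # placeholder: DOMAIN\GroupName

# Claims rules match groups by SID, not by name, so translate the name first.
$sid = ([System.Security.Principal.NTAccount]$ExceptionGrp).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Same conditions as the post: request arrived via the proxy (external),
# hit a passive endpoint, and the user is not in the exception group.
# '==' on the SID is an exact comparison; '=~' would be a regex search.
$rule = @"
@RuleName = "MFA for external users on passive endpoints"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' not found." }

# Keep whatever was there so the change can be rolled back ('' if nothing).
$backup = [string]$rp.AdditionalAuthenticationRules
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

# Read the rule back and check that the exception SID is present in it;
# if not, put the previous rules back rather than leave the trust half-set.
$applied = (Get-AdfsRelyingPartyTrust -Name $TrustName).AdditionalAuthenticationRules
if ($applied -notmatch [regex]::Escape($sid)) {
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $backup
    throw "Rule did not apply as expected; previous rules restored."
}
"MFA rule applied to '$TrustName' (exception group SID $sid)."
```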


Categories: How-To's
