Forum Discussion
ADFS Claims woes again!
The blog post is a bit too old and does not take Modern Authentication into account. I've put some pointers here: http://blog.enowsoftware.com/solutions-engine/ad-fs-claims-rules-and-modern-authentication
Thanks for this - it was an interesting read. I have adjusted my rules and I feel like I am missing it in the other direction. When I originally posted - I felt like people that should be getting blocked were allowed in. Now I am in the reverse situation, everyone is blocked.
In my lab I am on Office 2016 - Modern Authentication is NOT enabled.
Here is where I am at:
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.AutoDiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2560775519-1142356162-513121369-2108"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
if(insidecorporatenetwork = false and claim = active and application = (activesync OR autodiscover) and user not in allow_group) then deny. Right?
The above seems to deny whether the user is in the allow group or not?!? I believe I see all of the claims I want to see in my 500, 501 events in my security log?!?
Am I missing something obvious??
EDIT: Maybe I do have this and my testing has been invalid? Today I decided to start from scratch and rebuild all of my Outlook profiles for my 3 test users. This is where I am confused. I cannot add the account to an Outlook client even if the user is in the group to allow access. However, I just re-enabled 2 of the accounts on my phone (iOS Mail app) and the user that should have access is able to get in. A user that should not, does not. Is there something different going on with adding the profile to Outlook? I also tried to do some testing using the Exchange connectivity tester and saw the desired results. Would that be considered an accurate test? Really hoping to nail this down as my O365 trial expires tomorrow.
Thanks,
Steve
- Vasil Michev, Nov 17, 2016, MVP
Try changing "AutoDiscover" to "Autodiscover", as by default claims rules are case-sensitive.
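The following is an added example and not code from either poster: it applies the casing fix suggested above to the rule from the first post and installs it on the Office 365 relying party trust with PowerShell, keeping the trust's existing issuance authorization rules (the default permit-all rule must remain, otherwise every user is denied). Rather than relying on exact casing, the regex is prefixed with (?i), which AD FS's .NET regex engine honours, so both "AutoDiscover" and "Autodiscover" match; the group check uses == on the SID because a SID needs no pattern match. It assumes the relying party trust carries the default name "Microsoft Office 365 Identity Platform" and reuses the SID from the original rule; both are assumptions, not facts from the thread. Note that the rule still only matches the two client applications named in it, so a request carrying a different x-ms-client-application value (for example the Microsoft.Exchange.Mapi value mentioned later in this thread) is not affected by it.

```powershell
# Added example (not from the thread): install the corrected deny rule on the
# Office 365 relying party trust and keep the existing authorization rules.
# Assumptions: default RP trust name; allow-group SID taken from the original rule.
$rpName = 'Microsoft Office 365 Identity Platform'

# Single-quoted here-string: nothing inside is interpolated by PowerShell.
# (?i) makes the client-application match case-insensitive, so the
# "AutoDiscover" vs "Autodiscover" spelling no longer matters.
$denyRule = @'
@RuleName = "Deny external ActiveSync/Autodiscover unless in allow group"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "(?i)^Microsoft\.Exchange\.(ActiveSync|Autodiscover)"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-2560775519-1142356162-513121369-2108"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Keep a copy of the current rules so the change can be rolled back.
$backup = Join-Path $env:TEMP ('O365-authz-rules-{0:yyyyMMddHHmmss}.txt' -f (Get-Date))
$rp.IssuanceAuthorizationRules | Set-Content -Path $backup
Write-Host "Previous issuance authorization rules saved to $backup"

# Deny rules are evaluated alongside the existing permit rule; prepend the
# new rule and leave the existing rule set (including permit-all) in place.
$newRules = $denyRule + "`r`n" + $rp.IssuanceAuthorizationRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $newRules

# Show what AD FS actually stored.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules

# To see the claims each request carried (the 500/501 events referred to in
# the thread), AD FS auditing has to be switched on in the Security log.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
Set-AdfsProperties -LogLevel @('Errors', 'FailureAudits', 'SuccessAudits', 'Warnings', 'Information')
```

Run it in an elevated PowerShell session on the AD FS server. After a test logon from outside the corporate network, the 500/501 audit events list the x-ms-client-application and groupsid claims the rule keys on, which is the quickest way to confirm whether the spelling or the group membership is what prevents the rule from firing.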
- Stephen Bell, Nov 18, 2016, Iron Contributor
Thank you again!
Now I am seeing a Microsoft.Exchange.Mapi in my log. I haven't seen that yet. Still not able to block anyone - but I will have to dig in to find out why this header is coming through. I don't believe that I have seen this in any of the TechNet examples that I have read.
-Steve