Forum Discussion
ADFS Modern Authentication Claims Rules
I have ADFS 4 deployed and am attempting to create claims rules for O365 to accomplish the following:
- Allow intranet access
- Allow extranet access via ActiveSync only (no access to web apps or ability to download email to PCs)
Modern Authentication is enabled on tenant for Exchange Online and clients are using Outlook 2016.
I've set up access control policies like so:
Permit users
from internet network
and with Client Application claim equals to Microsoft.Exchange.ActiveSync and Client Application claim equals to Microsoft.Exchange.Autodiscover in the request
Permit users
from intranet network
This appears to be working to block traffic for web apps and Outlook 2016, but it is also blocking mobile access. I've tested mobile by configuring both Nine and the Outlook app, but I'm being blocked.
What am I doing wrong?
Chris Holdsworth (Copper Contributor):
Ah ha! I think I've got it figured out.
I set my permit users for internet to require the Client User Agent to match my devices. This seems to be working now, although regular expressions are a pain!
Can anyone confirm this is the best way to do this?
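The policy the thread ends up with (intranet permitted; extranet permitted only for ActiveSync/Autodiscover from approved user agents), written as ADFS issuance authorization rules and applied from PowerShell. This is an added example, not code from the thread; it assumes the relying party trust keeps its default name "Microsoft Office 365 Identity Platform", and the user-agent pattern and sample User-Agent strings are constructed placeholders to be replaced with the values your devices actually send.

```powershell
# Added example (not from the thread). Assumptions: default O365 RP trust name,
# and placeholder user-agent patterns that must be tuned to your own devices.

# Rule 1: any request that arrives from the corporate network is permitted.
$intranet = @'
@RuleName = "Permit intranet"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Rule 2: from outside, require BOTH an ActiveSync/Autodiscover client application
# AND an approved user agent. A single request carries only one
# x-ms-client-application value, so the two application names are alternatives
# (|) inside one regex, not two separate "equals" conditions joined with "and".
$extranetMobile = @'
@RuleName = "Permit extranet ActiveSync from approved devices"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "^Microsoft\.Exchange\.(ActiveSync|Autodiscover)$"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "^(Outlook-iOS-Android|Nine)/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# ADFS evaluates =~ with the .NET regex engine, the same engine PowerShell's
# -match uses, so the user-agent pattern can be checked here before deployment.
$uaPattern = '^(Outlook-iOS-Android|Nine)/'
$samples = @{                                   # constructed sample User-Agent strings
    'Outlook-iOS-Android/1.0'                                = $true
    'Nine/4.0 (Android)'                                     = $true
    'Microsoft Office/16.0 (Windows NT 10.0; Outlook 16.0)'  = $false   # desktop Outlook
    'Mozilla/5.0 (Windows NT 10.0) Chrome/70.0'              = $false   # browser (OWA)
}
foreach ($ua in $samples.Keys) {
    $got = $ua -match $uaPattern
    if ($got -ne $samples[$ua]) {
        throw "Pattern gives $got for '$ua', expected $($samples[$ua])"
    }
}

# Apply both rules. On ADFS 2016 an assigned access control policy must be
# cleared before issuance authorization rules can be set on the trust
# (assumption: the trust currently has an access control policy assigned).
Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' `
    -AccessControlPolicyName $null `
    -IssuanceAuthorizationRules ($intranet + "`n" + $extranetMobile)
```

The x-ms-client-application and x-ms-client-user-agent request-context claims are only present when Exchange Online proxies the client's credentials to ADFS (legacy authentication); a client signing in with Modern Authentication talks to ADFS directly, those claims are absent, and the extranet rule above will deny it, so check the ADFS audit events for the claims a given client actually presents before relying on them.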