cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ADFS Modern Authentication Claims Rules

Chris Holdsworth
Copper Contributor

‎Jan 30 2017 11:40 AM - edited ‎Jan 30 2017 11:42 AM

‎Jan 30 2017 11:40 AM - edited ‎Jan 30 2017 11:42 AM

ADFS Modern Authentication Claims Rules

I have ADFS 4 deployed and am attempting to create claims rules for O365 to accomplish the following:

- Allow intranet access

- Allow extranet access via Activesync only (No access to web apps or ability to download email to PCs)

 

Modern Authentication is enabled on tenant for Exchange Online and clients are using Outlook 2016.

 

I've setup access control policies like so:

 

Permit users
   from internet network

   and with Client Application claim equals to Microsoft.Exchange Activesync and Client Application claim equals to Microsoft.Exchange.Autodiscover in the request

Permit users

   from intranet network

 

This appears to be working to block traffic for webapps and Outlook 2016, but also is blocking mobile access. I've tested mobile by configuring both Nine and the Outlook app, but I'm being blocked.

What am I doing wrong?

 

 

2,304 Views
1 Like
1 Reply
Reply
1 Reply
Chris Holdsworth

‎Jan 30 2017 12:53 PM

‎Jan 30 2017 12:53 PM

Re: ADFS Modern Authentication Claims Rules

Ah ha! I think I've got it figured out.

I set my permit users for internet to require the Client User Agent to match my devices. This seems to be working now, although regular expressions are a pain!

Can anyone confirm this is the best way to do this?
0 Likes
Reply