ADFS Modern Authentication Claims Rules

Chris Holdsworth
I have ADFS 4 deployed and am attempting to create claims rules for O365 to accomplish the following:

- Allow intranet access

- Allow extranet access via ActiveSync only (no access to web apps or ability to download email to PCs)

 

Modern Authentication is enabled on tenant for Exchange Online and clients are using Outlook 2016.

 

I've set up access control policies like so:

Permit users
   from internet network
   and with Client Application claim equals to Microsoft.Exchange.ActiveSync and Client Application claim equals to Microsoft.Exchange.Autodiscover in the request

Permit users
   from intranet network

 

This appears to be working to block traffic for webapps and Outlook 2016, but also is blocking mobile access. I've tested mobile by configuring both Nine and the Outlook app, but I'm being blocked.

What am I doing wrong?

1 Reply
Ah ha! I think I've got it figured out.

I set my permit users for internet to require the Client User Agent to match my devices. This seems to be working now, although regular expressions are a pain!

Can anyone confirm this is the best way to do this?
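The same intent (permit everything from the intranet, permit only ActiveSync and Autodiscover from the internet) expressed as custom issuance authorization rules rather than the access control policy editor, applied with the AD FS PowerShell module. This is an added example, not code from the original thread. It assumes an ADFS 2016 farm where the Office 365 relying party trust carries the Azure AD Connect default name "Microsoft Office 365 Identity Platform", and it is written to be run in an elevated PowerShell session on an ADFS server. The user-agent patterns in the optional third rule are placeholders, not verified strings.

```powershell
# Added example, not from the original post.
# Assumptions: ADFS 2016 (AD FS 4), Office 365 RP trust named as below,
# and permission to replace the RP's authorization rules.
$rp = "Microsoft Office 365 Identity Platform"

# Claim types used below:
#   insidecorporatenetwork  - "true" when the request arrived via an internal
#                             federation server, "false" via the WAP proxy.
#   x-ms-client-application - set by Exchange Online on requests it proxies to
#                             ADFS on behalf of a legacy (basic auth) client.
#   x-ms-client-user-agent  - the caller's User-Agent header, as forwarded.
$rules = @'
@RuleName = "Permit intranet"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit extranet only for ActiveSync and Autodiscover"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "^Microsoft\.Exchange\.(ActiveSync|Autodiscover)$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Optional: permit extranet by user agent (header is client-supplied, so not a security boundary)"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)^Outlook-(iOS|Android)/"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# A relying party that uses a built-in access control policy ignores custom
# issuance authorization rules, so detach the policy first, then install the rules.
Set-AdfsRelyingPartyTrust -TargetName $rp -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $rules

# Read back what is now in effect and confirm no access control policy is attached.
$trust = Get-AdfsRelyingPartyTrust -Name $rp
$trust.AccessControlPolicyName
$trust.IssuanceAuthorizationRules
```

Two things worth noting about the rules. First, a single request carries one value of the client-application claim, so the internet rule matches either value with a regex alternation; a rule that requires the claim to equal ActiveSync and also equal Autodiscover can never be satisfied. Second, the client-application claim is populated when Exchange Online proxies a legacy-authentication request to ADFS; a modern-authentication client authenticates through Azure AD, which sends ADFS a passive sign-in request that does not carry that claim, so such clients fall through to deny under the second rule and only the user-agent rule admits them. The User-Agent header is chosen by the client and trivially forged, so a user-agent rule is a convenience filter rather than an access control; for modern-authentication clients, device- or app-based Conditional Access in Azure AD is the control that actually binds the decision to the client.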