Hi @Pierre Audonnet - MSFT and thank you for replying , If you delete the MS365 RTP and use the Azure AD Connect to rebuild the RTP on ADFS, it places the older UI for "Issuance Authorization Rules" instead of the newer "Access Ui for Access Control Policy" is what I was talking about. I did this to make sure the Azure trust and ADFS was properly setup as a verification.
As for the rules, here is everything setup on the RTP. Everything is default setup that the Azure AD Connect built from the practice mentioned above. No rules were added beyond this.
Print out of request:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Identifier "urn:federation:MicrosoftOnline"
AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy : False
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint : https://login.microsoftonline.com/login.srf
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {}
ClaimsAccepted : {}
EncryptClaims : True
Enabled : True
EncryptionCertificate :
Identifier : {https://login.microsoftonline.com/extSTS.srf, urn:federation:MicrosoftOnline}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : 1fe839e0-204a-eb11-865e-0689e582178b
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public, Confidential
IssueOAuthRefreshTokensTo : AllDevices
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
ScopeGroupIdentifier :
DeviceAuthenticationMethod :
Name : Microsoft Office 365 Identity Platform Worldwide
AutoUpdateEnabled : False
MonitoringEnabled : True
MetadataUrl : https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadat
a.xml
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules : @RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
Value = "true");
IssuanceTransformRules : @RuleName = "Issue UPN"
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types =
("http://schemas.xmlsoap.org/claims/UPN"), query =
"samAccountName={0};mail;{1}", param = regexreplace(c.Value,
"(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
@RuleName = "Issue Immutable ID"
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types =
("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query =
"samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value,
"(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
@RuleName = "Issue nameidentifier"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
=> issue(Type =
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value =
c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimpropert
ies/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
@RuleName = "Issue accounttype for domain-joined computers"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =
"DJ");
@RuleName = "Issue AccountType with the value USER when it is not a computer
account"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "DJ"])
=> add(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =
"User");
@RuleName = "Issue issuerid when it is not a computer account"
c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value ==
"User"]
=> issue(Type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value =
regexreplace(c1.Value, "(?i)(^([^@]+)@)(partners\.)*(?<domain>((?<=partners\.)XXXX\.com|XXXX\.com))$", "http://${domain}/adfs/services/trust/"));
@RuleName = "Issue issuerid for DJ computer auth"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value ==
"DJ"]
=> issue(Type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value =
"http://XXXX.com/adfs/services/trust/");
@RuleName = "Issue onpremobjectguid for domain-joined computers"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
&& c2:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(store = "Active Directory", types =
("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query =
";objectguid;{0}", param = c2.Value);
@RuleName = "Pass through primary SID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
&& c2:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~
"^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(claim = c2);
@RuleName = "Pass through claim - insideCorporateNetwork"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
=> issue(claim = c);
@RuleName = "Pass Through Claim - Psso"
c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
=> issue(claim = c);
@RuleName = "Issue Password Expiry Claims"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
=> issue(store = "_PasswordExpiryStore", types =
("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime",
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays",
"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};",
param = c1.Value);
@RuleName = "Pass Through Claim - AlternateLoginID"
c:[Type == "http://schemas.microsoft.com/ws/2013/11/alternateloginid"]
=> issue(claim = c);
@RuleName = "Pass through claim - authnmethodsreferences"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
=> issue(claim = c);
@RuleName = "Pass through claim - multifactorauthenticationinstant"
c:[Type == "http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactora
uthenticationinstant"]
=> issue(claim = c);
@RuleName = "Pass through claim - certificate authentication - serial number"
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"]
=> issue(claim = c);
@RuleName = "Pass through claim - certificate authentication - issuer"
c:[Type ==
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"]
=> issue(claim = c);
DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful : True
LastUpdateTime : 12/30/2020 12:15:48 AM
LastMonitoredTime : 1/4/2021 12:16:25 AM
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName :
AccessControlPolicyParameters :
ResultantPolicy :
PS C:\Windows\system32>