ADFS Claim Rules

Dogukan Tolga Sen 1 Reputation point
2021-07-29T06:05:48.17+00:00

Hello folks! We have a bit of a situation. I will try to sum it up. We have an MDM server, and our staff wants our ADFS to block other traffic if the request comes through the ActiveSync protocol. I have written the rules below, but whenever I activate them and restart the ADFS service, some random users get asked for their passwords again and again in the Outlook client (the small window where Outlook asks for your username and password).

c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b100\.100\.100\.100\b"]
=> issue(Type = "http://custom/mdm", Value = "true");

This rule defines the server I was talking about, which has the IP 100.100.100.100, let's say.

c1:[Type == "http://custom/mdm", Value != "true"]
&& c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

The second rule is: if the traffic is not coming from 100.100.100.100 AND the protocol is ActiveSync, block the connection. I am not sure about this one.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5....", Issuer =~ "^AD AUTHORITY$"]

=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

We also have an exception Active Directory group; this one works well, no problems.

c:[]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

And lastly, the permit-all-other-connections rule. I have tried this one with c:[] and without c:[]. I am not sure if I should put it there.
Any ideas? What could be the reason for this Outlook password behaviour?
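The same policy as an added example, not the poster's configuration, written as one issuance authorization rule set in the PowerShell you would use to install it; the relying party name, the MDM IP and the exception group SID are placeholders. The deny condition is expressed with NOT EXISTS, because a condition on a claim that was never issued matches nothing, and the exception group is excluded inside the deny condition because an issued deny claim overrides any permit claim.

```powershell
# Added example (not from the post): the same policy as one issuance authorization
# rule set, with the claim-type URIs spelled as AD FS defines them (http://, not
# https://) and the "request did not come through the MDM server" test written
# with NOT EXISTS. A condition such as
#   c1:[Type == "http://custom/mdm", Value != "true"]
# only matches a claim that is present with some other value; when the first rule
# never fired, no such claim exists and the deny rule silently never applies.
# Because an issued deny claim overrides any permit claim, the exception group is
# excluded from the deny condition rather than handled by a separate permit rule.
# Placeholders (assumptions): relying party name, MDM server IP, exception group SID.

$RelyingParty = 'Microsoft Office 365 Identity Platform'  # placeholder RP name
$MdmIp        = '100.100.100.100'                          # IP from the post
$ExceptionSid = 'S-1-5-21-PLACEHOLDER'                     # placeholder group SID
$MdmIpRegex   = [regex]::Escape($MdmIp)                    # escape the dots for the regex

$rules = @"
@RuleName = "Tag requests that arrive through the MDM server"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
   Value =~ "\b$MdmIpRegex\b"]
 => issue(Type = "http://custom/mdm", Value = "true");

@RuleName = "Deny ActiveSync that did not come through the MDM server"
NOT EXISTS([Type == "http://custom/mdm", Value == "true"])
 && EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
            Value =~ "Microsoft.Exchange.ActiveSync"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                Value == "$ExceptionSid", Issuer =~ "^AD AUTHORITY$"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

@RuleName = "Permit everything else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Keep a copy of the current rules before replacing them, so the change can be reverted.
$backup = Get-AdfsRelyingPartyTrust -Name $RelyingParty |
    Select-Object -ExpandProperty IssuanceAuthorizationRules
$backup | Out-File -FilePath ".\$($RelyingParty -replace '[^\w]', '_')-IssuanceAuthorizationRules.bak.txt"

# Install the new rule set on the relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $rules
```

Test the rule set against a pilot group of users before rolling it out broadly, since a deny that fires for an unexpected client application shows up to the user as a repeated credential prompt rather than a clear error.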

Active Directory Federation Services