Edit

Share via

New-AdfsAccessControlPolicy

  • Reference
Module:
ADFS

Creates an AD FS access control policy.

Syntax

PowerShell 
New-AdfsAccessControlPolicy
   -Name <String>
   [-SourceName <String>]
   [-Identifier <String>]
   [-Description <String>]
   [-PolicyMetadata <PolicyMetadata>]
   [-PolicyMetadataFile <String>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AdfsAccessControlPolicy cmdlet creates an Active Directory Federation Services (AD FS) access control policy from a policy metadata file.

How to create a federation metadata file

The federation metadata document is an XML file that is available for download. To retrieve your document, enter your federation service name, and then select the Get federation metadata button.

Examples

Example 1: Create a policy template from a policy metadata file

PowerShell 
PS C:\> $t=New-AdfsAccessControlPolicy -Name "DemoOne" -PolicyMetadataFile "C:\filepath\ PolicyTemplateIntranetWithOneGroupParameterMFA.xml"

This command creates a policy template from a policy metadata file.

Example 2: Create a relying party using the policy template

PowerShell 
PS C:\> Add-AdfsRelyingPartyTrust -Name "DemoRP1" -Identifier "https://DemoRP1" -AccessControlPolicyName DemoOne -AccessControlPolicyParameters "Administrators"

This command creates a relying party using the policy template.

Example 3: Change parameters

PowerShell 
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyParameters ("Administrators","Users") -AccessControlPolicyName "DemoOne"

This command changes parameters for an access control policy.

Example 4: Un-assign a policy template

PowerShell 
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName $null

This command un-assigns a policy template.

Example 5: Create a policy template from an existing template

PowerShell 
PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyOne" -SourceName "DemoOne"

This command creates a policy template from an existing template.

Example 6: Create a policy template from existing metadata

PowerShell 
PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyTwo" -PolicyMetadata $t.PolicyMetadata

This command creates a policy template from existing metadata. The $t variable is an object from New-AccessControlPolicy.

Example 7: Create a policy template from a relying party result policy

PowerShell 
PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyWithAssignment" -PolicyMetadata $r.ResultantPolicy

This command creates a policy template from a relying party result policy. The $r variable is the object returned from Get-AdfsRelyingPartyTrust.

Example 8: Change the relying party to use a new template

PowerShell 
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName "DemoTwo" -AccessControlPolicyParameters @{PermitGroup="Users";RejectGroup="Administrators"}

This command changes the relying party to use a new template.

Example 9: Complicated conditions with specific claims

PowerShell 
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName DemoRP -AccessControlPolicyParameters`
    @{"SPParameter"= @{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/OfficeLocation"; Operator="Equals"; Value="Redmond"}}

Example 10: Two specific claims for single parameter

PowerShell 
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName "DemoRP" -AccessControlPolicyParameters`
    @{"SPParameter"= (@{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/OfficeLocation"; Operator="Equals"; Value=("Redmond","DC")},`
                      @{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Department"; Operator="Equals"; Value="Azure"})}

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Description

Specifies a description.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Identifier

Specifies an ID.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Name

Specifies a name.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-PolicyMetadata

Specifies metadata for the policy.

Type:PolicyMetadata
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PolicyMetadataFile

Specifies a file that contains metadata for the policy.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SourceName

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False