AD FS and banned IP addresses

AD FS on Windows Server 2016 introduced Banned IPs as part of the AD FS June 2018 update. This update enables you to configure a set of IP addresses globally in AD FS so that requests coming from those IP addresses are blocked. Requests whose x-forwarded-for or x-ms-forwarded-client-ip headers carry a banned IP address are also blocked by AD FS, so clients behind a proxy or load balancer that sets those headers are covered as well.

Adding banned IPs

To add banned IPs to the global list, use the below PowerShell cmdlet:

PS C:\> Set-AdfsProperties -AddBannedIps "1.2.3.4", "::3", "1.2.3.4/16"

Allowed formats are as follows:

  • IPv4
  • IPv6
  • CIDR format with IPv4 or v6

There's a limit of 300 entries for banned IP addresses. You can use CIDR or range format to deny a large block of entries with a single entry.

Removing banned IPs

To remove banned IPs from the global list, use the following PowerShell cmdlet:

PS C:\> Set-AdfsProperties -RemoveBannedIps "1.2.3.4"

Reading banned IPs

To read the current set of banned IP addresses, use the following PowerShell cmdlet:

PS C:\> Get-AdfsProperties

Example output:

BannedIpList                   : {1.2.3.4, ::3, 1.2.3.4/16}
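The three cmdlets above are usually combined into a small maintenance script. The following is an added example, not code from the Microsoft documentation: it validates a batch of candidate entries against the formats the page allows (IPv4, IPv6, CIDR), refuses to add anything that would push the list past the 300-entry limit, adds only entries that are not already present, and then reads the list back to confirm the change. The candidate entries are constructed sample values, and the function name Test-BannedIpEntry is an assumption of this example. It must be run in an elevated session on an AD FS server where the ADFS module is available.

```powershell
# Added example (not from the Microsoft page). Assumes the ADFS module is loaded
# and the session is allowed to run Set-AdfsProperties / Get-AdfsProperties.

$MaxBannedEntries = 300   # limit stated in the documentation

# Returns $true when the entry is a single IPv4/IPv6 address or an IPv4/IPv6 CIDR block.
# Test-BannedIpEntry is a helper defined here for the example, not an ADFS cmdlet.
function Test-BannedIpEntry {
    param([Parameter(Mandatory)][string]$Entry)

    $address, $prefix = $Entry -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($address, [ref]$parsed)) { return $false }

    # .NET accepts shorthand such as "1.2.3" for IPv4; require the full dotted form.
    if ($parsed.AddressFamily -eq 'InterNetwork' -and $parsed.ToString() -ne $address) { return $false }

    if ($null -eq $prefix) { return $true }   # plain address, no CIDR suffix

    $maxPrefix = if ($parsed.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
    $prefixValue = 0
    return ([int]::TryParse($prefix, [ref]$prefixValue) -and
            $prefixValue -ge 0 -and $prefixValue -le $maxPrefix)
}

# Constructed sample entries; the last two are deliberately malformed so the
# validation path is exercised.
$Candidates = @('1.2.3.4', '::3', '1.2.3.4/16', '2001:db8::/32', '10.0.0.0/33', 'not-an-ip')

$valid   = @()
$invalid = @()
foreach ($entry in $Candidates) {
    if (Test-BannedIpEntry -Entry $entry) { $valid += $entry } else { $invalid += $entry }
}
if ($invalid.Count -gt 0) {
    Write-Warning ("Skipping malformed entries: {0}" -f ($invalid -join ', '))
}

# Read the current list so the 300-entry limit is respected and duplicates are skipped.
$current = @((Get-AdfsProperties).BannedIpList)
$toAdd   = @($valid | Select-Object -Unique | Where-Object { $_ -notin $current })

if (($current.Count + $toAdd.Count) -gt $MaxBannedEntries) {
    throw ("Adding {0} entries would exceed the limit of {1} (list currently holds {2}). " +
           "Collapse individual addresses into CIDR blocks first." -f
           $toAdd.Count, $MaxBannedEntries, $current.Count)
}

if ($toAdd.Count -gt 0) {
    Set-AdfsProperties -AddBannedIps $toAdd
}

# Confirm the change took effect by reading the list back, exactly as the page shows.
$after   = @((Get-AdfsProperties).BannedIpList)
$missing = @($toAdd | Where-Object { $_ -notin $after })
if ($missing.Count -gt 0) {
    throw ("Entries not present after update: {0}" -f ($missing -join ', '))
}
Write-Output ("Banned IP list now holds {0} of {1} allowed entries." -f $after.Count, $MaxBannedEntries)
```

The read-back at the end is the useful part for operations: because BannedIpList is global to the farm, verifying after the update (and keeping the script's output in your change log) gives you a record of exactly which addresses were blocked and when. The same pattern, with -RemoveBannedIps in place of -AddBannedIps and the membership test inverted, works for retiring entries once a block is no longer needed.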

Next steps

  • Best practices for securing Active Directory Federation Services
  • Set-AdfsProperties
  • AD FS Operations