Events
Apr 29, 2 PM - Apr 30, 7 PM
Join the ultimate Windows Server virtual event April 29-30 for deep-dive technical sessions and live Q&A with Microsoft engineers.
Sign up nowAD FS and banned IP addresses
AD FS on Windows Server 2016 introduced Banned IPs as part of the AD FS June 2018 update. This update enables you to configure a set of IP addresses globally in AD FS so that requests coming from those IP addresses are blocked. Requests that have IP addresses in the x-forwarded-for or x-ms-forwarded-client-ip headers are also blocked by AD FS.
To add banned IPs to the global list, use the below PowerShell cmdlet:
PowerShell
PS C:\ >Set-AdfsProperties -AddBannedIps "1.2.3.4", "::3", "1.2.3.4/16"
Allowed formats are as follows:
- IPv4
- IPv6
- CIDR format with IPv4 or v6
There's a limit of 300 entries for banned IP addresses. You can use CIDR or range format to deny a large block of entries with a single entry.
To remove banned IPs from the global list, use the following PowerShell cmdlet:
PowerShell
PS C:\ >Set-AdfsProperties -RemoveBannedIps "1.2.3.4"
To read the current set of banned IP addresses, use the following PowerShell cmdlet:
PowerShell
PS C:\ >Get-AdfsProperties
Example output:
BannedIpList : {1.2.3.4, ::3,1.2.3.4/16}
Best practices for securing Active Directory Federation Services
Additional resources
Training