

Office 365 and ADFS 2016 Access Control Policy for Multi-Factor Authentication:

I am finally getting to implement a few ADFS 2016 environments. One particular customer wanted to implement Multi-Factor Authentication on their Office 365 Relying Party Trust, with the following requirements:

  • Users on the corporate network should not be prompted for 2FA
  • Only users that are members of a particular Active Directory group should require 2FA
    • These users should only be required to use 2FA when accessing from a browser (e.g. OWA, SharePoint, the admin portal)

I’ve done this in the past using the following advanced claims rule, applied as an additional authentication rule on the Office 365 relying party trust:

exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-############-########-########-######"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.RPC"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.WebServices"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

This worked for many of my customers with Exchange Online-only deployments; other scenarios needed further modifications. Since this is a 2016 deployment, however, I wanted to use the new Access Control Policies. At first I tried to use the same logic, but it failed miserably. After a while of tinkering, and with no real-world examples anywhere on the internet, I was able to figure it out and came up with the following Access Control Policy:

Permit everyone
except from 'contoso\ADFS Require MFA' group;

Permit users
from 'intranet' location
and from 'contoso\ADFS Require MFA' group;

Permit users
from 'extranet' location
and from 'contoso\ADFS Require MFA' group
except with 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path' claim contains '/adfs/ls' in the request;

Permit users
from 'extranet' location
and from 'contoso\ADFS Require MFA' group
and with 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path' claim contains '/adfs/ls' in the request
and when authentication includes MFA

This is what finally ended up working like a charm: members of the group are now prompted for 2FA when they access Office 365 services from a browser outside the network. The four rules map directly onto the requirements. Rule 1 permits everyone who is not in the MFA group; rule 2 permits group members on the intranet; rule 3 permits group members on the extranet on any endpoint other than the passive (browser) endpoint under /adfs/ls; and rule 4 permits group members on the extranet on /adfs/ls only once MFA has been performed, which is what triggers the prompt. Clients that authenticate through the active WS-Trust endpoints (such as /adfs/services/trust/2005/usernamemixed, used by the legacy Exchange protocols the claims rule above excluded) are not matched by the /adfs/ls condition and therefore still sign in with a single factor from outside the network, which is exactly what the requirements asked for.
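The policy above is built in the ADFS management console; binding it to the relying party trust and checking the things it silently depends on is quicker from PowerShell. The following is an added example, not code from the original post. It assumes the policy was saved under the name 'O365 Browser MFA' and that the Office 365 relying party trust still has the default display name 'Microsoft Office 365 Identity Platform'; both names are assumptions and should be adjusted to your farm.

```powershell
# Added example (not from the original post): bind the access control policy above to the
# Office 365 relying party trust and check the prerequisites it depends on.
# Assumptions: the policy was saved in the ADFS console as 'O365 Browser MFA' and the
# relying party trust has the default display name 'Microsoft Office 365 Identity Platform'.
# Run in an elevated PowerShell session on the primary ADFS 2016 server.

$PolicyName = 'O365 Browser MFA'                        # assumed name given to the policy
$RpName     = 'Microsoft Office 365 Identity Platform'  # default name created when the domain is federated

# 1. The fourth rule ("when authentication includes MFA") can only be satisfied if an
#    additional authentication provider is enabled in the global authentication policy.
#    With none enabled, extranet browser users in the group are denied instead of prompted.
$globalPolicy = Get-AdfsGlobalAuthenticationPolicy
if (-not $globalPolicy.AdditionalAuthenticationProvider) {
    throw 'No additional authentication provider is enabled; enable one before assigning the policy.'
}
"Additional authentication providers: $($globalPolicy.AdditionalAuthenticationProvider -join ', ')"

# 2. Make sure the policy exists before trying to bind it.
$policy = Get-AdfsAccessControlPolicy -Name $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    throw "Access control policy '$PolicyName' was not found."
}

# 3. Bind the policy to the trust. Once a policy is assigned, the trust's issuance
#    authorization and additional authentication rules (the advanced claims rule from
#    earlier) are managed by the policy and can no longer be edited directly.
Set-AdfsRelyingPartyTrust -TargetName $RpName -AccessControlPolicyName $PolicyName

# 4. Verify the binding and what the trust's rules now look like.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, AccessControlPolicyName, IssuanceAuthorizationRules, AdditionalAuthenticationRules |
    Format-List
```

After running this, test from outside the network with a group member: a browser sign-in to the Office 365 portal should prompt for the second factor, while an Outlook client using the legacy Exchange protocols should not. Keep in mind that the 'intranet' and 'extranet' locations are derived from the insidecorporatenetwork claim, which ADFS sets to false only for requests that arrive through a Web Application Proxy, so the policy only holds if external clients cannot reach the federation servers except through WAP.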