New-AdfsAccessControlPolicy

Creates an AD FS access control policy.

Syntax

New-AdfsAccessControlPolicy
   -Name <String>
   [-SourceName <String>]
   [-Identifier <String>]
   [-Description <String>]
   [-PolicyMetadata <PolicyMetadata>]
   [-PolicyMetadataFile <String>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AdfsAccessControlPolicy cmdlet creates an Active Directory Federation Services (AD FS) access control policy from a policy metadata file.

How to create a federation metadata file

The federation metadata document is an XML file that is available for download. To retrieve your document, enter your federation service name, and then select the Get federation metadata button.

Examples

Example 1: Create a policy template from a policy metadata file

PS C:\> $t=New-AdfsAccessControlPolicy -Name "DemoOne" -PolicyMetadataFile "C:\filepath\ PolicyTemplateIntranetWithOneGroupParameterMFA.xml"

This command creates a policy template from a policy metadata file.

Example 2: Create a relying party using the policy template

PS C:\> Add-AdfsRelyingPartyTrust -Name "DemoRP1" -Identifier "https://DemoRP1" -AccessControlPolicyName DemoOne -AccessControlPolicyParameters "Administrators"

This command creates a relying party using the policy template.

Example 3: Change parameters

PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyParameters ("Administrators","Users") -AccessControlPolicyName "DemoOne"

This command changes parameters for an access control policy.

Example 4: Un-assign a policy template

PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName $null

This command un-assigns a policy template.

Example 5: Create a policy template from an existing template

PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyOne" -SourceName "DemoOne"

This command creates a policy template from an existing template.

Example 6: Create a policy template from existing metadata

PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyTwo" -PolicyMetadata $t.PolicyMetadata

This command creates a policy template from existing metadata. The $t variable is an object from New-AccessControlPolicy.

Example 7: Create a policy template from a relying party result policy

PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyWithAssignment" -PolicyMetadata $r.ResultantPolicy

This command creates a policy template from a relying party result policy. The $r variable is the object returned from Get-AdfsRelyingPartyTrust.

Example 8: Change the relying party to use a new template

PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName "DemoTwo" -AccessControlPolicyParameters @{PermitGroup="Users";RejectGroup="Administrators"}

This command changes the relying party to use a new template.

Example 9: Complicated conditions with specific claims

PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName DemoRP -AccessControlPolicyParameters`
    @{"SPParameter"= @{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/OfficeLocation"; Operator="Equals"; Value="Redmond"}}

Example 10: Two specific claims for single parameter

PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName "DemoRP" -AccessControlPolicyParameters`
    @{"SPParameter"= (@{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/OfficeLocation"; Operator="Equals"; Value=("Redmond","DC")},`
                      @{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Department"; Operator="Equals"; Value="Azure"})}

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Description

Specifies a description.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Identifier

Specifies an ID.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Name

Specifies a name.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-PolicyMetadata

Specifies metadata for the policy.

Type:PolicyMetadata
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PolicyMetadataFile

Specifies a file that contains metadata for the policy.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SourceName

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False