Customizing ADFS Claims Rules for Office 365
Terence Kolstad 11/04/2016
1 Minutes

I was recently working with a customer on ADFS claims rules and thought to share the experience of how to make some simple customizations within ADFS to lockdown authentication to Office 365 services, in this case. The requirement was that if the authentication connection came from an External IP not listed (any of their many remote locations), then block the connection UNLESS you are part of a specific AD group.


For this to work, I had to create 3 rules. Go into Relaying Party Trusts, right click the Office 365 Party Trust and select Edit Claim Rules.




Select Send Claims Using a Custom Rule and click Next.




For the first one, we are going to map out the External IPs to be in the allowed list. To see how to format the IP addresses, go here - Click Finish.


Here's the text to copy:

c1:[Type == "", Value =~ "^(?!123\.123\.123\.123)"]

&& c2:[Type == "", Value == "false"]

=> issue(Type = "http://custom/ipoutsiderange", Value = "true");



The next two Claims Rules are Custom as well. This rule is to check the AD group for membership.


Here's the text to copy:

NOT EXISTS([Type == "", Value == "S-1-5-21"])

=> add(Type = "http://custom/groupsid", Value = "fail");



The final one is putting the two rules together to block based on External IP and the AD group membership.


Here's the text to copy:

c1:[Type == "http://custom/ipoutsiderange", Value == "true"]

&& c2:[Type == "http://custom/groupsid", Value == "fail"]

=> issue(Type = "", Value = "DenyUsersWithClaim");



This is the final order of the claims rules.



This is what the user gets if they go to it from another IP:



Here's the article that explains how to edit the Claims Rules in ADFS (Note: there is an error in the syntax of the one that I had to use, but it serves as a reference)


As you can see, this customization opens many doors to making your implementation flexible and custom to the needs for the business.




Related Posts

It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout.

Cole Goebel 26 March, 2024

Why Your Cybersecurity's Biggest Risk Likes Coffee Breaks: The Human Element

Discover how the human element can be the biggest threat to cybersecurity and how tools like…

Matt Kanaskie 16 January, 2024

Minnesota’s Whole of State Cyber Security Plan

The state of Minnesota has delivered, alongside some bitter cold, a new initiative aimed at helping…