Customizing ADFS Claims Rules for Office 365

Posted by Terence Kolstad on Nov 4, 2016 10:16:06 AM

I was recently working with a customer on ADFS claims rules and thought I would share how to make some simple customizations within ADFS to lock down authentication, in this case to Office 365 services. The requirement was that if the authentication connection came from an external IP that was not on the allowed list (the customer has many remote locations), the connection should be blocked UNLESS the user is a member of a specific AD group.


For this to work, I had to create 3 rules. Go into Relying Party Trusts, right-click the Office 365 Relying Party Trust and select Edit Claim Rules.




Select Send Claims Using a Custom Rule and click Next.




For the first one, we are going to map out the external IPs that belong on the allowed list. To see how to format the IP addresses, refer to the linked reference article, then click Finish.


Here's the text to copy:

c1:[Type == "", Value =~ "^(?!123\.123\.123\.123)"]
&& c2:[Type == "", Value == "false"]
=> issue(Type = "http://custom/ipoutsiderange", Value = "true");



The next two claims rules are custom rules as well. This one checks the user's membership of the AD group.


Here's the text to copy:

NOT EXISTS([Type == "", Value == "S-1-5-21"])
=> add(Type = "http://custom/groupsid", Value = "fail");



The final one puts the two rules together to block based on the external IP and the AD group membership.


Here's the text to copy:

c1:[Type == "http://custom/ipoutsiderange", Value == "true"]
&& c2:[Type == "http://custom/groupsid", Value == "fail"]
=> issue(Type = "", Value = "DenyUsersWithClaim");
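To check how the three rules interact before applying them to the Office 365 trust, here is an added Python model of the rule chain (not code from this post or from ADFS) that applies the same regex, NOT EXISTS and issue/add semantics to constructed claim sets. It also shows two things the rule text alone does not make obvious: the unanchored `^(?!...)` lookahead is a prefix match, so an allowed `10.0.0.1` also lets `10.0.0.100` through, and a request that carries no forwarded-client-IP claim is never denied by this chain. Assumptions: the claim type URIs, which the rules as reproduced above lost, are the standard ADFS types, and the allow list and group SID are constructed samples.

```python
import re

# Standard ADFS claim types. Assumed: the rules as reproduced in the post lost
# their claim type URIs, so the well-known types from the Microsoft reference
# are substituted here.
FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
INSIDE = "http://schemas.microsoft.com/2012/01/requestcontext/claims/insidecorporatenetwork"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"
IP_OUTSIDE = ("http://custom/ipoutsiderange", "true")   # marker issued by rule 1
GROUP_FAIL = ("http://custom/groupsid", "fail")         # marker added by rule 2

ALLOWED_IPS = ["123.123.123.123", "10.0.0.1"]   # constructed sample allow list
BYPASS_SID = "S-1-5-21-1111-2222-3333-4444"      # constructed placeholder group SID

def outside_range_regex(allowed_ips, exact=False):
    """Build rule 1's negative-lookahead pattern from the allow list.
    exact=False reproduces the post's '^(?!a|b)' form, which only compares a
    prefix; exact=True anchors each address so 10.0.0.100 is not taken for 10.0.0.1."""
    alts = "|".join(re.escape(ip) for ip in allowed_ips)
    return rf"^(?!(?:{alts})$)" if exact else rf"^(?!{alts})"

def evaluate(claims, allowed_ips=ALLOWED_IPS, exact=False):
    """Run the three custom rules over a list of (type, value) claims.
    Returns (denied, issued). issue() sends a claim to the relying party AND
    makes it visible to later rules; add() only makes it visible to later rules."""
    pipeline = list(claims)
    issued = []
    regex = outside_range_regex(allowed_ips, exact)
    # Rule 1: client IP outside the allow list AND request came from outside the corporate network.
    if any(t == FWD_IP and re.match(regex, v) for t, v in pipeline) and (INSIDE, "false") in pipeline:
        pipeline.append(IP_OUTSIDE)
        issued.append(IP_OUTSIDE)
    # Rule 2: NOT EXISTS the bypass group SID -> add() the fail marker (never sent to Office 365).
    if (GROUPSID, BYPASS_SID) not in pipeline:
        pipeline.append(GROUP_FAIL)
    # Rule 3: both markers present -> issue() the deny claim. A request with no
    # forwarded-client-IP claim never gets here, because rule 1 cannot match it.
    if IP_OUTSIDE in pipeline and GROUP_FAIL in pipeline:
        issued.append((DENY, "DenyUsersWithClaim"))
    return any(t == DENY for t, _ in issued), issued

def external_request(ip, group_sids=()):
    """Constructed claim set for a request that reached ADFS from outside the network."""
    return [(FWD_IP, ip), (INSIDE, "false")] + [(GROUPSID, s) for s in group_sids]
```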



This is the final order of the claims rules.



This is what the user gets if they sign in from an IP that is not on the allowed list:



Here's the article that explains how to edit the Claims Rules in ADFS (Note: there is an error in the syntax of the one that I had to use, but it serves as a reference)


As you can see, this kind of customization opens many doors to making your implementation flexible and tailored to the needs of the business.



