ADFS additional authentication rules that skip MFA for the Office 365 relying party when users connect from the intranet or from Lync/Skype clients, and enforce MFA for members of a specific AD group:
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"

# Rule 1: when no x-ms-client-user-agent claim matches Skype, ACOMO or Lync, add an
# intermediate "not_lync" claim to the pipeline (add(), not issue(), so it is only
# visible to the rules that follow and never leaves ADFS).
# Rule 2: members of the group SID below who are not on a Lync/Skype client and are
# outside the corporate network get the multipleauthn claim, which tells ADFS to
# require a second factor for this relying party.
$groupMfaClaimTriggerRule = 'NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)skype"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync"])
 => add(Type = "http://schemas.company.com/not_lync", Value = "true");
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-796845957-688789844-854245398-6148"]
 && c2:[Type == "http://schemas.company.com/not_lync", Value == "true"]
 && c3:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $groupMfaClaimTriggerRule
We use this rule so that on-premises Lync users can use Exchange Online without being prompted for MFA. Keep in mind that the x-ms-client-user-agent claim is populated from the client's own User-Agent header, so the Lync/Skype carve-out is a usability exception rather than a security boundary: any client that presents a matching user agent string skips MFA. Likewise, insidecorporatenetwork is only "false" for requests that arrive through the Web Application Proxy, so external traffic must not be able to reach the ADFS servers directly.
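The snippet above hard-codes the group SID. As an added example (not code from the original post), the following PowerShell resolves the group name to its SID, builds the same two rules from that value, applies them, and reads the stored rule back to confirm the SID ADFS actually holds. The group name CORP\MFA-Required is an assumption; the relying party name and all claim type URIs are the ones used above.

```powershell
# Added example, not from the original post. Run on an ADFS server as an ADFS admin.
# Assumption: the MFA group is 'CORP\MFA-Required' (hypothetical name).
$groupName = 'CORP\MFA-Required'
$rpName    = 'Microsoft Office 365 Identity Platform'

# Resolve the group to its SID via .NET. A mistyped name throws here, which is
# better than a silently mistyped SID that never matches any user.
$account  = New-Object System.Security.Principal.NTAccount($groupName)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$ua         = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent'
$icn        = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$gsid       = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$authMethod = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$mfa        = 'http://schemas.microsoft.com/claims/multipleauthn'
$notLync    = 'http://schemas.company.com/not_lync'

# Same two rules as the post, assembled in a here-string so the URIs stay readable.
# @RuleName lines are claim-rule-language comments and show up in the ADFS GUI.
$rules = @"
@RuleName = "Flag requests that do not come from a Lync/Skype client"
NOT EXISTS([Type == "$ua", Value =~ "(?i)skype"])
 && NOT EXISTS([Type == "$ua", Value =~ "(?i)ACOMO"])
 && NOT EXISTS([Type == "$ua", Value =~ "(?i)lync"])
 => add(Type = "$notLync", Value = "true");

@RuleName = "Require MFA for group members outside the corporate network"
c1:[Type == "$gsid", Value == "$groupSid"]
 && c2:[Type == "$notLync", Value == "true"]
 && c3:[Type == "$icn", Value == "false"]
 => issue(Type = "$authMethod", Value = "$mfa");
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rules

# Read the rule back from ADFS and check it references the SID we resolved.
$stored = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
if ($stored -notmatch [regex]::Escape($groupSid)) {
    throw "Additional authentication rule for '$rpName' does not contain $groupSid"
}
"MFA rule applied for $groupName ($groupSid) on '$rpName'"
```

Resolving the SID at deployment time also makes the script reusable across environments: the same rule text is generated for test and production, with only the group name changing.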