General ADFS Config
Special configuration for ADFS.
Access Control policies with PowerShell
Get the Access Control Policy settings. The plain policy object cannot be exported to a file for later import.
Get the Access Control Policy settings as XML PolicyMetadata instead. This can be saved to a file and imported later.
Important
When copying the PolicyMetadata to c:\Filename.xml, the declaration <?xml version="1.0" encoding="UTF-8"?>
needs to be added as the first line of the file.
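The export-and-import round trip described above, as an added example that is not part of the original page. It assumes the policy is named 'Internal or extranet with MFA' (a placeholder), that Get-AdfsAccessControlPolicy, New-AdfsAccessControlPolicy and its -PolicyMetadataFile parameter are available on the ADFS server, and that the PolicyMetadata object exposes a Serialize() method returning the XML body; the last point is an assumption, not something the page states. The helper prepends the XML declaration the page calls out and refuses to overwrite an existing policy name.

```powershell
# Added example (not from the original page).
# Assumptions: PolicyMetadata.Serialize() returns the XML body as a string;
# the policy name below is a placeholder.

function Export-AdfsPolicyMetadataFile {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $Path
    )
    $policy = Get-AdfsAccessControlPolicy -Name $PolicyName -ErrorAction SilentlyContinue
    if (-not $policy) { throw "Access control policy '$PolicyName' not found" }

    # Assumption: Serialize() yields the <PolicyMetadata> document shown on this page
    $body = [string]$policy.PolicyMetadata.Serialize()

    # The serialized body has no XML declaration; the import needs one,
    # so prepend it unless it is already present.
    $declaration = '<?xml version="1.0" encoding="UTF-8"?>'
    if (-not $body.TrimStart().StartsWith('<?xml')) {
        $body = $declaration + [Environment]::NewLine + $body
    }
    Set-Content -Path $Path -Value $body -Encoding UTF8
    return $Path
}

function Import-AdfsPolicyMetadataFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Identifier
    )
    # Validate the file parses as XML with the expected root element
    # before touching the ADFS configuration.
    [xml]$doc = Get-Content -Path $Path -Raw
    if ($doc.DocumentElement.LocalName -ne 'PolicyMetadata') {
        throw "'$Path' is not an ADFS PolicyMetadata document"
    }
    if (Get-AdfsAccessControlPolicy -Name $Name -ErrorAction SilentlyContinue) {
        throw "An access control policy named '$Name' already exists"
    }
    New-AdfsAccessControlPolicy -Name $Name -Identifier $Identifier -PolicyMetadataFile $Path
}

# Usage on the ADFS server (policy names are placeholders):
# Export-AdfsPolicyMetadataFile -PolicyName 'Internal or extranet with MFA' -Path 'C:\Filename.xml'
# Import-AdfsPolicyMetadataFile -Path 'C:\Filename.xml' -Name 'Copy of policy' -Identifier 'CopyOfPolicy'
```

Run the export on the source farm and the import on the target farm; the file in between is the only thing that needs to move, and the declaration check means a hand-edited copy and a scripted one produce the same result.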
Policy XML File
The following policy has two rules.
- Rule 1
  - Member of group with SID S-1-5-21-2403268988-2362025418-4073813711-1104
  - Location where the request is coming from is 10.0.1.0/24 or 172.16.0.0/16
- Rule 2
  - Member of group with SID S-1-5-21-2403268988-2362025418-4073813711-1104
  - Location where the request is coming from is extranet
  - Require multi-factor authentication
If the user is in 172.16.0.0/16 but their web client connects to the external WAP IP, the user's source IP will be an external one instead of an internal one, so Rule 2 will apply. For Rule 1 to apply, the user needs to connect to the internal WAP or the ADFS server IP directly.
<?xml version="1.0" encoding="UTF-8"?>
<PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
  <RequireFreshAuthentication>false</RequireFreshAuthentication>
  <IssuanceAuthorizationRules>
    <Rule>
      <Conditions>
        <Condition i:type="LocationCondition">
          <Operator>Equals</Operator>
          <Values>
            <Value>10.0.1.0/24</Value>
            <Value>172.16.0.0/16</Value>
          </Values>
        </Condition>
        <Condition i:type="GroupMembershipCondition">
          <Operator>Equals</Operator>
          <Values>
            <Value>S-1-5-21-2403268988-2362025418-4073813711-1104</Value>
          </Values>
        </Condition>
      </Conditions>
    </Rule>
    <Rule>
      <Conditions>
        <Condition i:type="LocationCondition">
          <Operator>Equals</Operator>
          <Values>
            <Value>extranet</Value>
          </Values>
        </Condition>
        <Condition i:type="GroupMembershipCondition">
          <Operator>Equals</Operator>
          <Values>
            <Value>S-1-5-21-2403268988-2362025418-4073813711-1104</Value>
          </Values>
        </Condition>
        <Condition i:type="MultiFactorAuthenticationCondition">
          <Operator>IsPresent</Operator>
          <Values />
        </Condition>
      </Conditions>
    </Rule>
  </IssuanceAuthorizationRules>
</PolicyMetadata>
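A check a reviewer would want before importing a file like the one above: parse it, list what each rule actually requires, and fail if any rule that permits the extranet location does not also carry the MultiFactorAuthenticationCondition. This is an added example, not part of the original page; it embeds the page's own policy XML so it runs offline, and the function names are ones chosen here, not ADFS cmdlets.

```powershell
# Added example (not from the original page). Parses the PolicyMetadata
# document above and summarizes the conditions of each rule.

# The policy XML from this page, embedded so the script runs without an ADFS server.
$policyXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
  <RequireFreshAuthentication>false</RequireFreshAuthentication>
  <IssuanceAuthorizationRules>
    <Rule>
      <Conditions>
        <Condition i:type="LocationCondition">
          <Operator>Equals</Operator>
          <Values><Value>10.0.1.0/24</Value><Value>172.16.0.0/16</Value></Values>
        </Condition>
        <Condition i:type="GroupMembershipCondition">
          <Operator>Equals</Operator>
          <Values><Value>S-1-5-21-2403268988-2362025418-4073813711-1104</Value></Values>
        </Condition>
      </Conditions>
    </Rule>
    <Rule>
      <Conditions>
        <Condition i:type="LocationCondition">
          <Operator>Equals</Operator>
          <Values><Value>extranet</Value></Values>
        </Condition>
        <Condition i:type="GroupMembershipCondition">
          <Operator>Equals</Operator>
          <Values><Value>S-1-5-21-2403268988-2362025418-4073813711-1104</Value></Values>
        </Condition>
        <Condition i:type="MultiFactorAuthenticationCondition">
          <Operator>IsPresent</Operator>
          <Values />
        </Condition>
      </Conditions>
    </Rule>
  </IssuanceAuthorizationRules>
</PolicyMetadata>
'@

$AdfsNs = 'http://schemas.datacontract.org/2012/04/ADFS'
$XsiNs  = 'http://www.w3.org/2001/XMLSchema-instance'

function Get-PolicyRuleSummary {
    param([Parameter(Mandatory)] [xml] $Doc)
    # Namespace-aware XPath: every element lives in the ADFS default namespace,
    # and the condition kind is the i:type attribute.
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('a', $AdfsNs)
    $ns.AddNamespace('i', $XsiNs)

    $ruleIndex = 0
    foreach ($rule in $Doc.SelectNodes('/a:PolicyMetadata/a:IssuanceAuthorizationRules/a:Rule', $ns)) {
        $ruleIndex++
        $conditions = foreach ($c in $rule.SelectNodes('a:Conditions/a:Condition', $ns)) {
            [pscustomobject]@{
                Type     = $c.GetAttribute('type', $XsiNs)
                Operator = $c.SelectSingleNode('a:Operator', $ns).InnerText
                # <Values /> (as on the MFA condition) yields an empty array here
                Values   = @($c.SelectNodes('a:Values/a:Value', $ns) | ForEach-Object { $_.InnerText })
            }
        }
        [pscustomobject]@{
            Rule        = $ruleIndex
            Locations   = @($conditions | Where-Object Type -eq 'LocationCondition' | ForEach-Object Values)
            Groups      = @($conditions | Where-Object Type -eq 'GroupMembershipCondition' | ForEach-Object Values)
            RequiresMfa = [bool]($conditions | Where-Object Type -eq 'MultiFactorAuthenticationCondition')
        }
    }
}

function Test-ExtranetRequiresMfa {
    param([Parameter(Mandatory)] [xml] $Doc)
    # A rule that matches 'extranet' without an MFA condition would let the
    # group sign in from outside with password only; report each such rule.
    $findings = foreach ($r in Get-PolicyRuleSummary -Doc $Doc) {
        if ($r.Locations -contains 'extranet' -and -not $r.RequiresMfa) {
            "Rule $($r.Rule) permits the extranet location without MFA"
        }
    }
    return @($findings)
}

[xml]$doc = $policyXml
Get-PolicyRuleSummary -Doc $doc | Format-Table -AutoSize
$findings = Test-ExtranetRequiresMfa -Doc $doc
if ($findings.Count -eq 0) { 'OK: every extranet rule requires MFA' } else { $findings }
```

For the policy on this page the check passes: Rule 1 lists only the two internal ranges, and Rule 2 is the only extranet rule and carries the MFA condition. Point `[xml]$doc = Get-Content -Raw C:\Filename.xml` at an exported file to run the same check on a real policy before importing it.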