續上回~
其實係網上講ADFS 嘅post 大多係接近一年以上嘅舊article。2017 後半嘅新post接近 “0” 。 係無頭絮下只可以用舊sample code 去砌claims rule 去試,
失敗例子如下
Sample1
NOT exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip”, Value =~ “\bXXX\.XXX\.XXX\.XXX\b”])&&
NOT exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application”, Value =~ “Microsoft.Exchange.ActiveSync|Microsoft.Exchange.AutoDiscover”])&&
NOT exists([Type == “http://schemas.microsoft.com/claims/authnmethodsreferences”, Value == “http://schemas.microsoft.com/claims/multipleauthn”])
=> issue(Type = “http://schemas.microsoft.com/authorization/claims/deny”, Value = “DenyUsersWithClaim”);
第一個諗到嘅做法係用有冇行MFA,基如Legacy Client嘅ActiveSync係唔會行MFA(係Part1 AAR 已經界定)。理論上係啱,但係……所有係Internal嘅user一樣唔需要MFA,結果係邊成Internal client亦唔會去login到任何Azure Services….
係試呢段Claims Rule 意外採集獲係,假若Client係用Modern Auth,如果Claim Rules 有用
“exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy”])”
係會變成 Always Permit
Sample2
Rule1
c:[Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip”, Value =~ “IP address range”]
=> issue(Type = “http://custom/allow”, Value = “true”);
Rule2
exists([Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid”, Value =~ “S-1-5-xx”])
=> issue(Type = “http://custom/allow”, Value = “true”);
Rule3
exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application”, Value =~ “Microsoft.Exchange.ActiveSync”])
=> issue(Type = “http://custom/deny”, Value = “true”);
Rule4
exists([Type == “https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent”, value =~ “Outlook-iOS|Outlook-Android”])
=>issue(Type = “http://custom/deny”, Value = “true”);
Rule5
exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path”, Value =~ “/adfs/ls|/adfs/oauth2”])
=>issue(Type = “http://custom/deny”, Value = “true”);
Rule6
c:[Type == “http://custom/allow”, Value == “false”]
=> issue(Type = “http://schemas.microsoft.com/authorization/claims/deny”, Value = “true”);
Rule7
c:[Type == “http://custom/allow”, Value == “true”]
=> issue(Type = “http://schemas.microsoft.com/authorization/claims/permit”, Value = “true”);
呢個係非常極端嘅做法.,再無Default Permit All係最頂,純粹用AD Group去做Control。 Rule 3,Rule5 都係無效果
,再無Default Permit All係最頂,純粹用AD Group去做Control。 Rule3 都係對Modern Auth無效果,Rule5 亦無法試出預期嘅results。最終如果User係Exception Group(AD Group),就會用得到。
唯一試到係Rule4可以成功Restrict Outlook Mobile for Android/iOS
| Characteristic | String for iOS | String for Android |
|---|---|---|
| DeviceModel | Outlook for iOS and Android | Outlook for iOS and Android. |
| DeviceType | Outlook | Outlook |
| UserAgent | Outlook-iOS/2.0 | Outlook-Android/2.0 |
但係仍然無法簡單地只Restrict iOS Native Mail 去Exchange Online
Part3 Continue – 最後嘅做法
Reference
https://technet.microsoft.com/en-us/library/mt465747(v=exchg.150).aspx