ADFS with Office 365 & Custom Claim Rule - HELP

PREFACE - My organization is looking at moving to Office 365 Exchange Online - we currently use an in-house, non-exchange mail server.  One of the issues we need to solve with this is the ability to restrict access to (hourly) employees, so that they can only access their email from our corporate office.  While other employees (salary) may have the option to access their email remotely from home or on a mobile device.  After doing some reading, I see this is possible with ADFS.

Fast forward, I have ADFS up and running in a lab environment, with an Office 365 trial going, a 30 day SSL cert, and I have the federation working as expected.  I am running into issues creating the custom claim rule to restrict access and I am hoping someone can shed some light.

Ultimately, I would like to block access to any Office 365 service that does not originate from our corporate headquarters, unless the user is a member of a specific AD security group.  That being said, I figured I would start with blocking anything that is not originating from our corporate network.  Among other things, I have taken a look at the following technet article:  https://technet.microsoft.com/en-us/library/Hh526961%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396.  

Currently, I have a custom rule that looks like this:  

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b123\.456\.78\.9\b"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

** where 123.456.78.9 is the public, external facing IP address of my corporate HQ.  If I am interpreting this rule correctly, it is saying:

if (authenticating via proxy AND NOT client IP of 123.456.78.9) --> deny claim

However, I connect to an external network with a machine that is joined to this domain - and I am able to connect using outlook, I am able to login to outlook.com/mycompany.com, and I am able to login to portal.office.com.  Why is this?  I don't even really know where to look.  

I have played around with the IP address in the rule - I have seen varying posts that actually include the internal IP address, so I had a regular expression including our class B ranges that we used, with and without the external IP address.  I have had the rule above and below the default "Permit All" claim rule.

I am not even sure where or what to look at here to figure out exactly what is going on.  Any help or knowledge share is greatly appreciated.

Thanks

sb

July 24th, 2015 3:24pm
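A small Python model of the rule logic described in the post, added here as an example and not part of the original thread or of any Microsoft code. It evaluates the proxy / forwarded-client-IP / group-membership conditions over constructed claim sets (including the case where x-ms-forwarded-client-ip carries a comma-separated chain of addresses) and renders the equivalent AD FS issuance authorization rule text, including the group exemption the post describes as the end goal. The claim type URIs are the ones AD FS defines (the deny claim's type lives under schemas.microsoft.com, plural); the HQ addresses (TEST-NET) and the group SID are placeholders.

```python
import ipaddress
import re

# AD FS claim type URIs (the real ones AD FS defines).
X_MS_PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
X_MS_FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

# Constructed placeholders: TEST-NET addresses for the HQ egress IPs and a made-up SID
# for the "may work remotely" security group. Substitute your own values.
HQ_PUBLIC_IPS = ["203.0.113.5", "203.0.113.6"]
REMOTE_OK_SID = "S-1-5-21-1111111111-2222222222-3333333333-4444"


def forwarded_client_ips(value):
    """x-ms-forwarded-client-ip can carry a comma-separated chain when more than one
    proxy sits in the path. Return every address that parses; drop anything else."""
    ips = []
    for part in value.split(","):
        try:
            ips.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue
    return ips


def is_denied(claims, hq_ips=HQ_PUBLIC_IPS, exempt_sid=REMOTE_OK_SID):
    """claims: list of (claim_type, value) tuples as AD FS sees them.
    Mirrors the rule: proxied AND NOT from HQ AND NOT in the exempt group -> deny."""
    proxied = any(t == X_MS_PROXY for t, _ in claims)
    if not proxied:
        # A client that reaches the internal AD FS server directly gets no x-ms-proxy
        # claim, so the rule never fires for on-premises users.
        return False
    hq = {ipaddress.ip_address(ip) for ip in hq_ips}
    seen = [ip for t, v in claims if t == X_MS_FWD_IP for ip in forwarded_client_ips(v)]
    from_hq = any(ip in hq for ip in seen)
    exempt = any(t == GROUP_SID and v == exempt_sid for t, v in claims)
    return not from_hq and not exempt


def issue(claims):
    """Return the claims the rule would issue: the deny claim, or nothing."""
    return [(DENY, "true")] if is_denied(claims) else []


def hq_ip_pattern(hq_ips=HQ_PUBLIC_IPS):
    """Anchored regex for the HQ addresses. Using ^...$ rather than word boundaries
    means a longer address such as 203.0.113.50 cannot satisfy a pattern for 203.0.113.5."""
    return "^(" + "|".join(re.escape(ip) for ip in hq_ips) + ")$"


def hq_ip_matches(value, hq_ips=HQ_PUBLIC_IPS):
    """What the claim rule's Value =~ test does with the rendered pattern."""
    return re.search(hq_ip_pattern(hq_ips), value) is not None


def render_rule(hq_ips=HQ_PUBLIC_IPS, exempt_sid=REMOTE_OK_SID):
    """Render the equivalent AD FS issuance authorization rule text."""
    return (
        f'exists([Type == "{X_MS_PROXY}"])\n'
        f' && NOT exists([Type == "{X_MS_FWD_IP}", Value =~ "{hq_ip_pattern(hq_ips)}"])\n'
        f' && NOT exists([Type == "{GROUP_SID}", Value == "{exempt_sid}"])\n'
        f' => issue(Type = "{DENY}", Value = "true");'
    )


if __name__ == "__main__":
    # Constructed request: came in through the proxy from a non-HQ address.
    remote = [(X_MS_PROXY, "wap01"), (X_MS_FWD_IP, "198.51.100.7")]
    print(issue(remote))
    print(render_rule())
```

Two things the model makes visible when reasoning about the behaviour in the post: the rule only ever fires when the x-ms-proxy claim is present, so any path that reaches AD FS without passing through the proxy is untouched by it, and an issued deny claim takes precedence over a permit claim in AD FS issuance authorization rules, so the rule's position relative to "Permit All" is not what decides the outcome.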

Hi,
 
For ADFS related issues, I would suggest you post in the dedicated forum, where you can get more experienced responses:
 
https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
 
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
 

Regards,

Eth

July 27th, 2015 12:45am
