Hello everyone, all right?
I'm trying to block access to OWA for external users, except for a group of AD users that will be allowed.
I used scenario 4 (AD groups) from the article https://technet.microsoft.com/en-us/library/hh526961%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396; it does block OWA by public IP, but some users who use the Outlook client within the network lose their connection to Office 365.
What happened is that, after some time, some users who use the Outlook client internally started seeing an authentication prompt asking for their credentials and stopped receiving emails in Outlook.
What is wrong with the rule?
[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "customer-provided public ip address regex"]
&& [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
=> issue(Type = "http://custom/ipoutsiderange", Value = "true");

NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "Group SID value of allowed AD group"])
=> add(Type = "http://custom/groupsid", Value = "fail");

[Type == "http://custom/ipoutsiderange", Value == "true"]
&& [Type == "http://custom/groupsid", Value == "fail"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

c:[] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
Regards,
Leonardo Fogaça de Almeida