Hey all,
Hoping someone might have some insight or suggestions RE the above. My organisation is currently using AD FS v3 to sign users into Microsoft online services. We have a set of custom claims that disallow access to some resources when the user is not on the corporate network:
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "<regex_externalIPs>"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
In addition to the above, I'm trying to allow Skype for Business through the relying party when on or off the corporate network. However, what I'm finding is that Skype for Business isn't identifying itself in the assertion so that I can put an additional claim in, such as:
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Lync"])
I'm wondering if anyone has any suggestions, or if they've managed to achieve the same with a claim?
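As an added illustration (not from the post and not AD FS code), here is a small Python model of the deny rule quoted above, evaluated over constructed request-context claim sets; the egress-IP regex standing in for <regex_externalIPs>, the proxy name and the client IPs are assumptions. It shows why an exemption keyed on x-ms-client-application can only match a client that actually presents that claim: a client that sends nothing identifying itself falls through every NOT exists() and gets the deny claim.

```python
import re

CTX = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
DENY_TYPE = "http://schemas.microsoft.com/authorization/claims/deny"

# Assumed stand-in for the post's <regex_externalIPs> placeholder:
# the corporate egress addresses the proxy forwards for on-network users.
EXTERNAL_IPS = re.compile(r"^203\.0\.113\.(10|11)$")


def exists(claims, ctype, value=None, regex=None):
    """Model of exists([Type == ..., Value == ... / Value =~ ...]) over (type, value) pairs."""
    for t, v in claims:
        if t != ctype:
            continue
        if value is not None and v != value:
            continue
        if regex is not None and not regex.search(v):
            continue
        return True
    return False


def deny_rule(claims):
    """Return the (type, value) deny claim the post's rule would issue, or None."""
    if (exists(claims, CTX + "x-ms-proxy")
            and not exists(claims, CTX + "x-ms-forwarded-client-ip", regex=EXTERNAL_IPS)
            and not exists(claims, CTX + "x-ms-endpoint-absolute-path", value="/adfs/ls/")
            and not exists(claims, CTX + "x-ms-client-application", value="Microsoft.Exchange.ActiveSync")
            and not exists(claims, CTX + "x-ms-client-application", value="Microsoft.Exchange.Autodiscover")):
        return (DENY_TYPE, "DenyUsersWithClaim")
    return None


# Constructed request-context claim sets (all values are made up for the example).
INTERNAL = [(CTX + "x-ms-endpoint-absolute-path", "/adfs/ls/")]  # no x-ms-proxy: not via the proxy
ON_NET_VIA_PROXY = [(CTX + "x-ms-proxy", "WAP01"),
                    (CTX + "x-ms-forwarded-client-ip", "203.0.113.10")]
OFF_NET_ACTIVESYNC = [(CTX + "x-ms-proxy", "WAP01"),
                      (CTX + "x-ms-forwarded-client-ip", "198.51.100.7"),
                      (CTX + "x-ms-client-application", "Microsoft.Exchange.ActiveSync")]
# A client that never sends x-ms-client-application cannot be exempted by value.
OFF_NET_UNIDENTIFIED = [(CTX + "x-ms-proxy", "WAP01"),
                        (CTX + "x-ms-forwarded-client-ip", "198.51.100.7")]

if __name__ == "__main__":
    for name, claims in [("internal", INTERNAL), ("on-net via proxy", ON_NET_VIA_PROXY),
                         ("off-net ActiveSync", OFF_NET_ACTIVESYNC),
                         ("off-net unidentified client", OFF_NET_UNIDENTIFIED)]:
        print(f"{name}: {'DENY' if deny_rule(claims) else 'allow'}")
```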