Manage Risk with Conditional Access Control

Bill Mathers | Last Updated: 2/10/2017

Applies To: Windows Server 2012 R2

Key concepts - conditional access control in AD FS

The overall function of AD FS is to issue an access token that contains a set of claims. The decision regarding what claims AD FS accepts and then issues is governed by claim rules.

Access control in AD FS is implemented with issuance authorization claim rules, which issue permit or deny claims that determine whether a user or a group of users is allowed to access AD FS-secured resources. Authorization rules can only be set on relying party trusts.

Rule option | Rule logic
Permit all users | If incoming claim type equals any claim type and value equals any value, then issue claim with value equals Permit
Permit access to users with this incoming claim | If incoming claim type equals specified claim type and value equals specified claim value, then issue claim with value equals Permit
Deny access to users with this incoming claim | If incoming claim type equals specified claim type and value equals specified claim value, then issue claim with value equals Deny

For more information about these rule options and logic, see When to Use an Authorization Claim Rule.

In AD FS in Windows Server 2012 R2, access control is enhanced with multiple factors, including user, device, location, and authentication data. This is made possible by a greater variety of claim types available to the authorization claim rules. In other words, in AD FS in Windows Server 2012 R2 you can enforce conditional access control based on user identity or group membership, network location, device (whether it is workplace joined; for more information, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications), and authentication state (whether multifactor authentication (MFA) was performed).

Conditional access control in AD FS in Windows Server 2012 R2 offers the following benefits:

  • Flexible and expressive per-application authorization policies, whereby you can permit or deny access based on user, device, network location, and authentication state

  • Creating issuance authorization rules for relying party applications

  • Rich UI experience for the common conditional access control scenarios

  • Rich claims language & Windows PowerShell support for advanced conditional access control scenarios

  • Custom (per relying party application) 'Access Denied' messages. For more information, see Customizing the AD FS Sign-in Pages. By being able to customize these messages, you can explain why a user is being denied access and also facilitate self-service remediation where it is possible, for example, prompt users to workplace join their devices. For more information, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications.

The following table includes all the claim types available in AD FS in Windows Server 2012 R2 to be used for implementing conditional access control.

Claim type | Description
Email Address | The email address of the user.
Given Name | The given name of the user.
Name | The unique name of the user.
UPN | The user principal name (UPN) of the user.
Common Name | The common name of the user.
AD FS 1.x E-mail Address | The email address of the user when interoperating with AD FS 1.1 or AD FS 1.0.
Group | A group that the user is a member of.
AD FS 1.x UPN | The UPN of the user when interoperating with AD FS 1.1 or AD FS 1.0.
Role | A role that the user has.
Surname | The surname of the user.
PPID | The private identifier of the user.
Name ID | The SAML name identifier of the user.
Authentication time stamp | Used to display the time and date that the user was authenticated.
Authentication method | The method used to authenticate the user.
Deny only group SID | The deny-only group SID of the user.
Deny only primary SID | The deny-only primary SID of the user.
Deny only primary group SID | The deny-only primary group SID of the user.
Group SID | The group SID of the user.
Primary group SID | The primary group SID of the user.
Primary SID | The primary SID of the user.
Windows account name | The domain account name of the user in the form domain\user.
Is Registered User | User is registered to use this device.
Device Identifier | Identifier of the device.
Device Registration Identifier | Identifier for Device Registration.
Device Registration Display Name | Display name of Device Registration.
Device OS Type | Operating system type of the device.
Device OS Version | Operating system version of the device.
Is Managed Device | Device is managed by a management service.
Forwarded Client IP | IP address of the user.
Client Application | Type of the client application.
Client User Agent | Device type the client is using to access the application.
Client IP | IP address of the client.
Endpoint Path | Absolute endpoint path, which can be used to determine active versus passive clients.
Proxy | DNS name of the federation server proxy that passed the request.
Application Identifier | Identifier for the relying party.
Application policies | Application policies of the certificate.
Authority Key Identifier | The authority key identifier extension of the certificate that signed an issued certificate.
Basic Constraint | One of the basic constraints of the certificate.
Enhanced Key Usage | Describes one of the enhanced key usages of the certificate.
Issuer | The name of the certification authority that issued the X.509 certificate.
Issuer Name | The distinguished name of the certificate issuer.
Key Usage | One of the key usages of the certificate.
Not After | Date in local time after which a certificate is no longer valid.
Not Before | The date in local time on which a certificate becomes valid.
Certificate Policies | The policies under which the certificate has been issued.
Public Key | Public key of the certificate.
Certificate Raw Data | The raw data of the certificate.
Subject Alternative Name | One of the alternative names of the certificate.
Serial Number | The serial number of the certificate.
Signature Algorithm | The algorithm used to create the signature of a certificate.
Subject | The subject from the certificate.
Subject Key Identifier | The subject key identifier of the certificate.
Subject Name | The subject distinguished name from a certificate.
V2 Template Name | The name of the version 2 certificate template used when issuing or renewing a certificate. This is a Microsoft-specific value.
V1 Template Name | The name of the version 1 certificate template used when issuing or renewing a certificate. This is a Microsoft-specific value.
Thumbprint | Thumbprint of the certificate.
X.509 Version | The X.509 format version of the certificate.
Inside Corporate Network | Used to indicate whether a request originated from inside the corporate network.
Password Expiration Time | Used to display the time when the password expires.
Password Expiration Days | Used to display the number of days until password expiry.
Update Password URL | Used to display the web address of the update password service.
Authentication Methods References | Used to indicate all authentication methods used to authenticate the user.

Managing Risk with Conditional Access Control

Using the available settings, there are many ways in which you can manage risk by implementing conditional access control.

Common Scenarios

For example, imagine a simple scenario of implementing conditional access control based on the user's group membership data for a particular application (relying party trust). In other words, you can set up an issuance authorization rule on your federation server to permit users who belong to a certain group in your AD domain to access a particular application that is secured by AD FS. The detailed step-by-step instructions (using the UI and Windows PowerShell) for implementing this scenario are covered in Walkthrough Guide: Manage Risk with Conditional Access Control. In order to complete the steps in this walkthrough, you must set up a lab environment and follow the steps in Set up the lab environment for AD FS in Windows Server 2012 R2.

Advanced Scenarios

Other examples of implementing conditional access control in AD FS in Windows Server 2012 R2 include the following:

  • Permit access to an application secured by AD FS only if this user's identity was validated with MFA

    You can use the following code:

    @RuleTemplate = "Authorization"
    @RuleName = "PermitAccessWithMFA"
    c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences", Value =~ "^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
    
  • Permit access to an application secured by AD FS only if the access request is coming from a workplace joined device that is registered to the user

    You can use the following code:

    @RuleTemplate = "Authorization"
    @RuleName = "PermitAccessFromRegisteredWorkplaceJoinedDevice"
    c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "^(?i)true$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
    
  • Permit access to an application secured by AD FS only if the access request is coming from a workplace joined device that is registered to a user whose identity has been validated with MFA

    You can use the following code:

    @RuleTemplate = "Authorization"
    @RuleName = "RequireMFAOnRegisteredWorkplaceJoinedDevice"
    c1:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences", Value =~ "^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$"] &&
    c2:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "^(?i)true$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
    
  • Permit extranet access to an application secured by AD FS only if the access request is coming from a user whose identity has been validated with MFA.

    You can use the following code:

    @RuleTemplate = "Authorization"
    @RuleName = "RequireMFAForExtranetAccess"
    c1:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences", Value =~ "^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$"] &&
    c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value =~ "^(?i)false$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
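As an added example (not code from this page or from Microsoft's walkthrough), the following Windows PowerShell script combines the group-membership scenario under Common Scenarios with the extranet-plus-MFA scenario above into one issuance authorization rule set and applies it to a relying party trust with the ADFS module. The relying party name "Claims App" and the group claim value "App Users" are placeholders you would replace; the Group claim type URI is the standard AD FS Group claim type, and the other claim types are the ones used in the rules above.

```powershell
# Added example, not from the original page. Builds a per-application issuance
# authorization policy and applies it on an AD FS (Windows Server 2012 R2) server.
# Placeholders: the relying party display name and the Group claim value.
Import-Module ADFS

$relyingParty = "Claims App"   # placeholder: display name of the relying party trust
$allowedGroup = "App Users"    # placeholder: Group claim value issued for the allowed AD group

# Claim type URIs. The Group claim is the standard AD FS Group claim type; the
# remaining three are the claim types used in the rules on this page.
$groupClaim  = "http://schemas.xmlsoap.org/claims/Group"
$mfaClaim    = "http://schemas.microsoft.com/claims/authnmethodsreferences"
$insideClaim = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$permitClaim = "http://schemas.microsoft.com/authorization/claims/permit"
$mfaValue    = 'http://schemas\.microsoft\.com/claims/multipleauthn'  # regex: literal dots escaped

# Rule 1: group members coming from inside the corporate network are permitted.
# Rule 2: group members coming from outside must also have performed MFA.
# No rule issues a Permit claim for anyone else, so AD FS denies everyone else.
$rules = @"
@RuleTemplate = "Authorization"
@RuleName = "PermitGroupFromIntranet"
c1:[Type == "$groupClaim", Value == "$allowedGroup"] &&
c2:[Type == "$insideClaim", Value =~ "^(?i)true$"]
 => issue(Type = "$permitClaim", Value = "PermitUsersWithClaim");

@RuleTemplate = "Authorization"
@RuleName = "PermitGroupFromExtranetWithMFA"
c1:[Type == "$groupClaim", Value == "$allowedGroup"] &&
c2:[Type == "$insideClaim", Value =~ "^(?i)false$"] &&
c3:[Type == "$mfaClaim", Value =~ "^(?i)$mfaValue$"]
 => issue(Type = "$permitClaim", Value = "PermitUsersWithClaim");
"@

# Replace the relying party's current issuance authorization rule set with this one.
Set-AdfsRelyingPartyTrust -TargetName $relyingParty -IssuanceAuthorizationRules $rules

# Read the stored policy back so the change can be reviewed or recorded in change control.
(Get-AdfsRelyingPartyTrust -Name $relyingParty).IssuanceAuthorizationRules
```

Two points worth keeping in mind when writing such policies. A claim that is not present in the pipeline cannot match a condition, so a Deny rule keyed on a value such as "false" does not cover requests that carry no such claim at all (a device that is not workplace joined sends no device claims); expressing the policy as Permit rules for the exact combinations you accept, as above, leaves every other request denied. Conversely, if you do add a Deny rule, a Deny claim it issues causes AD FS to refuse access even when another rule issued a Permit claim for the same request.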
    

See Also

Walkthrough Guide: Manage Risk with Conditional Access Control
Set up the lab environment for AD FS in Windows Server 2012 R2

© 2017 Microsoft