locked
Claim Rules for different groups RRS feed

  • Question

  • We have the below claim rule in affect now for all our users, it was implemented using PS command:

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
     && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    Basically states if coming in through a browser then get prompted for Multifactor.  This works well as expected.  

    We would like to do some testing with this rule but only apply it to an AD group of users:

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
    Value=="Microsoft.Exchange.ActiveSync"]) && exists([Type ==  "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
    && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"])
    => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    We would want ANYONE who is not a member of our test AD group to get the first (default) claim rule applied to them and anyone who is in our test AD group get this second claim rule applied to them.

    Is it possible to accomplish this?  If so, how can we do this?  Appreciate any help.


    Rich

    Monday, May 23, 2016 6:45 PM

All replies