How to Block all extranet client access to Office 365

Some organizations may want to create policies that limit access to Microsoft Office 365 services, depending on where the client resides.

For example, you might want to:

  • Block all extranet client access to Office 365.
  • Block all extranet client access to Office 365, except for devices accessing Exchange Online for Exchange Active Sync.

Active Directory Federation Services (AD FS) 2.0 or later provides a way for organizations to configure these types of policies.
Office 365 customers using Single Sign-On (SSO) who require these policies can use client access policy rules to restrict access based on the location of the computer or device that is making the request.

Note: Customers using Microsoft Online Services cloud User IDs cannot implement these restrictions at this time.

An AD FS 2.0 or later federation server proxy, or a third-party proxy, is required to forward requests from clients residing outside the corporate network to the internal Federation Service.

Overview of my lab:

  • One domain controller installed on Windows Server 2008 R2 Enterprise Edition.
  • One Exchange 2010 SP3 RU16 multi-role server (Hub, CAS & Mailbox) installed on Windows Server 2008 R2 Enterprise Edition.
  • One AD FS farm deployed on two Windows Server 2016 Datacenter Edition servers.
  • One Azure AD Connect server running on Windows Server 2016 Datacenter Edition.
  • Two Web Application Proxy servers deployed on Windows Server 2016 Datacenter Edition.
  • One domain-joined client machine with Windows 8.1 installed.
  • One non-domain-joined client computer with Windows 8.1 installed, located on the external network.
  • Two Kemp LoadMasters: LB101 to load balance the internal AD FS farm and LB102 to load balance the Web Application Proxy servers.

Network details:

172.16.0.0/16 – Internal Network

192.168.0.0/24 & 192.168.1.0/24 – External Network.

One public IP address.

LoadMaster details:

LB101:

Network Interface 0: 192.168.1.0/24

Network Interface 1: 172.16.0.0/16

Default gateway – 192.168.1.1

172.16.0.13 – VIP created in LB101 to load balance the internal Active Directory Federation Services farm.

Exchange 2010 web services will be published via LB101 later.


LB102:

Network Interface 0: 192.168.0.0/24

Network Interface 1: 172.16.0.0/16

Default gateway – 192.168.0.1

192.168.0.100 – VIP created in LB102 to load balance AD FS Proxy farms.

At the firewall, port 443 is opened for VIP 192.168.0.100 to allow external AD FS traffic.

Note:

  • None of the Exchange services are published to the internet.
  • Exchange 2010 Hybrid is not configured. Exchange 2010 is installed only to have its schema.
  • Azure AD Connect is used to sync on-premises AD objects to Office 365.
  • Purpose of the AD FS and WAP servers: all Office 365 user passwords are verified by the on-premises identity provider. In this scenario we did not synchronize on-premises user passwords to Azure Active Directory/Office 365.


AD FS Server: Responsible for user authentication and issuance of claims. The server must be able to connect to a domain controller. It authenticates users from multiple domains via Windows trusts.

AD FS Proxy Server: Authenticates users from the internet and protects the AD FS server from internet-based threats.

AD FS configuration database: Relying party trusts, certificates, claims provider trusts, claim descriptions, service configuration, attributes, and so on are all stored in the database. The entire content of the database can be stored as an instance of SQL Server or Windows Internal Database (maximum of 5 servers), but not both at the same time.


To block all external Office 365 access:

  • First we need to add five acceptance transform rules, one for each of the new request context claim types, using the following procedure.
  • On the Active Directory claims provider trust, create a new acceptance transform rule to pass through each of the new request context claim types.

To add a claim rule to the Active Directory claims provider trust for each of the five request context claim types:

In the ADFS Management console tree, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.


In the Edit Claim Rules dialog box, click Add Rule to start the Rule wizard.


On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.


On the Configure Rule page, under Claim rule name, type the display name for this rule; in Incoming claim type, type the following claim type URL, and then select Pass through all claim values.

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip


To verify the rule, select the rule we created in the list and click Edit Rule.

Then click View Rule Language.

The claim rule language should appear as follows:

c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);

Click Finish.

In the Edit Claim Rules dialog box, click OK to save the rules.

Follow the above steps to create an additional claim rule for each of the remaining four claim types shown below.

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy

http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path

Now we have created all five acceptance transform rules.

All rules were verified; the claim rule language for the remaining acceptance transform rules is shown below.

Rule Name: Pass through All x-ms-client-application
Claim rule language:

c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"]
 => issue(claim = c);

Rule Name: Pass through All x-ms-client-user-agent
Claim rule language:

c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"]
 => issue(claim = c);

Rule Name: Pass through All x-ms-proxy
Claim rule language:

c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]
 => issue(claim = c);

Rule Name: Pass through All x-ms-endpoint-absolute-path
Claim rule language:

c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"]
 => issue(claim = c);

In the AD FS Management console tree, click Relying Party Trusts.

Right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Access Control Policy.

Click Add Rule… to start the Claim Rule Wizard.

On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

On the Configure Rule page, under Claim rule name, type the display name for this rule. Under Custom rule, type or paste the following claim rule language syntax:

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
 Value =~ "customer-provided public ip address regex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

This rule denies the request when it arrived through the proxy (the x-ms-proxy claim exists) and the forwarded client IP does not match the allowed public address regex; requests that reach the Federation Service directly from the internal network carry no x-ms-proxy claim and are not affected. Visit https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx#build to learn more about regular expressions.

In this scenario I have replaced the value above for "customer-provided public ip address regex" with a valid IP expression: \b192\.168\.0\.100\b

IP address 192.168.0.100 is the VIP address, which is NATed.

Click Finish.


Verify the new rule appears immediately below the Permit Access to All Users rule in the Issuance Authorization Rules list. To save the rule, in the Edit Claim Rules dialog box, click OK.
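The same configuration can be applied with the AD FS PowerShell module instead of the management console. The following is an added example, not code from the original post; it assumes the claims provider trust is named "Active Directory", the relying party trust is named "Microsoft Office 365 Identity Platform" (the names shown in the console steps above), and that the relying party trust is still governed by issuance authorization rules rather than an AD FS 2016 access control policy. The allowed-IP regex is the post's own value; replace it with your organization's public egress address(es).

```powershell
# Added example (not from the original post): build the five pass-through
# acceptance transform rules and the extranet deny rule with PowerShell.
# Run in an elevated session on an AD FS server.
Import-Module ADFS

$prefix = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/'
$claimTypes = @(
    'x-ms-forwarded-client-ip',
    'x-ms-client-application',
    'x-ms-client-user-agent',
    'x-ms-proxy',
    'x-ms-endpoint-absolute-path'
)

# Part 1: one pass-through acceptance transform rule per request-context
# claim type, in the same rule language the wizard generates. @RuleName sets
# the display name shown in the console.
$passThroughRules = foreach ($type in $claimTypes) {
@"
@RuleName = "Pass through All $type"
c:[Type == "$prefix$type"]
 => issue(claim = c);
"@
}

# Assumed trust name: "Active Directory" (the default claims provider trust).
$cpt = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
# Keep the acceptance transform rules that already exist and append the new ones.
$cptRules = (@($cpt.AcceptanceTransformRules) + @($passThroughRules)) -join "`r`n"
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules $cptRules

# Part 2: the deny rule on the Office 365 relying party trust. The regex must
# match every public address from which extranet access is still allowed; the
# post uses the NATed VIP 192.168.0.100. The \b anchors stop the pattern from
# matching inside a longer string such as 192.168.0.1001.
$allowedIpRegex = '\b192\.168\.0\.100\b'
$denyRule = @"
@RuleName = "Deny extranet access except from allowed public IPs"
exists([Type == "${prefix}x-ms-proxy"]) &&
NOT exists([Type == "${prefix}x-ms-forwarded-client-ip", Value =~ "$allowedIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Assumed trust name: "Microsoft Office 365 Identity Platform".
$rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
# Append after the existing "Permit Access to All Users" rule so the deny rule
# lands immediately below it in the Issuance Authorization Rules list.
$rpRules = (@($rp.IssuanceAuthorizationRules) + $denyRule) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -IssuanceAuthorizationRules $rpRules

# Verification: both rule sets should now list the request-context claim types.
(Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform').IssuanceAuthorizationRules
```

The deny rule fires only when the x-ms-proxy claim is present, that is, for requests that came in through the Web Application Proxy; internal clients that reach the AD FS farm directly are never evaluated against the IP regex. If Set-AdfsRelyingPartyTrust refuses the -IssuanceAuthorizationRules change, the trust is using an access control policy and must first be switched back to custom rules in the console. Test with a single external account before rolling the rule out, since a regex that fails to match your real public address locks every extranet user out.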


Please watch this video to know the internal and External client behaviour after implementing this rule.

https://youtu.be/QFIXE9ogmTQ

Thanks for reading.
