Advanced ADFS Claims Rules for Office 365 SSO
A colleague sent me a blog post from the Directory Services Team titled “An ADFS Claims Rules Adventure”. This post is very informative and pretty cool. It talks about setting up ADFS claims rules to tightly control access to Office 365. I have previously looked into how to control access to Office 365 mailbox/SharePoint resources, and from what I found it appeared the best way to implement granular control was via Forefront Unified Access Gateway as the ADFS proxy provider. But the blog post I reference above does a much better job of explaining how to use ADFS claims rules to restrict access. The blog post talks about how to control access with the following requirements:
- No one shall access email via Outlook when off the corporate network
- Members of a specific security group may not use ActiveSync
- Members of a specific security group may not access OWA off the corporate network
- All OWA users must log in via a forms based login
I strongly recommend reading this even if you do not need access control for Office 365; it shows you the power of ADFS and how you can leverage claims rules!
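To make the first three requirements concrete, here is an added example (my own illustration, not code from the Directory Services Team post or from the Client Access Policy Builder) that expresses them as ADFS 2.0 issuance authorization rules and applies them to the Office 365 relying party trust with the ADFS 2.0 PowerShell snap-in. The corporate egress range, the restricted group's SID and the relying party trust name are placeholders you would replace; the `x-ms-*` request-context claim types are the ones ADFS 2.0 gained with Update Rollup 2, and the proxy and forwarded-client-IP claims are only populated for requests that come in through an ADFS proxy.

```powershell
# Added example, not from the original post. Three of the requirements above as
# ADFS 2.0 issuance authorization rules for the Office 365 relying party trust.
# Placeholders (adjust for your environment):
#   - corporate public egress: 203.0.113.0/24 (TEST-NET-3 documentation range)
#   - restricted security group SID: S-1-5-21-111-222-333-1001
#   - relying party trust name: "Microsoft Office 365 Identity Platform"
# Requires ADFS 2.0 with Update Rollup 2 (or later) for the x-ms-* claims.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName             = 'Microsoft Office 365 Identity Platform'   # placeholder
$corpIpRegex        = '^203\.0\.113\.\d{1,3}$'                   # placeholder egress range
$restrictedGroupSid = 'S-1-5-21-111-222-333-1001'                # placeholder group SID

# Request-context claims added by Update Rollup 2 (populated via the ADFS proxy)
$proxy    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy'
$fwdIp    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip'
$app      = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application'
$path     = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
# Group SID claim passed through by the default Active Directory claims provider trust rules
$groupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$deny     = 'http://schemas.microsoft.com/authorization/claims/deny'

# Rules are evaluated in order; if any rule issues a deny claim, the token is refused
# even though the first rule permits everyone.
$rules = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny Outlook (RPC) from outside the corporate network"
exists([Type == "$proxy"])
 && NOT exists([Type == "$fwdIp", Value =~ "$corpIpRegex"])
 && exists([Type == "$app", Value == "Microsoft.Exchange.RPC"])
 => issue(Type = "$deny", Value = "true");

@RuleName = "Deny ActiveSync for members of the restricted group"
exists([Type == "$app", Value == "Microsoft.Exchange.ActiveSync"])
 && exists([Type == "$groupSid", Value == "$restrictedGroupSid"])
 => issue(Type = "$deny", Value = "true");

@RuleName = "Deny OWA (browser sign-in via the passive endpoint) off-network for the restricted group"
exists([Type == "$proxy"])
 && NOT exists([Type == "$fwdIp", Value =~ "$corpIpRegex"])
 && exists([Type == "$path", Value == "/adfs/ls/"])
 && exists([Type == "$groupSid", Value == "$restrictedGroupSid"])
 => issue(Type = "$deny", Value = "true");
"@

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Check what is now in effect on the trust
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two things worth checking before relying on this: the `x-ms-forwarded-client-ip` claim carries the client's public address as seen by the proxy, so the regex must match your corporate egress addresses, not internal RFC 1918 ranges; and the `groupsid` claim is only available to these rules if the Active Directory claims provider trust passes Group SID claims through (it does by default). The fourth requirement, forcing OWA users through a forms-based login, is not a claims rule at all; it is controlled by the authentication type order configured on the ADFS proxy's `/adfs/ls` application.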
I wanted to ensure everyone saw the link that Max Grillenberger posted in the comments:
Have a look at the Client Access Policy Builder for ADFS 2.0 including Hotfix Rollup Update 2, http://gallery.technet.microsoft.com/scriptcenter/Client-Access-Policy-30be8ae2 – a great GUI tool to deploy ADFS rules.
I also found a tweet from Joshua Maher (@JoshMaher) about customizing the ADFS 2.0 UI: http://www.mikepfeiffer.net/2012/05/useful-cutomizations-to-ad-fs-2-0-when-deploying-sso-with-office-365/ (links to a blog post by fellow MVP Mike Pfeiffer, @mike_pfeiffer). (Wow, that was cool, getting to type “Fellow MVP”; first time I was able to write that down!)