Client Access Policy Builder

Hotfix Rollup Update 2 for AD FS 2.0 introduced a feature named Client Access Policy. Office 365 customers can create policies that limit access to Office 365 services based on where the client resides. This tool automates the creation of these policies for the most common scenarios.

Rating: 4.4 stars (20 ratings)
Downloaded 9,767 times
Category: Active Directory
Published: 6/17/2013


  • Support for ADFS 2.1 / 3.0 / 4.0
    1 Posts | Last post November 29, 2018
    • Will the script be modified to work on Windows 2012 R2 / 2016 without modification?
      Will the script be modified to use RegEx for whole IP subnets (and add multiple subnets)?
      
      ADFS 2.1 - Windows Server 2012
      ADFS 3.0 - Windows Server 2012 R2
      ADFS 4.0 - Windows Server 2016
      
      The current script needs to be modified for Windows 2012.
      Search for this line in the code:
           If (($OSVersion.Major -eq 6) -and ($OSVersion.Minor -eq 2))
      Change it to 
           If (($OSVersion.Major -eq 6) -and ($OSVersion.Minor -ge 2))
      
      Tested and working on Windows 2008 / 2008 R2 / 2012 R2 
      
      Thanks 
  • Block all external Access to O365
    2 Posts | Last post November 29, 2018
    • Hi Adam,
      Great tool indeed. Unfortunately I could not use it, as I had multiple ranges from different locations. Can you guide me a bit on how to verify that the regex expression I built is correct? I tried online verification tools but got totally confused about how to use them. My expression looks like
      
      exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
       && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b151\.100\.0\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b151\.100\.\([1-32]\.(1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b33\.177\.86\.1[0-9][0-9]|2[0-5][0-9])\b|"])
       => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
       
      Regards,
      Abhishek
    • Works fine for me; I have done it for multiple customers who have multiple locations.
      The regular expression is quite long in most cases, but the end result is perfect.
      Example:
      - 8 different sites all linked via VPN
      - Your RegEx would need to include all internal private IPs
      - Your RegEx would need to include all public-facing IPs
      Regards,
      
  • ADFS 3.0 as well?
    1 Posts | Last post July 13, 2018
    • Does this script function / perform the same on ADFS 3.0?
  • Skype For Business Policy Building
    1 Posts | Last post August 02, 2017
    • I have activated the policy rule that blocks Outlook access from the internet. Outlook access is only allowed if the request comes from certain public IP addresses.
      I need to allow access to Skype for Business, and this rule seems to conflict with the rule for Outlook.
  • Skype For Business Policy Building
    1 Posts | Last post August 02, 2017
    • I have activated the rule that blocks Outlook access from the internet; access is only allowed if the request comes from certain public IP addresses.
      I need to allow access to Skype for Business, and this rule seems to conflict with the rule for Outlook.
      
  • how to achieve a scenario completely opposite to "Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online"
    1 Posts | Last post March 03, 2016
    • I need to block access to O365 services like OWA and SharePoint/OneDrive through web browsers on mobile devices, and make them accessible only using the Intune-managed Outlook and OneDrive apps, so that we can apply Mobile Application Management policies effectively.
  • Confused building the IP address range expression
    2 Posts | Last post February 03, 2016
    • I have private IPs 172.16.100.x/24, 172.16.1.x/24 and public IP 110.164.x.x/29.
      1. What is the value for the range expression?
      2. Should I input the private IP or the public IP?
      
    • OK, the ADFS Proxy must be installed!
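Both the regex question in the "Block all external Access to O365" thread above and the range-expression question in this thread come down to the same two tasks: building the x-ms-forwarded-client-ip expression from a set of IP ranges, and checking that it matches exactly those ranges. The following is an added example written for this page; it is not code from the Client Access Policy Builder script or from any of the posters. It turns a list of CIDR blocks into the same \b-delimited alternation style the tool emits, verifies the result exhaustively against every address in each block (and the addresses just outside them), and prints the deny rule with the placeholder filled in. The sample ranges are constructed: the two private /24s from this thread, plus the RFC 5737 documentation block 203.0.113.0/29 standing in for the elided public /29. AD FS evaluates =~ with the .NET regex engine as an unanchored match; Python's re behaves the same for the constructs used here (character classes, alternation, non-capturing groups, \b), which is why the boundaries are kept. What AD FS compares is whatever arrives in the x-ms-forwarded-client-ip claim, normally the public address Office 365 saw for the client, so a private range in the expression is harmless but only matches if that is what the claim actually carries; check the values in your own AD FS claim logging before relying on the list.

```python
import ipaddress
import re

# Claim types exactly as they appear in the rules on this page.
PROXY_CLAIM = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
FORWARDED_IP_CLAIM = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
DENY_CLAIM = "http://schemas.microsoft.com/authorization/claims/deny"


def _octet_range(lo, hi):
    """Regex alternatives that together match every integer in [lo, hi] (0..255)."""
    if lo == hi:
        return [str(lo)]
    if len(str(lo)) != len(str(hi)):
        # Different digit counts: split at the power-of-ten boundary (9|10 or 99|100).
        cut = 10 ** len(str(lo))
        return _octet_range(lo, cut - 1) + _octet_range(cut, hi)
    if lo < 10:
        return [f"[{lo}-{hi}]"]
    head_lo, tail_lo = divmod(lo, 10)
    head_hi, tail_hi = divmod(hi, 10)
    if head_lo == head_hi:                       # e.g. 192..199 -> 19[2-9]
        return [f"{head_lo}[{tail_lo}-{tail_hi}]"]
    out = []
    if tail_lo != 0:                             # ragged start, e.g. 16..19 -> 1[6-9]
        out.append(f"{head_lo}[{tail_lo}-9]")
        head_lo += 1
    end = None
    if tail_hi != 9:                             # ragged end, e.g. 30..31 -> 3[0-1]
        end = f"{head_hi}[0-{tail_hi}]"
        head_hi -= 1
    if head_lo <= head_hi:                       # whole decades in between, e.g. 20..29 -> 2[0-9]
        out.extend(p + "[0-9]" for p in _octet_range(head_lo, head_hi))
    if end:
        out.append(end)
    return out


def cidr_to_regex(cidr):
    """Word-bounded regex matching exactly the IPv4 addresses of one CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    base = net.network_address.packed
    parts = []
    for i in range(4):
        fixed = max(0, min(8, net.prefixlen - 8 * i))     # network bits in this octet
        lo = base[i] & (0xFF << (8 - fixed)) & 0xFF
        hi = lo | ((1 << (8 - fixed)) - 1)
        alts = _octet_range(lo, hi)
        parts.append(alts[0] if len(alts) == 1 else "(?:" + "|".join(alts) + ")")
    # AD FS evaluates =~ unanchored, so the \b boundaries keep 10.1.2.3 from matching 110.1.2.34.
    return r"\b" + r"\.".join(parts) + r"\b"


def ranges_to_regex(cidrs):
    """One expression for the whole allow-list, ready for the Value =~ "..." slot."""
    return "|".join(cidr_to_regex(c) for c in cidrs)


def ip_allowed(regex, ip):
    """The test AD FS applies to the x-ms-forwarded-client-ip value."""
    return re.search(regex, ip) is not None


def verify_regex(cidrs):
    """Exhaustive check for small blocks: every address inside matches, and the two
    addresses just outside each block do not (unless another listed block covers them)."""
    regex = ranges_to_regex(cidrs)
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for net in nets:
        if not all(ip_allowed(regex, str(a)) for a in net):
            return False
        for n in (int(net.network_address) - 1, int(net.broadcast_address) + 1):
            if not 0 <= n <= 0xFFFFFFFF:
                continue
            outside = ipaddress.ip_address(n)
            if not any(outside in m for m in nets) and ip_allowed(regex, str(outside)):
                return False
    return True


def build_deny_rule(cidrs, rule_name="Block all external access to Office 365 except from listed IP ranges"):
    """The deny rule in the shape the tool emits, with its IP placeholder filled in."""
    return (
        f'@RuleName = "{rule_name}"\n'
        f'exists([Type == "{PROXY_CLAIM}"])\n'
        f' && NOT exists([Type == "{FORWARDED_IP_CLAIM}", Value =~ "{ranges_to_regex(cidrs)}"])\n'
        f' => issue(Type = "{DENY_CLAIM}", Value = "true");'
    )


if __name__ == "__main__":
    # Constructed sample: the two private /24s from the question plus an RFC 5737
    # documentation block standing in for the public /29 (hypothetical values).
    sites = ["172.16.100.0/24", "172.16.1.0/24", "203.0.113.0/29"]
    print("regex verified:", verify_regex(sites))
    print(build_deny_rule(sites))
```

verify_regex enumerates every address in each block, so keep it to the /20s and smaller that appear in practice; for a /8 test a handful of addresses with ip_allowed instead. The generated alternation is longer than a hand-written one but has no gaps, which is the property the regex in the earlier thread lacks.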
  • ADFS 3.0
    1 Posts | Last post June 11, 2015
    • Hi, can you post the .ps1 already changed for Windows 2012 R2?
      
      Is it normal to see the message "Could not Write to 'Active Directory' CP Trust"?
  • Is something planned for a 3.0 farm?
    2 Posts | Last post August 25, 2014
    • I have been using this builder for a while now, including for a 3.0 farm implementation. I have to manually copy the claim rule from a 2.0 farm and manually edit the regex for IP ranges. It would be nice to just run it and automate everything inside a 3.0 farm.
      Hopefully something is in the build?
      
      Cheers !!
      Sai Prasad
    • I figured a way to get this to work with ADFS 3.0.
      
      Search for this line in the code:
           If (($OSVersion.Major -eq 6) -and ($OSVersion.Minor -eq 2))
      and change it to:
           If (($OSVersion.Major -eq 6) -and ($OSVersion.Minor -ge 2))
      
      Cheers !!
      Sai Prasad
  • Limiting to ActiveSync should include Autodiscover as well
    3 Posts | Last post June 19, 2014
    • With the option to limit all external access except ActiveSync, the rule syntax does not include Microsoft.Exchange.ActiveSync, which is recommended here: http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx 
      
      Imho, the CAS Builder should be updated to include Autodiscover together with ActiveSync. Thanks.
    • Hi Jasper,
      
      When the "block all except ActiveSync" option is selected, the following code executes:
      
          $radiobuttonBlockExceptEAS_CheckedChanged={ 
              If ($radiobuttonBlockExceptEAS.Checked) 
              { 
          $Global:ClaimRuleLanguage = @" 
      @RuleName = "Permit Access to All Users" 
       => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true"); 
      @RuleName = "Block all external access to Office 365 except Exchange ActiveSync" 
      exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && 
      NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", 
      Value=="Microsoft.Exchange.ActiveSync"]) && 
      NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", 
      Value=~"IPPlaceholder"]) 
      => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true"); 
      "@     
              } 
               
          } 
      
      Notice the inclusion of Microsoft.Exchange.ActiveSync in the rule language.
      
      Does this help?
      
      Thank you,
      Adam Conkle - MSFT
      
    • Hi Adam, 
      
      Thanks. It was a typo from my side; I meant that ActiveSync does not include Autodiscover. Autodiscover is missing from the "allow ActiveSync" option in the builder, but in the TechNet article explaining the scenarios, ActiveSync comes together with Autodiscover.
      
      Thanks,
      Jesper Ståhle
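The gap Jesper points at is easiest to see by running the deny rule's logic against a few requests. The block below is an added example for this page, not the builder's code or Adam's: it reproduces the two rules from Adam's reply, generalized to a list of permitted x-ms-client-application values, and a small evaluator that applies the rule's condition to a request expressed as {claim type: value}. In AD FS a deny claim overrides a permit claim, so any request that satisfies the deny condition is refused. With only Microsoft.Exchange.ActiveSync listed, an external Autodiscover request is denied, so a device that needs Autodiscover to find its server settings is blocked before it ever makes an ActiveSync request; adding Microsoft.Exchange.Autodiscover (the value the linked TechNet article pairs with ActiveSync) lets it through. The claim type strings are the ones on the page; the office egress regex, the Outlook Anywhere application name used as a non-exempt client, and the request samples are constructed for illustration.

```python
import re

# Claim types exactly as they appear in the rules on this page.
PROXY_CLAIM = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
CLIENT_APP_CLAIM = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
FORWARDED_IP_CLAIM = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
PERMIT_CLAIM = "http://schemas.microsoft.com/authorization/claims/permit"
DENY_CLAIM = "http://schemas.microsoft.com/authorization/claims/deny"

EAS = "Microsoft.Exchange.ActiveSync"
AUTODISCOVER = "Microsoft.Exchange.Autodiscover"   # listed alongside ActiveSync in the TechNet article


def build_rules(allowed_apps, ip_regex):
    """Permit-all plus deny rule in the tool's shape, with one NOT exists(...) term
    per permitted client application instead of the single ActiveSync term."""
    app_terms = "".join(
        f'NOT exists([Type == "{CLIENT_APP_CLAIM}", Value == "{app}"]) &&\n' for app in allowed_apps
    )
    return (
        '@RuleName = "Permit Access to All Users"\n'
        f' => issue(Type = "{PERMIT_CLAIM}", Value = "true");\n'
        '@RuleName = "Block all external access to Office 365 except listed client applications"\n'
        f'exists([Type == "{PROXY_CLAIM}"]) &&\n'
        f'{app_terms}'
        f'NOT exists([Type == "{FORWARDED_IP_CLAIM}", Value =~ "{ip_regex}"])\n'
        f' => issue(Type = "{DENY_CLAIM}", Value = "true");'
    )


def decide(request, allowed_apps, ip_regex):
    """Outcome of those two rules for one request given as {claim type: value}.

    The permit rule always fires. The deny rule fires only when every term of its
    condition holds, and a deny claim overrides the permit claim in AD FS."""
    is_external = PROXY_CLAIM in request                      # request came through the AD FS proxy
    app_exempt = request.get(CLIENT_APP_CLAIM) in allowed_apps
    ip_exempt = re.search(ip_regex, request.get(FORWARDED_IP_CLAIM, "")) is not None
    return "deny" if is_external and not app_exempt and not ip_exempt else "permit"


# Constructed values: the office's public /29 (RFC 5737 documentation range) and
# sample claim sets as AD FS would see them.
OFFICE_EGRESS = r"\b203\.0\.113\.[0-7]\b"
EXTERNAL_AUTODISCOVER = {PROXY_CLAIM: "true", CLIENT_APP_CLAIM: AUTODISCOVER, FORWARDED_IP_CLAIM: "198.51.100.23"}
EXTERNAL_EAS = {PROXY_CLAIM: "true", CLIENT_APP_CLAIM: EAS, FORWARDED_IP_CLAIM: "198.51.100.23"}
# Outlook Anywhere from inside the office; any non-exempt application name behaves the same here.
OUTLOOK_FROM_OFFICE = {PROXY_CLAIM: "true", CLIENT_APP_CLAIM: "Microsoft.Exchange.RPC", FORWARDED_IP_CLAIM: "203.0.113.5"}
INTERNAL_BROWSER = {}   # no x-ms-proxy claim: the request reached the federation server directly


def scenario():
    """Run the sample requests through an EAS-only policy and an EAS+Autodiscover policy."""
    eas_only = [EAS]
    eas_and_autodiscover = [EAS, AUTODISCOVER]
    return {
        "autodiscover, EAS-only policy": decide(EXTERNAL_AUTODISCOVER, eas_only, OFFICE_EGRESS),
        "autodiscover, EAS+Autodiscover policy": decide(EXTERNAL_AUTODISCOVER, eas_and_autodiscover, OFFICE_EGRESS),
        "eas, EAS-only policy": decide(EXTERNAL_EAS, eas_only, OFFICE_EGRESS),
        "outlook from office egress": decide(OUTLOOK_FROM_OFFICE, eas_only, OFFICE_EGRESS),
        "internal browser": decide(INTERNAL_BROWSER, eas_only, OFFICE_EGRESS),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
    print(build_rules([EAS, AUTODISCOVER], OFFICE_EGRESS))
```

The evaluator only models the three claims the rule inspects; real AD FS request context carries more, but none of it changes the outcome of this particular rule.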
1 - 10 of 15 Items