krypted.com

Tiny Deathstars of Foulness

I covered managing devices based on policy in http://krypted.com/microsoft-exchange-server/manage-activesync-policies-on-ios-using-powershell-in-exchange-2016/. One of those policies is “modern authentication”, Azure Passthrough Authentication, or OAuth if you will. To enable it, log into Exchange Online via PowerShell and run the set-OrganizationConfig to set -OAuth2ClientProfileEnabled to True:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

If you’re using Skype, do an override:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Now check that OAuth was enabled properly:

Get-CsOAuthConfiguration

And viola, you’ve caught up to where WordPress was at with OAuth 8 years ago! Next, check the global ADFS authentication rule:

Get-AdfsAdditionalAuthenticationRule

And you can use Set-AdfsAdditionalAuthenticationRule. Now, you should be able to check the ADFS rules required for a given MFA requirement:

Get-AdfsRelyingPartyTrust –Name "Krypted"

And then if necessary, set them:

Set-AdfsRelyingPartyTrust –TargetRelyingParty Krypted –AdditionalAuthenticationRules ‘c: [Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-Insert your Group SID here"] && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");’

You can then check groups:

GetADGroup -Identity "Krypted Users"

May 9th, 2017

Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server

Tags: , , , , ,