krypted.com

Tiny Deathstars of Foulness

I covered managing devices based on policy in http://krypted.com/microsoft-exchange-server/manage-activesync-policies-on-ios-using-powershell-in-exchange-2016/. One of those policies is “modern authentication”, Azure Passthrough Authentication, or OAuth if you will. To enable it, log into Exchange Online via PowerShell and run the set-OrganizationConfig to set -OAuth2ClientProfileEnabled to True: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true If you’re using Skype, do an override: Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed Now check that OAuth was enabled properly: Get-CsOAuthConfiguration And viola, you’ve caught up to where WordPress was at with OAuth 8 years ago! Next, check the global ADFS authentication rule: Get-AdfsAdditionalAuthenticationRule And you can use Set-AdfsAdditionalAuthenticationRule. Now, you should be able to check the ADFS rules required for a given MFA requirement: Get-AdfsRelyingPartyTrust –Name "Krypted" And then if necessary, set them: Set-AdfsRelyingPartyTrust –TargetRelyingParty Krypted –AdditionalAuthenticationRules ‘c: [Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-Insert your Group SID here"] && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");’ You can then check groups: GetADGroup -Identity "Krypted Users"

May 9th, 2017

Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server

Tags: , , , , ,