Restrict Access to Office 365 Exchange Online Part 2

In Part One we learnt:

  1. Install and update Windows Server with Active Directory Federation Services version 2.0 (AD FS 2.0) with Update Rollup 2 (KB2681584).

  2. Set up AD FS for Office 365 single sign-on.


    To continue:

  3. Add five claim rules to the Active Directory Claims Provider trust.

    Use the following procedure to add a set of claim rules that make the new claim types available to the policy engine. In this step you add one acceptance transform rule for each of the five new request context claim types: on the Active Directory claims provider trust, create a new acceptance transform rule that passes through each of the new request context claim types.

    a. Select Start, go to Programs, then to Administrative Tools. Click on AD FS 2.0 Management.

    b. In the console tree, under AD FS 2.0, Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

    c. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the Rule wizard.

    d. On the Select Rule Template page, under Claim Rule Template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

    e. On the Configure Rule page, under Claim Rule Name, type the display name for this rule; in Incoming Claim Type, paste the Issued Claim Type URL, and then select Pass through all claim values. Complete this step for all five Issued Claim Type URLs below:

    Rule Name                   Issued Claim Type URL
    EQ-Forwarded-client-ip      https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
    EQ-client-application       https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
    EQ-client-user-agent        https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
    EQ-Proxy                    https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
    EQ-endpoint-absolute-path   https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path

    f. To verify the first rule, EQ-Forwarded-client-ip, select it in the list, click Edit Rule, and then click View Rule Language. The claim rule language should appear as follows:

    c:[Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);

    g. Click Finish and in the Edit Claim Rules dialog box, click OK to save the rules.

  4. Create a rule to block all external IP address access to Office 365 & Exchange Online

    If you want to simply block access to Office 365 & Exchange Online from the public Internet you need to carry out the following:

    a. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

    b. In the console tree, under AD FS 2.0, Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

    c. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the Rule wizard.

    d. On the Select Rule Template page, under Claim Rule Template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

    e. On the Configure Rule page, under Claim Rule Name, type the display name for this rule, such as Block Office 365 Exchange Online from the Internet. Under Custom Rule, paste the following claim rule language syntax:

    exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"]) => issue(Type = "https://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    Replace the placeholder customer-provided public ip address regex with an expression that matches your organisation's own public IP address range (see Building the IP address range expression).
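The allowed-IP expression is the part of the deny rule most worth testing before it goes live. The following is an added example, not code from the original post: it builds the expression for a constructed public range (203.0.113.0/24 plus the single host 198.51.100.7, both documentation addresses) and checks it against sample x-ms-forwarded-client-ip values. PowerShell's -match uses the .NET regex engine, the same engine that evaluates Value=~ in AD FS claim rules, and the last-octet pattern here is slightly tighter than the post's private-range example (it stops at 255).

```powershell
# Added example (not from the original post): build and test the allow-list
# expression for a constructed public range, 203.0.113.0/24 plus 198.51.100.7.
# -match uses the .NET regex engine, the same one behind Value=~ in AD FS rules.

# Last-octet pattern: 1-9, 10-99, 100-199, 200-249, 250-255 (no 256-259).
$octet = '([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
# Dots are escaped and each address is wrapped in \b, so "203x0x113x5" and
# "1203.0.113.5" do not match.
$allowed = "\b203\.0\.113\.$octet\b|\b198\.51\.100\.7\b"

function Test-ForwardedClientIp {
    param([string]$Ip)
    # $true means the address is inside the allowed range, so the
    # NOT exists([... x-ms-forwarded-client-ip, Value=~ ...]) clause is false
    # and the deny rule does not fire for this request.
    return [bool]($Ip -match $allowed)
}

# Constructed sample values, as they might arrive in the claim.
$samples = @(
    '203.0.113.5',           # inside the /24: allowed
    '203.0.113.254',         # inside the /24: allowed
    '198.51.100.7',          # the extra single host: allowed
    '203.0.114.5',           # neighbouring /24: denied
    '1203.0.113.5',          # \b rejects the leading digit: denied
    '203x0x113x5',           # escaped dots reject this: denied
    '10.0.0.1, 203.0.113.5'  # \b is a word boundary, not ^...$: an allowed
                             # address anywhere in a longer value still matches
)
foreach ($s in $samples) {
    '{0,-24} allowed={1}' -f $s, (Test-ForwardedClientIp $s)
}
```

Run the checks against the exact expression you intend to paste into the rule; the last sample shows why the value format you actually receive from the proxy matters when the pattern is only \b-delimited.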

  5. Update the Microsoft Office 365 Identity Platform relying party trust

    This step configures which types of client are blocked. Below is a custom block scenario: block all external access to Office 365, except Exchange ActiveSync and browser-based applications such as Outlook Web Access or SharePoint Online. The rule is shown one clause at a time, with an explanation after each clause.

    exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&

    The claim type x-ms-proxy exists. This means that the request came through an AD FS Proxy (or another compatible proxy, such as Azure).

    NOT exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) &&

    This clause exempts requests whose x-ms-client-application value is Microsoft.Exchange.Autodiscover. Several client applications (for example RPC or WebServices) can be checked in one clause by using the ‘or’ syntax, the ‘|’ character, in a regular-expression match on the value field.

    NOT exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) &&

    Likewise, this clause exempts requests whose x-ms-client-application value is Microsoft.Exchange.ActiveSync.

    NOT exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) &&

    The claim type x-ms-endpoint-absolute-path exists and has the value /adfs/ls/. This is the endpoint path for the _Active_ AD FS claim.

    NOT exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"\b192\.168\.1\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b255\.255\.255\.255\b"])

    The value of the claim type x-ms-forwarded-client-ip DOES NOT MATCH the regular expression above. The only allowed range is 192.168.1.0 to 192.168.1.255, plus the single address 255.255.255.255.

    For the source of x-ms-forwarded-client-ip, the values to expect in it, and the format of the expression, see Building the IP address range expression.

    => issue(Type = "https://schemas.microsoft.com/authorization/claims/deny", Value = "true");
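The same configuration can be applied without the MMC. The following is an added example, not code from the original post: it uses the AD FS 2.0 PowerShell snap-in to append the five step 3 pass-through rules to the Active Directory claims provider trust and to add the step 5 block rule to the Office 365 relying party trust. It assumes the default trust display names used in the post, places the block rule in the relying party trust's issuance authorization rules (my placement; the post does not name the tab), and uses the post's private-range expression only as a placeholder you must replace.

```powershell
# Added example, not from the original post: apply the Part Two rules with the
# AD FS 2.0 PowerShell snap-in. Trust names are the defaults named in the post;
# the allowed-IP expression is the post's placeholder and must be replaced.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ctx = 'https://schemas.microsoft.com/2012/01/requestcontext/claims'

# Step 3: one pass-through rule per request context claim, appended to the rules
# already on the Active Directory claims provider trust (Set- replaces the set).
$passThrough = @('x-ms-forwarded-client-ip', 'x-ms-client-application',
                 'x-ms-client-user-agent', 'x-ms-proxy', 'x-ms-endpoint-absolute-path') |
    ForEach-Object { "@RuleName = `"EQ-$_`"`nc:[Type == `"$ctx/$_`"] => issue(claim = c);" }
$cpt = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`n" + ($passThrough -join "`n"))

# Step 5: the custom block rule as an issuance authorization rule on the Office 365
# relying party trust (my placement), kept alongside the existing rules so the
# default permit rule survives. A deny claim overrides permit whatever the order.
$allowedIp = '\b192\.168\.1\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b255\.255\.255\.255\b'
$block = @"
@RuleName = "Block Office 365 Exchange Online from the Internet"
exists([Type == "$ctx/x-ms-proxy"]) &&
NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) &&
NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) &&
NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) &&
NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$allowedIp"])
=> issue(Type = "https://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
$rpt = Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
Set-ADFSRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' `
    -IssuanceAuthorizationRules ($block + "`n" + $rpt.IssuanceAuthorizationRules)
```

Because both Set- cmdlets replace the whole rule set, inspect the existing AcceptanceTransformRules and IssuanceAuthorizationRules strings first so the merge does not drop rules you rely on.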

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.


3 replies
  1. Antonio King says:

    Great guide, thank you so much!
    Step 4d. Shouldn’t the claim rule template be “Send Claims Using a Custom Rule” and not “Pass Through or Filter an Incoming Claim”?

      • Antonio King says:

        Thanks Sebastian,
        The problem is there is no “Custom rule” or “custom rule name” fields for the “Pass Through or Filter an Incoming Claim”
        These two options are only available for the “Send Claims Using a Custom Rule”
