AD FS Policies

ESA installer sets the following AD FS authentication rules:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]

 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]

 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

 

The rules above automatically enable two-factor authentication (2FA) for both internal and external networks.

If you use a third-party AD FS app that does not work properly with 2FA, and you want to exclude specific users from using 2FA to access that app, then you must edit the AD FS policy.

1.Open Windows PowerShell and execute the following command. This command verifies that the only additional authentication rules are the ones listed at the beginning of this section.

Get-AdfsAdditionalAuthenticationRule

2.To remove additional authentication rules, execute the following command:

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules ' '

3.Open AD FS Management, click Access Control Policies > Action > Add Access Control Policy.

4. Add the following two Permit Users rules:

I.Permit Users
from esa_domain\ESA Users groups
and require multi-factor authentication

II.Permit Users

If the Authentication Server is installed in Active Directory Integration mode, the esa_domain\ESA Users group is automatically created during installation, while esa_domain is replaced with the domain name of the Authentication Server.

If the Authentication Server is installed in Standalone mode, you have to create a user group and assign ESA users to the group.

The two Permit Users rules above will ensure, that 2FA is required only for users belonging to the specified group. For all other users the 2FA authentication page is skipped.

5.Click Relying Party Trusts, assign the policy to the applicable relying party.