
ADFS Access Control Policies with PowerShell

This reference explains how to create custom ADFS access control policies using PowerShell. Use this when the built-in ADFS policies are insufficient — for example, when you need location-based MFA rules that require multi-factor authentication only for extranet users while allowing intranet users through without MFA.

Before you start, you need:

  • A working ADFS environment with the Mideye ADFS Module installed and configured.
  • Administrative access to the ADFS server (PowerShell).
  • The SIDs of the AD security groups and the IP ranges for your organization.

Get the access control policy settings (these cannot be exported to file directly):

Get-AdfsAccessControlPolicy -Name "Network dependent mfa policy"

Get the policy XML metadata (this can be saved to a file):

(Get-AdfsAccessControlPolicy -Name "Network dependent mfa policy").PolicyMetadata | fl *

The following example policy has two rules:

| Rule | Conditions | Effect |
| --- | --- | --- |
| Rule 1 | User is a member of group S-1-5-21-…-1104 and the request comes from 10.0.1.0/24 or 172.16.0.0/16 | Allow without MFA |
| Rule 2 | User is a member of group S-1-5-21-…-1104 and the request comes from the extranet | Require MFA |

The policy metadata for these two rules is shown below; save it to a file (for example c:\Filename.xml) before importing it. Rule 2's MFA requirement is expressed by the MultiFactorAuthenticationCondition with the operator IsPresent: the rule only permits the request once multi-factor authentication has been performed.

<?xml version="1.0" encoding="UTF-8"?>
<PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
<RequireFreshAuthentication>false</RequireFreshAuthentication>
<IssuanceAuthorizationRules>
<Rule>
<Conditions>
<Condition i:type="LocationCondition">
<Operator>Equals</Operator>
<Values>
<Value>10.0.1.0/24</Value>
<Value>172.16.0.0/16</Value>
</Values>
</Condition>
<Condition i:type="GroupMembershipCondition">
<Operator>Equals</Operator>
<Values>
<Value>S-1-5-21-2403268988-2362025418-4073813711-1104</Value>
</Values>
</Condition>
</Conditions>
</Rule>
<Rule>
<Conditions>
<Condition i:type="LocationCondition">
<Operator>Equals</Operator>
<Values>
<Value>extranet</Value>
</Values>
</Condition>
<Condition i:type="GroupMembershipCondition">
<Operator>Equals</Operator>
<Values>
<Value>S-1-5-21-2403268988-2362025418-4073813711-1104</Value>
</Values>
</Condition>
<Condition i:type="MultiFactorAuthenticationCondition">
<Operator>IsPresent</Operator>
<Values />
</Condition>
</Conditions>
</Rule>
</IssuanceAuthorizationRules>
</PolicyMetadata>

Import the saved XML file as a new access control policy:

New-AdfsAccessControlPolicy -Name "MyTestPolicy" -PolicyMetadataFile c:\Filename.xml

After importing, assign the policy to a relying party trust in the ADFS Management console or via PowerShell:

Set-AdfsRelyingPartyTrust -TargetName "My Application" -AccessControlPolicyName "MyTestPolicy"
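The steps above (write the policy metadata, import it, assign it to a relying party trust) combined into one script, as an added example that is not part of the Mideye documentation or module. The policy name, relying party name, file path and IP ranges are assumptions for this example; the group SID is the one used in the XML above and must be replaced with your own. The script also adds two checks a practitioner would want before changing production authentication behaviour: it resolves the SID to a group name so you can confirm the policy targets the intended group, and it parses the XML locally before handing it to ADFS.

```powershell
# Added example (not Mideye's code): build, validate, import and assign a
# location-dependent MFA access control policy in ADFS.
# Names, paths and ranges below are placeholders for this example.
$PolicyName     = 'Network dependent mfa policy'     # assumed policy name
$RelyingParty   = 'My Application'                   # assumed relying party trust name
$GroupSid       = 'S-1-5-21-2403268988-2362025418-4073813711-1104'  # SID from the example above; replace
$IntranetRanges = @('10.0.1.0/24', '172.16.0.0/16')  # assumed intranet ranges
$MetadataFile   = Join-Path $env:TEMP 'network-mfa-policy.xml'

# Check 1: resolve the SID to an account name so the target group is confirmed
# before a policy is built on it (a typo in a SID would silently match nobody).
$sidObject = New-Object System.Security.Principal.SecurityIdentifier($GroupSid)
$account   = $sidObject.Translate([System.Security.Principal.NTAccount])
Write-Host "Policy will apply to group: $($account.Value)"

# Build one <Value> element per intranet range for the LocationCondition.
$rangeValues = ($IntranetRanges | ForEach-Object { "        <Value>$_</Value>" }) -join "`n"

# Same structure as the metadata shown above: rule 1 permits intranet members
# without MFA, rule 2 permits extranet members only when MFA is present.
$metadata = @"
<?xml version="1.0" encoding="UTF-8"?>
<PolicyMetadata xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2012/04/ADFS">
  <RequireFreshAuthentication>false</RequireFreshAuthentication>
  <IssuanceAuthorizationRules>
    <Rule>
      <Conditions>
        <Condition i:type="LocationCondition">
          <Operator>Equals</Operator>
          <Values>
$rangeValues
          </Values>
        </Condition>
        <Condition i:type="GroupMembershipCondition">
          <Operator>Equals</Operator>
          <Values><Value>$GroupSid</Value></Values>
        </Condition>
      </Conditions>
    </Rule>
    <Rule>
      <Conditions>
        <Condition i:type="LocationCondition">
          <Operator>Equals</Operator>
          <Values><Value>extranet</Value></Values>
        </Condition>
        <Condition i:type="GroupMembershipCondition">
          <Operator>Equals</Operator>
          <Values><Value>$GroupSid</Value></Values>
        </Condition>
        <Condition i:type="MultiFactorAuthenticationCondition">
          <Operator>IsPresent</Operator>
          <Values />
        </Condition>
      </Conditions>
    </Rule>
  </IssuanceAuthorizationRules>
</PolicyMetadata>
"@

# Check 2: parse the document locally and confirm it carries both rules
# before ADFS sees it.
$xml = [xml]$metadata
$ruleCount = @($xml.PolicyMetadata.IssuanceAuthorizationRules.Rule).Count
if ($ruleCount -ne 2) { throw "Expected 2 rules in policy metadata, found $ruleCount" }

# Write the file without a byte-order mark.
[System.IO.File]::WriteAllText($MetadataFile, $metadata, (New-Object System.Text.UTF8Encoding $false))

# Import the policy unless one with this name already exists.
if (-not (Get-AdfsAccessControlPolicy -Name $PolicyName -ErrorAction SilentlyContinue)) {
    New-AdfsAccessControlPolicy -Name $PolicyName -PolicyMetadataFile $MetadataFile
}

# Assign the policy to the relying party trust and verify the assignment took effect.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -AccessControlPolicyName $PolicyName
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
if ($rp.AccessControlPolicyName -ne $PolicyName) {
    throw "Relying party '$RelyingParty' is not using policy '$PolicyName'"
}
Write-Host "Assigned '$PolicyName' to '$RelyingParty'"
```

Run the script in an elevated PowerShell session on the ADFS server. Re-run `Get-AdfsAccessControlPolicy -Name $PolicyName` afterwards and compare its metadata with the file you imported, since that read-back is the only way on this page to confirm what ADFS actually stored.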