Modern Access Control Policies for Office 365 Relying Party

So I have been playing with ADFS on Windows Server 2016 TP4, to discover new functionality and features. One of the things I really like is the ability to assign Access Control Policies now – and the Rule Editor behind it. These policies are found in the new “Access Control Policies” node in the AD FS management console.

The idea is that you configure Access Control Policies, that reflect your security requirements, and later assign them to applications. Depending on the security requirements, you would assign the application to one of your Access Control Policies – stricter or less strict, with MFA, without MFA.

When you need to change your security policies and need to touch the Access Control Policy, it will automatically be changed for all applications that have the policy assigned. No need to touch multiple Relying Parties or applications any more.

Microsoft delivers a number of Access Control Policies out of the box:


Creating a new Access Control Policy is easy. You give it a name and a description, and add multiple Rules to the policy. A Rule will consist of multiple conditions, that you can select and fill with parameters. It’s a neat Rule Editor, similar to the experience you have in Outlook, when setting up a Rule or an Alert:


Access Control Policies are the new way of granting access to Relying Parties – and less complex than Claim Rules (if you happened to be exposed to them).

New Relying Parties can be assigned these policies by right-clicking the Relying Party and selecting “Edit Access Control Policy”. The policy then takes effect – when users try to access the Relying Party, the policy is evaluated and, based on the Rule Set, access is granted or denied – and, if required, MFA is invoked.

Now this is all nice and good for new Relying Parties that you put in place. I upgraded my ADFS farm to Windows Server 2016, by replacing the nodes with ADFS servers on Windows Server 2016 TP4 – and I found something curious: the “Microsoft Office 365 Identity Platform” Relying Party for O365 didn’t have the “Edit Access Control Policy” option.

Yeah – I created that Relying Party before, and sure enough, the “old” model of granting access (Claim Rules) may not be compatible with the new Access Control Policies – at least that was my guess. So I fiddled around, looking for a way to convert it, and found an unusual-looking link on the “Edit Claim Rules for Microsoft Office 365 Relying Party” dialog, after right-clicking the O365 RP and selecting “Edit Claim Rules…”


Clicking that “Use access control policy” “link” did convert the Relying Party – and I was able to configure an Access Control Policy for it.
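The same conversion can be scripted with the AD FS 2016 cmdlets. The following is an added example, not from this post: it lists the Relying Parties that are still governed by Claim Rules (no Access Control Policy assigned, assumed to show as an empty AccessControlPolicyName), then assigns one of the built-in policies to the Office 365 RP and verifies the result. The RP display name is the one from the post; the policy name is assumed to be one of the built-in policies and should be checked against the listed names.

```powershell
# Added example (not the post's own steps): move the Office 365 RP from Claim Rules
# to an Access Control Policy from PowerShell and verify it stuck.
Import-Module ADFS

$o365Rp = "Microsoft Office 365 Identity Platform"   # RP display name used in the post
$policy = "Permit everyone and require MFA"          # assumed built-in policy name; pick from the list below

# Built-in and custom Access Control Policies available on this farm
Get-AdfsAccessControlPolicy | Select-Object Name, Description

# RPs with no policy assigned are still evaluated by their issuance authorization
# Claim Rules (assumption: such RPs report an empty AccessControlPolicyName).
Get-AdfsRelyingPartyTrust |
    Where-Object { [string]::IsNullOrEmpty($_.AccessControlPolicyName) } |
    Select-Object Name, Identifier

# Assign the policy to the Office 365 RP (scripted counterpart of the console's
# "Use access control policy" link).
Set-AdfsRelyingPartyTrust -TargetName $o365Rp -AccessControlPolicyName $policy

# Verify: the RP should now carry the policy name instead of an empty value.
Get-AdfsRelyingPartyTrust -Name $o365Rp | Select-Object Name, AccessControlPolicyName
```

Re-running the inventory afterwards is a quick way to spot any other pre-2016 RPs that were never converted and are still relying on their old Claim Rules.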

Let’s see what the UI/option will look like in RTM.
