I have set up an ADFS 3.0 environment with 2 ADFS servers and 2 WAP servers to authenticate to O365, and now I would like to prohibit employees from using O365 from home unless they are in a particular AD group. I have completed what is described below, but it still allows access to anyone regardless of IP and/or group.
Basically, if a person is not in the group represented by the SID in rule 2 and they are coming from anywhere other than the inside network 192.168.0.0/24, then deny. Anyone in the inside network should be allowed.
I followed https://technet.microsoft.com/en-us/library/dn592182.aspx as closely as I could and have the following:
Issuance authorization rule 1
[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b"]
&& [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
=> issue(Type = "http://custom/ipoutsiderange", Value = "true");
Issuance authorization rule 2
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-2587162438-2260194770-2272142157-8805"])
=> add(Type = "http://custom/groupsid", Value = "fail");
Issuance authorization rule 3
[Type == "http://custom/ipoutsiderange", Value == "true"]
&& c2:[Type == "http://custom/groupsid", Value == "fail"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
Issuance authorization rule 4
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
Any ideas what I am missing?
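As an added example (not part of the question or of the TechNet article), the following Python script models the four rules above and evaluates them over a few constructed claim sets, so the effect of the regex and of the rule-1 condition can be checked offline. The claim types, group SID and regular expression are copied verbatim from the posted rules; the evaluation model is a simplification of the AD FS pipeline (rules run in order, `add` puts a claim into the pipeline only, `issue` also emits it, and an emitted deny claim overrides permit). The IP addresses used are constructed; 203.0.113.5 is a documentation (TEST-NET-3) address.

```python
import ipaddress
import re

# Claim types exactly as written in the four rules above
FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
INSIDE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
IP_OUT = "http://custom/ipoutsiderange"
GRP_FAIL = "http://custom/groupsid"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"

# Group SID and regex copied verbatim from rules 2 and 1
ALLOWED_GROUP = "S-1-5-21-2587162438-2260194770-2272142157-8805"
RULE1_REGEX = re.compile(
    r"\b192\.168\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])"
    r"\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b"
)


def in_stated_range(ip):
    """The range the question wants treated as 'inside': 192.168.0.0/24."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network("192.168.0.0/24")


def evaluate(claims):
    """Run the four issuance authorization rules in order over a claim set.

    claims is a list of (type, value) pairs. Simplified model (assumption):
    each rule sees the incoming claims plus whatever earlier rules issued or
    added; 'add' only extends the pipeline, 'issue' also emits the claim.
    A deny claim in the output wins over a permit claim.
    """
    pipeline = list(claims)
    output = []

    def has(ctype, value):
        return any(t == ctype and v == value for t, v in pipeline)

    # Rule 1: IP matches the regex AND insidecorporatenetwork == "false"
    ips = [v for t, v in pipeline if t == FWD_IP]
    if any(RULE1_REGEX.search(ip) for ip in ips) and has(INSIDE, "false"):
        pipeline.append((IP_OUT, "true"))
        output.append((IP_OUT, "true"))
    # Rule 2: NOT EXISTS(group SID) -> add groupsid=fail to the pipeline only
    if not has(GROUPSID, ALLOWED_GROUP):
        pipeline.append((GRP_FAIL, "fail"))
    # Rule 3: both custom claims present -> deny
    if has(IP_OUT, "true") and has(GRP_FAIL, "fail"):
        output.append((DENY, "DenyUsersWithClaim"))
    # Rule 4: unconditional permit
    output.append((PERMIT, "true"))
    decision = "deny" if any(t == DENY for t, _ in output) else "permit"
    return decision, output


def make_claims(ip, inside, in_group):
    """Build a constructed claim set for one sign-in attempt."""
    claims = [(FWD_IP, ip), (INSIDE, "true" if inside else "false")]
    if in_group:
        claims.append((GROUPSID, ALLOWED_GROUP))
    return claims


def run_cases():
    """Constructed scenarios (insidecorporatenetwork=false in all of them,
    since that is the only situation in which rule 1 can fire)."""
    scenarios = {
        "external_not_in_group": ("203.0.113.5", False, False),
        "lan_0_subnet_not_in_group": ("192.168.0.10", False, False),
        "lan_5_subnet_not_in_group": ("192.168.5.7", False, False),
        "lan_5_subnet_in_group": ("192.168.5.7", False, True),
    }
    results = {}
    for name, (ip, inside, in_group) in scenarios.items():
        decision, _ = evaluate(make_claims(ip, inside, in_group))
        results[name] = {
            "ip": ip,
            "regex_match": RULE1_REGEX.search(ip) is not None,
            "wanted_inside": in_stated_range(ip),
            "decision": decision,
        }
    return results


if __name__ == "__main__":
    for name, r in run_cases().items():
        print(f"{name:28s} ip={r['ip']:14s} regex_match={r['regex_match']!s:5s} "
              f"wanted_inside={r['wanted_inside']!s:5s} -> {r['decision']}")
```

Two things the run makes visible: every alternative for the third and fourth octet in the regex starts with a digit 1-9 or with `1`/`2`, so no address in 192.168.0.0/24 ever matches it; and rule 1 issues `ipoutsiderange=true` only when the forwarded IP does match, so with these rules a user outside the regex range is never denied, which reproduces the symptom described in the question.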