Create a Rule to Permit or Deny Users Based on an Incoming Claim

Applies To: Windows Server 2016, Windows Server 2012 R2

In Windows Server 2016, you can use an Access Control Policy to create a rule that will permit of deny users based on an incoming claim. In Windows Server 2012 R2, using the Permit or Deny Users Based on an Incoming Claim rule template in Active Directory Federation Services (AD FS), you can create an authorization rule that will grant or deny user’s access to the relying party based on the type and value of an incoming claim.

For example, you can use this to create a rule that will permit only users that have a group claim with a value of Domain Admins to access the relying party. If you want to permit all users to access the relying party, use the Permit Everyone Access Control Policy or the Permit All Users rule template depending on your version of Windows Server. Users who are permitted to access the relying party from the Federation Service may still be denied service by the relying party.

You can use the following procedure to create a claim rule with the AD FS Management snap-in.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To create a rule to permit users based on an incoming claim on Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Access Control Policies. create rule

  3. Right-click and select Add Access Control Policy. create rule

  4. In the name box, enter a name for your policy, a description and click Add. create rule

  5. On the Rule Editor, under users, place a check in with specific claims in the request and click the underlined specific at the bottom. create rule

  6. On the Select Claims screen, click the Claims radio button, select the Claim type, the Operator, and the Claim Value then click Ok. create rule

  7. On the Rule Editor click Ok. On the Add Access Control Policy screen, click Ok.

  8. In the AD FS Management console tree, under AD FS, click Relying Party Trusts. create rule

  9. Right-click the Relying Party Trust that you want to permit access to and select Edit Access Control Policy.
    create rule

  10. On the Access control policy select your policy and then click Apply and Ok. create rule

To create a rule to deny users based on an incoming claim on Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Access Control Policies. create rule

  3. Right-click and select Add Access Control Policy. create rule

  4. In the name box, enter a name for your policy, a description and click Add. create rule

  5. On the Rule Editor, make sure everyone is selected and under Except place a check in with specific claims in the request and click the underlined specific at the bottom. create rule

  6. On the Select Claims screen, click the Claims radio button, select the Claim type, the Operator, and the Claim Value then click Ok. create rule

  7. On the Rule Editor click Ok. On the Add Access Control Policy screen, click Ok.

  8. In the AD FS Management console tree, under AD FS, click Relying Party Trusts. create rule

  9. Right-click the Relying Party Trust that you want to permit access to and select Edit Access Control Policy.
    create rule

  10. On the Access control policy select your policy and then click Apply and Ok. create rule

To create a rule to permit or deny users based on an incoming claim on Windows Server 2012 R2

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships\Relying Party Trusts, click a specific trust in the list where you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.
    create rule

  4. In the Edit Claim Rules dialog box, click the Issuance Authorization Rules tab or the Delegation Authorization Rules tab (based on the type of authorization rule you require), and then click Add Rule to start the Add Authorization Claim Rule Wizard.
    create rule

  5. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim from the list, and then click Next.
    create rule

  6. On the Configure Rule page under Claim rule name type the display name for this rule, in Incoming claim type select a claim type in the list, under Incoming claim value type a value or click Browse (if it is available) and select a value, and then select one of the following options, depending on the needs of your organization:

    • Permit access to users with this incoming claim

    • Deny access to users with this incoming claim
      create rule

  7. Click Finish.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

Additional references

Configure Claim Rules

Checklist: Creating Claim Rules for a Relying Party Trust

When to Use an Authorization Claim Rule

The Role of Claims

The Role of Claim Rules