Configure Authentication Policies

Applies To: Windows Server 2012 R2

In AD FS in Windows Server 2012 R2, both access control and the authentication mechanism are enhanced with multiple factors that include user, device, location, and authentication data. These enhancements enable you, either through the user interface or through Windows PowerShell, to manage the risk of granting access to AD FS-secured applications via multi-factor access control and multi-factor authentication that are based on user identity or group membership, network location, workplace-joined device data, and the authentication state, that is, whether multi-factor authentication (MFA) was performed.

For more information about MFA and multi-factor access control in Active Directory Federation Services (AD FS) in Windows Server 2012 R2, see the following topics:

Configure authentication policies via the AD FS Management snap-in

Membership in Administrators, or equivalent, on the local computer is the minimum requirement to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

In AD FS in Windows Server 2012 R2, you can specify an authentication policy at a global scope that applies to all applications and services that are secured by AD FS. You can also set authentication policies for specific applications and services (relying party trusts) that are secured by AD FS. Specifying an authentication policy for a particular application per relying party trust does not override the global authentication policy. If either the global or the per relying party trust authentication policy requires MFA, MFA is triggered when the user tries to authenticate to this relying party trust. The global authentication policy is a fallback for relying party trusts for applications and services that do not have a specific configured authentication policy.

To configure primary authentication globally in Windows Server 2012 R2

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the AD FS snap-in, click Authentication Policies.

  3. In the Primary Authentication section, click Edit next to Global Settings. You can also right-click Authentication Policies and select Edit Global Primary Authentication, or, under the Actions pane, select Edit Global Primary Authentication.

  4. In the Edit Global Authentication Policy window, on the Primary tab, you can configure the following settings as part of the global authentication policy:

To configure primary authentication per relying party trust

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the AD FS snap-in, click Authentication Policies\Per Relying Party Trust, and then click the relying party trust for which you want to configure authentication policies.

  3. Either right-click the relying party trust for which you want to configure authentication policies and then select Edit Custom Primary Authentication, or, under the Actions pane, select Edit Custom Primary Authentication.

  4. In the Edit Authentication Policy for <relying_party_trust_name> window, under the Primary tab, you can configure the following setting as part of the Per Relying Party Trust authentication policy:

    • Whether users are required to provide their credentials each time at sign-in, via the Users are required to provide their credentials each time at sign-in check box.

To configure multi-factor authentication globally

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the AD FS snap-in, click Authentication Policies.

  3. In the Multi-factor Authentication section, click Edit next to Global Settings. You can also right-click Authentication Policies and select Edit Global Multi-factor Authentication, or, under the Actions pane, select Edit Global Multi-factor Authentication.

  4. In the Edit Global Authentication Policy window, under the Multi-factor tab, you can configure the following settings as part of the global multi-factor authentication policy:

    • Settings or conditions for MFA, via the available options under the Users/Groups, Devices, and Locations sections.

    • To enable MFA for any of these settings, you must select at least one additional authentication method. Certificate Authentication is the default available option. You can also configure other custom additional authentication methods, for example, Windows Azure Active Authentication. For more information, see Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.

Warning

You can only configure additional authentication methods globally.

To configure multi-factor authentication per relying party trust

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the AD FS snap-in, click Authentication Policies\Per Relying Party Trust, and then click the relying party trust for which you want to configure MFA.

  3. Either right-click the relying party trust for which you want to configure MFA and then select Edit Custom Multi-factor Authentication, or, under the Actions pane, select Edit Custom Multi-factor Authentication.

  4. In the Edit Authentication Policy for <relying_party_trust_name> window, under the Multi-factor tab, you can configure the following settings as part of the per relying party trust authentication policy:

    • Settings or conditions for MFA, via the available options under the Users/Groups, Devices, and Locations sections.

Configure authentication policies via Windows PowerShell

Windows PowerShell enables greater flexibility in using the various factors of access control and the authentication mechanism that are available in AD FS in Windows Server 2012 R2 to configure the authentication policies and authorization rules that are necessary to implement true conditional access for your AD FS-secured resources.

Membership in Administrators, or equivalent, on the local computer is the minimum requirement to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure an additional authentication method via Windows PowerShell

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider CertificateAuthentication

Warning

To verify that this command ran successfully, you can run the Get-AdfsGlobalAuthenticationPolicy command.

To configure MFA per relying party trust based on a user's group membership data

  1. On your federation server, open the Windows PowerShell command window and run the following command:

    $rp = Get-AdfsRelyingPartyTrust -Name relying_party_trust

Warning

Make sure to replace <relying_party_trust> with the name of your relying party trust.

  2. In the same Windows PowerShell command window, run the following command. The claim rule is one PowerShell string; the inner double quotes of the claim rule language are escaped with a backtick.

    $MfaClaimRule = "c:[Type == `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`", Value =~ `"^(?i)<group_SID>$`"] => issue(Type = `"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`", Value = `"http://schemas.microsoft.com/claims/multipleauthn`");"
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $MfaClaimRule

Note

Make sure to replace <group_SID> with the value of the security identifier (SID) of your Active Directory (AD) group.

To configure MFA globally based on users' group membership data

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    $MfaClaimRule = "c:[Type == `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`", Value == `"group_SID`"]
     => issue(Type = `"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`", Value = `"http://schemas.microsoft.com/claims/multipleauthn`");"
    Set-AdfsAdditionalAuthenticationRule $MfaClaimRule

Note

Make sure to replace <group_SID> with the value of the SID of your AD group.

To configure MFA globally based on the user's location

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    $MfaClaimRule = "c:[Type == `"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork`", Value == `"true_or_false`"]
     => issue(Type = `"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`", Value = `"http://schemas.microsoft.com/claims/multipleauthn`");"
    Set-AdfsAdditionalAuthenticationRule $MfaClaimRule

Note

Make sure to replace <true_or_false> with either true or false. The value depends on your specific rule condition, that is, whether the access request comes from the extranet or the intranet.

To configure MFA globally based on the user's device data

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    $MfaClaimRule = "c:[Type == `"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser`", Value == `"true_or_false`"]
     => issue(Type = `"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`", Value = `"http://schemas.microsoft.com/claims/multipleauthn`");"
    Set-AdfsAdditionalAuthenticationRule $MfaClaimRule

Note

Make sure to replace <true_or_false> with either true or false. The value depends on your specific rule condition, that is, whether the device is workplace-joined or not.

To configure MFA globally if the access request comes from the extranet and from a non-workplace-joined device

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    Set-AdfsAdditionalAuthenticationRule "c:[Type == `"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser`", Value == `"true_or_false`"] && c2:[Type == `"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork`", Value == `"true_or_false`"] => issue(Type = `"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`", Value = `"http://schemas.microsoft.com/claims/multipleauthn`");"

Note

Make sure to replace both instances of <true_or_false> with either true or false, depending on your specific rule conditions. The rule conditions are based on whether the device is workplace-joined or not and whether the access request comes from the extranet or the intranet.

To configure MFA globally if access comes from an extranet user that belongs to a certain group

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    Set-AdfsAdditionalAuthenticationRule "c:[Type == `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`", Value == `"group_SID`"] && c2:[Type == `"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork`", Value == `"true_or_false`"] => issue(Type = `"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`", Value = `"http://schemas.microsoft.com/claims/multipleauthn`");"

Note

Make sure to replace <group_SID> with the value of the group SID and <true_or_false> with either true or false, depending on your specific rule condition, that is, whether the access request comes from the extranet or the intranet.

To grant access to an application based on user data via Windows PowerShell

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    $rp = Get-AdfsRelyingPartyTrust -Name relying_party_trust

Note

Make sure to replace <relying_party_trust> with the name of your relying party trust.

  2. In the same Windows PowerShell command window, run the following command. This rule denies users who are members of the group; the issuance authorization rules replace any rules that were previously set on the trust.

    $GroupAuthzRule = "@RuleTemplate = `"Authorization`" @RuleName = `"Foo`" c:[Type == `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`", Value =~ `"^(?i)<group_SID>$`"] => issue(Type = `"http://schemas.microsoft.com/authorization/claims/deny`", Value = `"DenyUsersWithClaim`");"
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $GroupAuthzRule

Note

Make sure to replace <group_SID> with the value of the SID of your AD group.

To grant access to an application that is secured by AD FS only if this user's identity was validated with MFA

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    $rp = Get-AdfsRelyingPartyTrust -Name relying_party_trust

Note

Make sure to replace <relying_party_trust> with the name of your relying party trust.

  2. In the same Windows PowerShell command window, run the following commands. The rule string spans several lines; PowerShell keeps the line breaks inside the double-quoted string, which the claim rule language accepts.

    $GroupAuthzRule = "@RuleTemplate = `"Authorization`"
    @RuleName = `"PermitAccessWithMFA`"
    c:[Type == `"http://schemas.microsoft.com/claims/authnmethodsreferences`", Value =~ `"^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$`"] => issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"PermitUsersWithClaim`");"
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $GroupAuthzRule
    

To grant access to an application that is secured by AD FS only if the access request comes from a workplace-joined device that is registered to the user

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    $rp = Get-AdfsRelyingPartyTrust -Name relying_party_trust

Note

Make sure to replace <relying_party_trust> with the name of your relying party trust.

  2. In the same Windows PowerShell command window, run the following commands.

    $GroupAuthzRule = "@RuleTemplate = `"Authorization`"
    @RuleName = `"PermitAccessFromRegisteredWorkplaceJoinedDevice`"
    c:[Type == `"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser`", Value =~ `"^(?i)true$`"] => issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"PermitUsersWithClaim`");"
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $GroupAuthzRule

To grant access to an application that is secured by AD FS only if the access request comes from a workplace-joined device that is registered to a user whose identity has been validated with MFA

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    $rp = Get-AdfsRelyingPartyTrust -Name relying_party_trust

Note

Make sure to replace <relying_party_trust> with the name of your relying party trust.

  2. In the same Windows PowerShell command window, run the following commands. Both conditions must hold for the permit claim to be issued.

    $GroupAuthzRule = "@RuleTemplate = `"Authorization`"
    @RuleName = `"RequireMFAOnRegisteredWorkplaceJoinedDevice`"
    c1:[Type == `"http://schemas.microsoft.com/claims/authnmethodsreferences`", Value =~ `"^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$`"] &&
    c2:[Type == `"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser`", Value =~ `"^(?i)true$`"] => issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"PermitUsersWithClaim`");"
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $GroupAuthzRule
    

To grant extranet access to an application secured by AD FS only if the access request comes from a user whose identity has been validated with MFA

  1. On your federation server, open the Windows PowerShell command window and run the following command.

    $rp = Get-AdfsRelyingPartyTrust -Name relying_party_trust

Note

Make sure to replace <relying_party_trust> with the name of your relying party trust.

  2. In the same Windows PowerShell command window, run the following commands. The insidecorporatenetwork value false identifies an extranet request.

    $GroupAuthzRule = "@RuleTemplate = `"Authorization`"
    @RuleName = `"RequireMFAForExtranetAccess`"
    c1:[Type == `"http://schemas.microsoft.com/claims/authnmethodsreferences`", Value =~ `"^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$`"] &&
    c2:[Type == `"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork`", Value =~ `"^(?i)false$`"] => issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"PermitUsersWithClaim`");"
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $GroupAuthzRule
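The per relying party trust MFA trigger (group membership plus extranet location) and the MFA-gated issuance authorization rules from the procedures above, combined into one script that also reads the result back. This is an added example, not code from the original article; it assumes the ADFS module on a Windows Server 2012 R2 federation server, and the trust name "Claims App" and the group CONTOSO\Finance are placeholders.

```powershell
# Added example, not code from the original article. Assumes the ADFS module on a
# Windows Server 2012 R2 federation server; the trust name and group are placeholders.
$RpName    = "Claims App"        # placeholder: display name of your relying party trust
$GroupName = "CONTOSO\Finance"   # placeholder: DOMAIN\Group that is enrolled for MFA

# Resolve the group SID with .NET rather than pasting it by hand.
$GroupSid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Claim types and values used by the rules on this page.
$GroupSidClaim   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$InsideCorpClaim = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$AuthMethodClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$AuthnRefsClaim  = "http://schemas.microsoft.com/claims/authnmethodsreferences"
$PermitClaim     = "http://schemas.microsoft.com/authorization/claims/permit"
$MfaValue        = "http://schemas.microsoft.com/claims/multipleauthn"

# Here-strings keep the claim-rule quotes literal, so no backtick escaping is needed.
# Additional authentication rule: group members coming from the extranet are prompted for MFA.
$MfaTriggerRules = @"
@RuleName = "RequireMfaForGroupFromExtranet"
c1:[Type == "$GroupSidClaim", Value == "$GroupSid"]
 && c2:[Type == "$InsideCorpClaim", Value == "false"]
 => issue(Type = "$AuthMethodClaim", Value = "$MfaValue");
"@

# Issuance authorization rules: AD FS denies unless a permit claim is issued, so this
# rule set fails closed. Intranet users are permitted; extranet users are permitted only
# if the token records that MFA was performed. Extranet users outside the group are never
# prompted for MFA by the trigger rule above and therefore never receive a token.
$AuthzRules = @"
@RuleName = "PermitFromIntranet"
c:[Type == "$InsideCorpClaim", Value == "true"]
 => issue(Type = "$PermitClaim", Value = "PermitUsersWithClaim");

@RuleName = "PermitWithMfa"
c:[Type == "$AuthnRefsClaim", Value =~ "^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$"]
 => issue(Type = "$PermitClaim", Value = "PermitUsersWithClaim");
"@

# The MFA trigger has nothing to invoke unless an additional method is enabled globally.
$Policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $Policy.AdditionalAuthenticationProvider) {
    throw "No additional authentication provider is enabled; run Set-AdfsGlobalAuthenticationPolicy first."
}

$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' was not found." }

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp `
    -AdditionalAuthenticationRules $MfaTriggerRules `
    -IssuanceAuthorizationRules $AuthzRules

# Read the trust back and show exactly what the federation service will enforce.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
"--- Additional authentication rules ---"
$rp.AdditionalAuthenticationRules
"--- Issuance authorization rules ---"
$rp.IssuanceAuthorizationRules
```

Setting the rules replaces whatever rule set the trust had before, so keep a copy of the previous AdditionalAuthenticationRules and IssuanceAuthorizationRules values if you need to roll back.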

Additional references

AD FS Operations