PS C:\Users\administrator.abc> Get-AdfsRelyingPartyTrust -name "Microsoft office 365 identity platform worldwide" | FL * AllowedAuthenticationClassReferences : {} EncryptionCertificateRevocationCheck : CheckChainExcludeRoot PublishedThroughProxy : False SigningCertificateRevocationCheck : CheckChainExcludeRoot WSFedEndpoint : https://login.microsoftonline.com/login.srf AdditionalWSFedEndpoint : {} ClaimsProviderName : {} ClaimsAccepted : {} EncryptClaims : True Enabled : True EncryptionCertificate : Identifier : {https://login.microsoftonline.com/extSTS.srf, https://login.windows.net/, urn:federation:MicrosoftOnline} NotBeforeSkew : 0 EnableJWT : False AlwaysRequireAuthentication : False Notes : OrganizationInfo : ObjectIdentifier : xxxxx-c850-eb11-b7f0-000c29db6547 ProxyEndpointMappings : {} ProxyTrustedEndpoints : {} ProtocolProfile : WsFed-SAML RequestSigningCertificate : {} EncryptedNameIdRequired : False SignedSamlRequestsRequired : False SamlEndpoints : {} SamlResponseSignature : AssertionOnly SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 TokenLifetime : 0 AllowedClientTypes : Public, Confidential IssueOAuthRefreshTokensTo : AllDevices RefreshTokenProtectionEnabled : True RequestMFAFromClaimsProviders : False ScopeGroupId : Name : Microsoft Office 365 Identity Platform Worldwide AutoUpdateEnabled : True MonitoringEnabled : True MetadataUrl : https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml ConflictWithPublishedPolicy : False IssuanceAuthorizationRules : IssuanceTransformRules : @RuleName = "Issue UPN" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN"), query = "samAccountName={0};userPrincipalName;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value); @RuleName = "Query objectguid and msdsconsistencyguid for custom ImmutableId claim" c:[Type == 
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2016/02/identity/claims/objectguid", "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"), query = "samAccountName={0};objectGUID,mS-DS-ConsistencyGuid;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value); @RuleName = "Check for the existence of msdsconsistencyguid" NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"]) => add(Type = "urn:federation:tmp/idflag", Value = "useguid"); @RuleName = "Issue msdsconsistencyguid as Immutable ID if it exists" c:[Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"] => issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c.Value); @RuleName = "Issue objectGuidRule if msdsConsistencyGuid rule does not exist" c1:[Type == "urn:federation:tmp/idflag", Value =~ "useguid"] && c2:[Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/objectguid"] => issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c2.Value); @RuleName = "Issue nameidentifier" c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"); @RuleName = "Issue accounttype for domain-joined computers" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ"); @RuleName = "Issue AccountType with the value USER when it is not a computer account" NOT 
EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ"]) => add(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "User"); @RuleName = "Issue issuerid when it is not a computer account" c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"] && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "User"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c1.Value, "(?i)(^([^@]+)@)(?<domain>(abc\.com|abcd\.com))$", "http://${domain}/adfs/services/trust/")); @RuleName = "Issue issuerid for DJ computer auth" c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http://abc.com/adfs/services/trust/"); @RuleName = "Issue onpremobjectguid for domain-joined computers" c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query = ";objectguid;{0}", param = c2.Value); @RuleName = "Pass through primary SID" c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c2); @RuleName = "Pass through claim - insideCorporateNetwork" c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(claim = c); @RuleName = "Pass Through Claim - Psso" c:[Type == "http://schemas.microsoft.com/2014/03/psso"] => 
issue(claim = c); @RuleName = "Issue Password Expiry Claims" c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"] => issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value); @RuleName = "Pass through claim - authnmethodsreferences" c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"] => issue(claim = c); @RuleName = "Pass through claim - multifactorauthenticationinstant" c:[Type == "http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactorauthenticationinstant"] => issue(claim = c); @RuleName = "Pass through claim - certificate authentication - serial number" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"] => issue(claim = c); @RuleName = "Pass through claim - certificate authentication - issuer" c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"] => issue(claim = c); DelegationAuthorizationRules : LastPublishedPolicyCheckSuccessful : True LastUpdateTime : 1/18/2021 5:18:36 PM LastMonitoredTime : 2/10/2021 5:23:44 PM ImpersonationAuthorizationRules : AdditionalAuthenticationRules : AccessControlPolicyName : Cust - Permit Everyone from Intranet and ActiveSync from outside AccessControlPolicyParameters : ResultantPolicy : RequireFreshAuthentication:False IssuanceAuthorizationRules: { Permit users from IP range '192.168.0.0/20'; Permit users with 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application' claim equals to 'Microsoft.Exchange.ActiveSync' in the request; Permit users with 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip' claim equals to '111.222.333.444' in the request } PS C:\Users\administrator.abc>