X-Guardian / AdfsDsc

DSC resources for deployment and configuration of Active Directory Federation Services
MIT License

AdfsWebApiApplication: Add Support for Access Control Policy Parameters #19

Closed X-Guardian closed 4 years ago

X-Guardian commented 4 years ago

The AdfsWebApiApplication resource needs to support Access Control Policy Parameters.

New resource property required:

| Property Name | Type | Description |
| --- | --- | --- |
| AccessControlPolicyParameters | MSFT_AdfsAccessControlPolicyParameters | Specifies the parameters and their values to pass to the Access Control Policy. |

The MSFT_AdfsAccessControlPolicyParameters class would contain the following properties:

| Parameter | Type | ValueMap | Description |
| --- | --- | --- | --- |
| GroupParameter | String Array | | Specifies the group parameter |

This is enough to provide support for the built-in Access Control Policies and the ability to later add support for custom Access Control Policies.

Here are details of the built-in Access Control Policies and what parameters they take:

AccessControlPolicyName                                              AccessControlPolicyParameters
-----------------------                                              -----------------------------
Permit everyone
Permit everyone and require MFA
Permit everyone and require MFA for specific group                   {GroupParameter}
Permit everyone and require MFA from extranet access
Permit everyone and require MFA from unauthenticated devices
Permit everyone and require MFA, allow automatic device registration
Permit everyone for intranet access
Permit specific group                                                {GroupParameter}

Example AccessControlPolicyParameters property:

AccessControlPolicyParameters = MSFT_AdfsAccessControlPolicyParameters
    @{
        GroupParameter = @(
            'CONTOSO\AppGroup1 Users'
            'CONTOSO\AppGroup1 Admins'
        )
    }
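
The table of built-in policies above can be turned into a pre-flight check that flags a policy configured without the group it needs, or with a group it does not take. This is an added example, not code from the issue or from AdfsDsc; the function name `Get-AcpParameterProblem` and the `$BuiltInPolicyParameters` map are hypothetical, and the sample inputs are constructed.

```powershell
# Added example: hypothetical pre-flight check, not part of AdfsDsc.
# Built-in policy name -> parameters it takes, copied from the table in the issue.
$BuiltInPolicyParameters = @{
    'Permit everyone'                                                      = @()
    'Permit everyone and require MFA'                                      = @()
    'Permit everyone and require MFA for specific group'                   = @('GroupParameter')
    'Permit everyone and require MFA from extranet access'                 = @()
    'Permit everyone and require MFA from unauthenticated devices'         = @()
    'Permit everyone and require MFA, allow automatic device registration' = @()
    'Permit everyone for intranet access'                                  = @()
    'Permit specific group'                                                = @('GroupParameter')
}

function Get-AcpParameterProblem {
    [CmdletBinding()]
    [OutputType([string[]])]
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [hashtable] $Parameters = @{}
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    if (-not $BuiltInPolicyParameters.ContainsKey($PolicyName)) {
        # Custom policies are outside the table, so nothing can be asserted about them.
        $problems.Add("'$PolicyName' is not a built-in policy; its parameters cannot be checked.")
        return $problems.ToArray()
    }
    $expected = $BuiltInPolicyParameters[$PolicyName]
    foreach ($name in $expected) {
        # Treat a missing key, an empty array and blank strings all as "not supplied".
        $values = @($Parameters[$name]) | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
        if (-not $values) { $problems.Add("'$PolicyName' requires a non-empty $name.") }
    }
    foreach ($name in $Parameters.Keys) {
        if ($name -notin $expected) { $problems.Add("'$PolicyName' does not take $name.") }
    }
    return $problems.ToArray()
}

# Constructed sample inputs: a group policy with no group, a parameterless
# policy given a group, and a correctly parameterised group policy.
Get-AcpParameterProblem -PolicyName 'Permit specific group'
Get-AcpParameterProblem -PolicyName 'Permit everyone' -Parameters @{
    GroupParameter = @('CONTOSO\AppGroup1 Users')
}
Get-AcpParameterProblem -PolicyName 'Permit specific group' -Parameters @{
    GroupParameter = @('CONTOSO\AppGroup1 Users', 'CONTOSO\AppGroup1 Admins')
}
```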