ADFS/WAP - Applying Access Control Policy to WAP only?

divadiow 1 Reputation point
2020-07-13T12:40:28.337+00:00

I need to restrict external ADFS access through the WAP to a certain relying party trust (365 federation) to only those in a particular AD group. I need all other internal ADFS requests to remain as "permit all"

Can I apply a policy to the WAPs only for a single relying party?


2 answers

  1. Marilee Turscak-MSFT 36,841 Reputation points Microsoft Employee
    2020-07-13T20:14:22.073+00:00

    Your non-Office 365 apps which utilize ADFS for authentication won't be able to use the Azure AD conditional access policies. You'll need to set up access control policies within ADFS for them since the auth requests for those apps don't touch Azure AD.

    If you look at this chart you'll see that conditional access isn't supported with WAP. Web Application Proxy is only preferred in scenarios that require a proxy server for AD FS. If you want to make use of Conditional Access you need to modify the federation to use Azure AD instead of ADFS.

    Official documentation:

    https://video2.skills-academy.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

    https://video2.skills-academy.com/en-us/azure/active-directory/manage-apps/application-proxy-migration

    A good blog post on this topic.


  2. divadiow 1 Reputation point
    2020-08-03T19:17:32.19+00:00

    OK thank you.

    I think I'm being dumb.

    I want to allow access to a particular RPT from:

    1. everyone internally
    2. only those in a particular AD group over the internet

    I've a single Access Control Policy with two rules:

    1. Permit Users - from intranet network
    2. Permit Users - from internet network - and from DOMAIN\ADGROUP group

    The text above the rules states "permit access if any of the following rules are met".

    Are the conditions on the second rule not correct for allowing users in a certain group external access? Intranet access is fine.
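    The same two-rule policy, written out as AD FS issuance authorization rules in claim rule language and applied to one relying party trust only, as an added example that is not from either participant in this thread. It assumes the RPT display name and the group SID shown as placeholders; the "insidecorporatenetwork" claim is false for requests that arrive through the WAP, which is what separates rule 2 from rule 1.

```powershell
# Added example: restrict ONE relying party trust so that intranet users are always
# permitted and internet (WAP) users are permitted only if they are in a specific AD group.
# All other RPTs are left untouched, so they keep their existing "permit all" policy.
$rptName  = 'Microsoft Office 365 Identity Platform'   # assumption: display name of the RPT to restrict
$groupSid = 'S-1-5-21-REPLACE-WITH-YOUR-GROUP-SID'     # placeholder: SID of DOMAIN\ADGROUP
# To resolve the SID instead of pasting it (needs the ActiveDirectory module):
#   $groupSid = (Get-ADGroup 'ADGROUP').SID.Value

# Matching on the group SID rather than the group name avoids false positives from
# similarly named groups and survives a group rename.
$rules = @"
@RuleName = "Rule 1: permit everyone from the intranet"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Rule 2: permit members of DOMAIN\ADGROUP from the internet"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$groupSid$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# On AD FS 2016 and later an assigned access control policy takes precedence over
# custom rules, so detach the policy from this RPT before writing the rules.
Set-AdfsRelyingPartyTrust -TargetName $rptName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rptName -IssuanceAuthorizationRules $rules

# Verify that only this RPT carries the restriction and that the rules were stored.
Get-AdfsRelyingPartyTrust -Name $rptName |
    Select-Object Name, AccessControlPolicyName, IssuanceAuthorizationRules
```

Test with one account that is in the group and one that is not, each from inside and from outside the network; a denied external sign-in shows up in the AD FS Admin and Security event logs, which is the place to confirm which rule actually fired.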

