Hi,
I'm curious if there is any way of blocking access to all relying parties on an ADFS instance (Windows Server 2012 R2), by denying access based on an incoming claim.
I know that according to the documentation a deny rule can be implemented based on a specific attribute (e.g. the user is a member of a specific group). However, that needs to be configured on each relying party.
I would be interested in finding out whether there is a mechanism through which this deny rule can be applied once, globally, so that it covers both existing relying parties and new ones that might show up in the future.
The best that I can think of is creating a PowerShell script that runs inside a scheduled task (let's say daily), checks all relying parties for the existence of this rule (including newly added RPs), and adds the rule to any RP where it is missing.
Is there a better approach than the scheduled PowerShell script?
Thanks.
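The scheduled-task approach described in the question, as an added example that is not the poster's script: it walks every relying party trust, looks for a marker rule name in the issuance authorization rules, and prepends a deny rule where it is missing. It assumes the AD FS PowerShell module and a placeholder group SID that has to be replaced with the real blocked group; the deny claim type overrides any permit rule on the same RP regardless of rule order.

```powershell
# Added example, not the poster's script. Assumes the AD FS module on
# Windows Server 2012 R2; $BlockedGroupSid is a placeholder to replace.
Import-Module ADFS

$BlockedGroupSid = 'S-1-5-21-REPLACE-WITH-BLOCKED-GROUP-SID'   # placeholder
$RuleName        = 'Global deny for blocked users'            # marker used to detect the rule

# Claim rule: members of the blocked group are issued the AD FS deny claim,
# which wins over any permit rule the relying party already carries.
$DenyRule = @"
@RuleName = "$RuleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$BlockedGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
"@

foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $existing = [string]$rp.IssuanceAuthorizationRules
    # Idempotency check: the marker rule name tells us the deny rule is already there.
    if ($existing.Contains("@RuleName = `"$RuleName`"")) {
        Write-Verbose "$($rp.Name): deny rule already present"
        continue
    }
    # Prepend the deny rule and keep the RP's own rules unchanged after it.
    $newRules = $DenyRule + [Environment]::NewLine + $existing
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $newRules
    Write-Output "$($rp.Name): deny rule added"
}
```

Because the task only runs on its schedule, a relying party created between two runs is unprotected until the next run; lowering the interval or triggering the script from the event that logs RP creation narrows that window.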