Block access to all relying parties

Alex Negroiu 21 Reputation points
2020-07-22T10:52:59.413+00:00

Hi,

I'm curious if there is any way of blocking access to all relying parties on an ADFS instance (Windows Server 2012 R2), by denying access based on an incoming claim.
I know that according to the documentation a deny rule can be implemented based on a specific attribute (e.g. user is a member of a specific group). However, that needs to be configured on each relying party.
I would be interested in finding if there is a mechanism through which this deny rule can be applied once globally and it will cover both existing relying parties and new ones that might show up in the future.
The best that I can think of is creating a PowerShell script that will run inside a scheduled task (let's say daily), it checks all relying parties for the existence of this rule (including newly added RPs), and if the rule is not there it will add it to the RP.
Is there a better approach than the scheduled PowerShell script?

Thanks.

Active Directory Federation Services

Accepted answer
    Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2020-07-23T03:06:18.56+00:00

    It has to be done per RP. You could create a group, issue a deny claim if a user is a member of that group and set that on all RPs. You don't need a scheduled task, you can just add or remove users from that group.

    Or, you could add the user account to the local policy "Deny access to this computer from the network" and the user cannot use ADFS altogether :)
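    The group-based deny rule from the accepted answer, combined with the questioner's idea of a script that checks every relying party and adds the rule where it is missing, looks like this as an added example (this is not code from the thread or from Microsoft). It assumes a hypothetical AD group named ADFS-Blocked-Users, that it runs on the primary federation server with the ActiveDirectory and ADFS PowerShell modules available, and that the Active Directory claims provider trust passes group SID claims through (the default acceptance rules on 2012 R2 do).

```powershell
# Added example, not from the original thread: give every relying party trust on a
# Windows Server 2012 R2 AD FS farm an issuance authorization rule that denies
# members of one AD group. Run on the primary federation server as an AD FS admin.
# Assumptions: the group "ADFS-Blocked-Users" exists in AD (name is hypothetical),
# the ActiveDirectory and ADFS modules are installed, and the AD claims provider
# trust passes through group SID claims (true for the default acceptance rules).

Import-Module ActiveDirectory
Import-Module ADFS

$blockedGroupName = 'ADFS-Blocked-Users'            # hypothetical group name
$ruleName         = 'Deny members of ADFS-Blocked-Users'

# Resolve the group to its SID. The groupsid claim carries SIDs, not names, so
# matching on the SID keeps working if the group is renamed later.
$groupSid = (Get-ADGroup -Identity $blockedGroupName).SID.Value

# Claim rule in AD FS claim rule language. An issued deny claim always wins over
# permit claims, so this blocks the user regardless of the RP's other rules.
$denyRule = @"
@RuleName = "$ruleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $existing = [string]$rp.IssuanceAuthorizationRules

    # Idempotent: skip RPs that already carry the rule (matched by rule name), so
    # the script can be re-run from a scheduled task to pick up newly added RPs.
    if ($existing -like "*@RuleName = `"$ruleName`"*") {
        Write-Verbose "Rule already present on '$($rp.Name)'"
        continue
    }

    # Prepend the deny rule; the RP's existing rules (typically "Permit all users")
    # stay in place unchanged.
    $newRules = $denyRule + "`n" + $existing

    Set-AdfsRelyingPartyTrust -TargetName $rp.Name -IssuanceAuthorizationRules $newRules
    Write-Output "Added deny rule to '$($rp.Name)'"
}
```

    Day to day, blocking or unblocking a user is then just a group membership change, as the answer says; the script only needs to run again when a new relying party trust is created, and because it skips RPs that already have the rule it is safe to run on a schedule.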

