Update-ADFS_RelyingPartyTrust.ps1

#Requires -RunAsAdministrator
#Requires -Version 5.0

<#
     .SYNOPSIS
        Update ADFS Relying Party Trust configuration.
    .DESCRIPTION
        Update ADFS Relying Party Trust configuration for SecureMfa Threat Detection Module. Apply customised MFA configuration for Relying Party.
 
        Dependencies:
        Windows 2019 ADFS service or later.
 
    .NOTES
        Version: 2.0.0.4
        Author: SecureMfa.com
        Creation Date: 02/08/2021
        Purpose/Change: Incorporated into PS module
   
    .EXAMPLE
        Update-ADFS_RelyingPartyTrust -RP_Name 'claimapp4' -RPmode 'SecureMFA_TDM'
 
        This command will update the ADFS RelyingPartyTrust configuration to work with the SecureMfa Threat Detection Module by converting the existing Access Control Policy to a compatible IssuanceAuthorizationPolicy.
 
    .EXAMPLE
        Update-ADFS_RelyingPartyTrust -RP_Name 'claimapp4' -RPmode 'None' -SecureMfaOtpProvider -CertificateAuthentication
 
        This command will update ADFS RelyingPartyTrust configuration to use "SecureMFA OTP Provider" and "Certificate authentication" for second-factor authentication. All other MFA providers will not be visible for users when accessing the updated Relying Party.
            
#>

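Function Update-ADFS_RelyingPartyTrust {
    Param
    (
        [Parameter(Mandatory=$true)][string]$RP_Name,
        [Parameter(Mandatory=$false)][ValidateSet('SecureMFA_TDM','None')][string]$RPmode='SecureMFA_TDM',
        [Parameter(Mandatory=$false)][Switch]$SecureMfaOtpProvider,
        [Parameter(Mandatory=$false)][Switch]$SecureMfaEmailOtpProvider,
        [Parameter(Mandatory=$false)][Switch]$SecureMfaApiOtpProvider,
        [Parameter(Mandatory=$false)][Switch]$AzureMfaAuthentication,
        [Parameter(Mandatory=$false)][Switch]$CertificateAuthentication,
        [Parameter(Mandatory=$false)][Switch]$MicrosoftPassportAuthentication,
        [Parameter(Mandatory=$false)][Switch]$FormsAuthentication,
        [Parameter(Mandatory=$false)][Switch]$WindowsAuthentication,
        [Parameter(Mandatory=$false)][Switch]$DeviceAuthentication,
        [Parameter(Mandatory=$false)][Switch]$AzurePrimaryAuthentication,
        [Parameter(Mandatory=$false)][Switch]$Force
    )

    # Claim types and values shared by the rules generated below.
    $RiskScoreClaim      = 'http://schemas.microsoft.com/ws/2017/04/identity/claims/riskscore'
    $AuthMethodClaim     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
    $AuthnProvidersClaim = 'http://schemas.microsoft.com/claims/authnmethodsproviders'
    $MultipleAuthn       = 'http://schemas.microsoft.com/claims/multipleauthn'

    # Issuance authorization rule that permits every authenticated user. Both modes apply it,
    # so any restriction the relying party's Access Control Policy enforced before (group,
    # network or device conditions) is dropped; only the additional authentication (MFA)
    # rules written below remain as a gate. Callers should be aware of that before running.
    $PermitAllIssuanceRule = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

    # Provider switches in evaluation order. The order is preserved in the generated rules,
    # in the global provider list and in the completion message.
    $providerSwitches = [ordered]@{
        FormsAuthentication             = $FormsAuthentication.IsPresent
        WindowsAuthentication           = $WindowsAuthentication.IsPresent
        CertificateAuthentication       = $CertificateAuthentication.IsPresent
        DeviceAuthentication            = $DeviceAuthentication.IsPresent
        AzurePrimaryAuthentication      = $AzurePrimaryAuthentication.IsPresent
        AzureMfaAuthentication          = $AzureMfaAuthentication.IsPresent
        MicrosoftPassportAuthentication = $MicrosoftPassportAuthentication.IsPresent
        SecureMfaOtpProvider            = $SecureMfaOtpProvider.IsPresent
        SecureMfaEmailOtpProvider       = $SecureMfaEmailOtpProvider.IsPresent
        SecureMfaApiOtpProvider         = $SecureMfaApiOtpProvider.IsPresent
    }

    try
    {
        # Clears the session-wide $Error collection so only errors from this run are visible.
        $Error.Clear()

        if (-not $Force) {
            $message  = "Do you want to update ADFS RelyingPartyTrust " + $RP_Name + " ?"
            $question = 'Please confirm?'
            $choices  = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription]
            $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes'))
            $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&No'))
            $decision = $Host.UI.PromptForChoice($message, $question, $choices, 0)
            if ($decision -eq 1) {
                # 'return' rather than 'break': a 'break' outside a loop propagates to the
                # caller and would abort any loop this function is being invoked from.
                Write-Host "ADFS RelyingPartyTrust configuration has been cancelled, exiting!" -ForegroundColor Yellow
                return
            }
        }

        # Validate that the relying party exists before touching anything.
        $relyingParty = Get-AdfsRelyingPartyTrust -Name $RP_Name
        if (-not $relyingParty) {
            throw "RelyingPartyTrust $RP_Name doesn't exist. Please use a valid RelyingPartyTrust name and try again. "
        }

        # Resolve the selected providers up front so that a 'None' invocation without any
        # provider switch fails BEFORE the Access Control Policy is removed. Validating after
        # the removal would leave the relying party permit-all with its MFA rules untouched.
        [string[]]$selectedProviders = @($providerSwitches.Keys | Where-Object { $providerSwitches[$_] })
        if ($RPmode -eq 'None' -and $selectedProviders.Count -eq 0) {
            throw "RelyingPartyTrust $RP_Name cannot update with no MFA providers. Please use a switch for the MFA provider and try again. "
        }

        # Start RP update: clear the Access Control Policy so explicit issuance authorization
        # rules can be applied, then permit every authenticated user (see note above).
        $relyingParty | Set-AdfsRelyingPartyTrust -AccessControlPolicyName $null
        Set-AdfsRelyingPartyTrust -TargetName $RP_Name -IssuanceAuthorizationRules $PermitAllIssuanceRule

        if ($RPmode -eq 'SecureMFA_TDM') {
            # Demand a second factor for each risk score value the Threat Detection Module
            # can emit. 'notevaluated' is included so a skipped evaluation never bypasses MFA.
            # A request that carries no riskscore claim at all matches none of these rules.
            $tdmRule = (@('low', 'medium', 'high', 'notevaluated') | ForEach-Object {
                "exists([Type == `"$RiskScoreClaim`", Value == `"$_`"])=>issue(Type = `"$AuthMethodClaim`", Value = `"$MultipleAuthn`");"
            }) -join ' '
            Set-AdfsRelyingPartyTrust -TargetName $RP_Name -AdditionalAuthenticationRules $tdmRule

            Write-Host "ADFS RelyingPartyTrust $RP_Name has been configured with SecureMfa Threat Detection Module IssuanzeAuthorizationPolicy." -ForegroundColor Green
        }
        else
        {
            # Always require a second factor, then name each selected provider explicitly.
            $additionalAuthenticationRule = "c:[] =>issue(Type = `"$AuthMethodClaim`",Value = `"$MultipleAuthn`");"
            foreach ($provider in $selectedProviders) {
                $additionalAuthenticationRule += "c:[] => issue(Type = `"$AuthnProvidersClaim`",Value = `"$provider`");"
            }
            Set-AdfsRelyingPartyTrust -TargetName $RP_Name -AdditionalAuthenticationRules $additionalAuthenticationRule

            # NOTE(review): this sets the farm-wide list of enabled additional authentication
            # providers, not a per-relying-party list. Other relying parties that depend on a
            # provider omitted here lose it. Confirm that scope is intended before relying on
            # the help text's "for the updated Relying Party" wording.
            Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $selectedProviders

            # Providers are listed comma-separated; the previous message ran the names together.
            Write-Host "ADFS RelyingPartyTrust $RP_Name has been configured with custom MFA providers: $($selectedProviders -join ', ')" -ForegroundColor Green
        }
    }
    catch
    {
        # Failures are reported on the host stream only, so callers cannot detect them via
        # $? or -ErrorAction; switch to Write-Error if unattended automation needs that signal.
        Write-Host "$($MyInvocation.InvocationName): $_" -ForegroundColor red
    }
}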