AdSync and ADFS access during a non-business hour

Using AD Logon Restrictions along with ADFS/Directory Sync works fine to block OWA access during a non-business-hour schedule, because a user is unable to log in through the web form. Users are still able to conduct e-mail business on their smartphones through ActiveSync during those non-business hours, though. We need to prevent ActiveSync from syncing to Office 365 based on a timed schedule of when it would and would not work. This should also be based on security groups and not just an all-or-nothing approach.

Reply of a user in an old discussion:

ActiveSync requests hit a different endpoint on the AD FS, so make sure you have included it. I'm not sure that you can avoid the token caching, however (i.e. a user who logs in 10 mins before the restrictions are in effect will be happily using the mobile device for the next few hours).

Has someone already managed to configure ActiveSync so that it complies with the same authentication rules as OWA?

As someone already replied, once the client (Outlook, ActiveSync, whatever) has a valid token, it can continue accessing the service until the token expires, without contacting your AD FS server.

In your case (French laws?), you can probably run a script that disables certain email protocols every night and re-enables them in the morning, but that's surely gonna cause some havoc. Your legislators are certainly not in their right minds :)


The token validity time I managed to change, using the command:

Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval 00:05:00

Every 5 minutes OWA, Skype for Business and Outlook request the password, and if it is saved they only ask for confirmation; Outlook does it automatically.

My problem is with the Android and iOS phones, which seem to ignore the command; I can even set up a new account on any of these devices during the time when the service is locked in AD.

I'm trying to do the scripts to:

Set-CASMailbox -Identity (user) -ActiveSyncEnabled $false (and $true), yet without success.

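The earlier reply suggested a scheduled script that disables certain e-mail protocols every night and re-enables them in the morning, and the post above tried to do exactly that with Set-CASMailbox. The following is an added example, not code from the thread or from Microsoft, of how such a scheduler could look for Exchange Online: it reads the members of a mail-enabled security group (the group name SG-AfterHoursRestricted and the 08:00-18:00 weekday window are assumptions), compares each mailbox's current ActiveSyncEnabled state with what the schedule says it should be, changes only the mailboxes that differ, and writes an audit line for every change. It assumes the ExchangeOnlineManagement module is installed and that the account running it has the Exchange rights to call Set-CASMailbox.

```powershell
# Added example (not from the thread). Assumptions: a mail-enabled security group
# named 'SG-AfterHoursRestricted', business hours 08:00-18:00 Mon-Fri, and the
# ExchangeOnlineManagement module. Run it from a scheduled task at the schedule
# boundaries (e.g. 08:00 and 18:00) or every hour; it is idempotent.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName         = 'SG-AfterHoursRestricted',   # hypothetical group
    [int]   $BusinessStartHour = 8,
    [int]   $BusinessEndHour   = 18,
    [string]$LogPath           = "$env:ProgramData\ActiveSyncSchedule.log"
)

# Returns $true when the given time falls inside the business-hours window.
function Test-BusinessHours {
    param([datetime]$Now = (Get-Date), [int]$Start, [int]$End)
    $weekday = $Now.DayOfWeek.ToString() -notin @('Saturday', 'Sunday')
    return ($weekday -and $Now.Hour -ge $Start -and $Now.Hour -lt $End)
}

# Appends a timestamped line to the audit log so every state change is traceable.
function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

Import-Module ExchangeOnlineManagement -ErrorAction Stop
# Interactive sign-in shown here; a scheduled task should use certificate-based
# app-only auth instead (-AppId / -CertificateThumbprint / -Organization).
Connect-ExchangeOnline -ShowBanner:$false

try {
    $shouldBeEnabled = Test-BusinessHours -Start $BusinessStartHour -End $BusinessEndHour
    Write-Log "Run started; schedule says ActiveSyncEnabled should be $shouldBeEnabled"

    $members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited

    foreach ($member in $members) {
        $id  = $member.PrimarySmtpAddress
        if (-not $id) { continue }                       # skip non-mail objects
        $cas = Get-CASMailbox -Identity $id -ErrorAction SilentlyContinue
        if (-not $cas) { Write-Log "SKIP $id (no CAS mailbox)"; continue }

        # Only touch mailboxes whose current state differs from the schedule.
        if ($cas.ActiveSyncEnabled -ne $shouldBeEnabled) {
            if ($PSCmdlet.ShouldProcess($id, "Set ActiveSyncEnabled=$shouldBeEnabled")) {
                Set-CASMailbox -Identity $id -ActiveSyncEnabled $shouldBeEnabled
                Write-Log "CHANGED $id ActiveSyncEnabled $($cas.ActiveSyncEnabled) -> $shouldBeEnabled"
            }
        }
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
    Write-Log 'Run finished'
}
```

Because the script is built on SupportsShouldProcess, running it with -WhatIf lists which mailboxes would be toggled without changing anything, which is the sensible first run against a new group. As the earlier reply notes, blocking the logon at AD FS does not invalidate tokens a device already holds; toggling ActiveSyncEnabled on the mailbox is a server-side setting rather than a token check, which is why the thread turned to it, but it still only takes effect once Exchange Online has propagated the change, so schedule the task a little ahead of the boundary you actually want enforced and read the log to confirm the state flipped.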

Hi KleberAdriano,

For the ADFS Logon Restrictions configuration queries, we suggest you contact the Active Directory Federation Services Support Forum for dedicated assistance.

*Note: On June 17th, this community is migrating to Microsoft Community at http://answers.microsoft.com. If you need further assistance, please post a new question to the Office 365 for business forum beginning June 18th Pacific Time. Thank you for your understanding.

Best Regards,
Alex


Last updated March 23, 2022