|
|
ADFS全称为Active Directory Federation Services,即活动目录联合服务,我们主要用来做账号登录认证。
为了方便对其策略进行配置,写了下面的脚本,必须在ADFS主服务器运行。
#------------------------------------------------------------------------------
#
# Copyright 2012 Microsoft Corporation. All rights reserved.
#
# THIS CODE AND ANY ASSOCIATED INFORMATION ARE PROVIDED “AS IS” WITHOUT
# WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT
# LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS
# FOR A PARTICULAR PURPOSE. THE ENTIRE RISK OF USE, INABILITY TO USE, OR
# RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
#
#------------------------------------------------------------------------------
#
# PowerShell Source Code
#
# NAME:
# Office 365 - Client Access Policy Builder.ps1
#
# VERSION:
# 1.0
#
#------------------------------------------------------------------------------
#----------------------------------------------
#region Import Assemblies
#----------------------------------------------
[void][Reflection.Assembly]::Load("System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][Reflection.Assembly]::Load("System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][Reflection.Assembly]::Load("System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
[void][Reflection.Assembly]::Load("mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][Reflection.Assembly]::Load("System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][Reflection.Assembly]::Load("System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][Reflection.Assembly]::Load("System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
#endregion Import Assemblies
#Define a Param block to use custom parameters in the project
#Param ($CustomParameter)
function Main {
Param ([String]$Commandline)
#Note: This function starts the application
#Note: $Commandline contains the complete argument string passed to the packager
#Note: $Args contains the parsed arguments passed to the packager (Type: System.Array)
#Note: To get the script directory in the Packager use: Split-Path $hostinvocation.MyCommand.path
#Note: To get the console output in the Packager (Windows Mode) use: $ConsoleOutput (Type: System.Collections.ArrayList)
#TODO: Initialize and add Function calls to forms
if((Call-MainForm_pff) -eq "OK")
{
}
$global:ExitCode = 0 #Set the exit code for the Packager
}
#region Call-MainForm_pff
function Call-MainForm_pff
{
#----------------------------------------------
#region Import the Assemblies
#----------------------------------------------
[void][reflection.assembly]::Load("System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][reflection.assembly]::Load("System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][reflection.assembly]::Load("System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
[void][reflection.assembly]::Load("mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][reflection.assembly]::Load("System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][reflection.assembly]::Load("System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][reflection.assembly]::Load("System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
#endregion Import Assemblies
#----------------------------------------------
#region Generated Form Objects
#----------------------------------------------
[System.Windows.Forms.Application]::EnableVisualStyles()
$MainForm = New-Object System.Windows.Forms.Form
$buttonBuild = New-Object System.Windows.Forms.Button
$buttonHelp = New-Object System.Windows.Forms.Button
$labelNotify = New-Object System.Windows.Forms.Label
$groupboxStep2 = New-Object System.Windows.Forms.GroupBox
$labelGroups = New-Object System.Windows.Forms.Label
$textboxGroups = New-Object System.Windows.Forms.TextBox
$groupboxIPSelection = New-Object System.Windows.Forms.GroupBox
$labelIPExplanation = New-Object System.Windows.Forms.Label
$labelRangeEndNotify = New-Object System.Windows.Forms.Label
$labelRangeBeginNotify = New-Object System.Windows.Forms.Label
$labelIPNotify = New-Object System.Windows.Forms.Label
$labelRangeHyphen = New-Object System.Windows.Forms.Label
$label9 = New-Object System.Windows.Forms.Label
$label8 = New-Object System.Windows.Forms.Label
$label7 = New-Object System.Windows.Forms.Label
$label6 = New-Object System.Windows.Forms.Label
$label5 = New-Object System.Windows.Forms.Label
$label4 = New-Object System.Windows.Forms.Label
$label3 = New-Object System.Windows.Forms.Label
$label2 = New-Object System.Windows.Forms.Label
$label1 = New-Object System.Windows.Forms.Label
$RangeOct8 = New-Object System.Windows.Forms.TextBox
$RangeOct7 = New-Object System.Windows.Forms.TextBox
$RangeOct6 = New-Object System.Windows.Forms.TextBox
$RangeOct5 = New-Object System.Windows.Forms.TextBox
$RangeOct4 = New-Object System.Windows.Forms.TextBox
$RangeOct3 = New-Object System.Windows.Forms.TextBox
$RangeOct2 = New-Object System.Windows.Forms.TextBox
$RangeOct1 = New-Object System.Windows.Forms.TextBox
$IPOct4 = New-Object System.Windows.Forms.TextBox
$IPOct3 = New-Object System.Windows.Forms.TextBox
$IPOct2 = New-Object System.Windows.Forms.TextBox
$IPOct1 = New-Object System.Windows.Forms.TextBox
$radiobuttonIPRange = New-Object System.Windows.Forms.RadioButton
$radiobuttonSingleIP = New-Object System.Windows.Forms.RadioButton
$radiobuttonBlockOnlyOutlook = New-Object System.Windows.Forms.RadioButton
$labelChooseOneOfTheExampl = New-Object System.Windows.Forms.Label
$radiobuttonBlockExceptEAS = New-Object System.Windows.Forms.RadioButton
$radiobuttonBlockExceptBrowser = New-Object System.Windows.Forms.RadioButton
$radiobuttonBlockAll = New-Object System.Windows.Forms.RadioButton
$radiobuttonBlockGroups = New-Object System.Windows.Forms.RadioButton
$groupboxStep1 = New-Object System.Windows.Forms.GroupBox
$labelClaimTypesNotify = New-Object System.Windows.Forms.Label
$labelAfterTheUpdateRollup = New-Object System.Windows.Forms.Label
$buttonCreateClaimTypeRules = New-Object System.Windows.Forms.Button
$InitialFormWindowState = New-Object System.Windows.Forms.FormWindowState
#endregion Generated Form Objects
#----------------------------------------------
# User Generated Script
#----------------------------------------------
$OnLoadFormEvent={
#Set vars
$Global:ErrorActionPreference = "SilentlyContinue"
$Global:IPisValid = $false
$Global:RangeBeginIsValid = $false
$Global:RangeEndIsValid = $false
$Global:IP = "1000.1000.1000.1000"
$Global:RangeBeginIP = "1000.1000.1000.1000"
$Global:RangeEndIP = "1000.1000.1000.1000"
$StopHere = $false
$Global:ClaimRuleLanguage = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Block all external access to Office 365"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"customer-provided public ip address regex"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
#Initialize UI
$radiobuttonBlockAll.Checked = $true
$radiobuttonSingleIP.Checked = $true
$RangeOct1.Enabled = $false
$RangeOct2.Enabled = $false
$RangeOct3.Enabled = $false
$RangeOct4.Enabled = $false
$RangeOct5.Enabled = $false
$RangeOct6.Enabled = $false
$RangeOct7.Enabled = $false
$RangeOct8.Enabled = $false
$IPOct1.Enabled = $true
$IPOct2.Enabled = $true
$IPOct3.Enabled = $true
$IPOct4.Enabled = $true
$groupboxStep2.Enabled = $false
$labelNotify.Visible = $false
$labelGroups.Visible = $false
$textboxGroups.Visible = $false
$buttonBuild.Enabled = $false
#Check to make sure this is an AD FS 2.0 server
$IsADFS = Get-Service ADFSSRV
If (!$IsADFS)
{
$StopHere = $true
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " The AD FS 2.0 Windows service was not found on this machine. "
$groupboxStep1.Enabled = $false
$groupboxStep2.Enabled = $false
$buttonBuild.Enabled = $false
}
#Check to make sure the AD FS 2.0 Windows service is running
If (($IsADFS.Status -ne "Running") -and (!$StopHere))
{
$StopHere = $true
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " AD FS 2.0 is not running. "
$groupboxStep1.Enabled = $false
$groupboxStep2.Enabled = $false
$buttonBuild.Enabled = $false
}
#Check if the AD FS 2.0 MMC is open
$ADFSMMC = Get-Process | Where {(($_.MainWindowTitle -eq "AD FS 2.0") -and ($_.Name -eq "mmc"))}
If (($ADFSMMC.GetType().Name -eq "Process") -and (!$StopHere))
{
$StopHere = $true
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Please close the AD FS 2.0 MMC console. "
$groupboxStep1.Enabled = $false
$groupboxStep2.Enabled = $false
$buttonBuild.Enabled = $false
}
#Add the AD FS 2.0 PSH snap-in
#check for Vista, 7, or 8
$OSVersion = [System.Environment]::OSVersion.Version
If (($OSVersion.Major -eq 6) -and ($OSVersion.Minor -eq 2))
{
#this is win8 and AD FS 2.1 is a server role
#import the AD FS 2.1 module
Import-Module ADFS -ErrorAction SilentlyContinue
If ((!((Get-Module ADFS).Name)) -and (!$StopHere))
{
$StopHere = $true
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " AD FS 2.0 PowerShell failed to load. "
$groupboxStep1.Enabled = $false
$groupboxStep2.Enabled = $false
$buttonBuild.Enabled = $false
}
}
Else
{
#this is win vista or 7 and AD FS 2.0 is an installed product
#add the AD FS 2.0 snap-in
Add-PsSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue
If ((!((Get-PSSnapin Microsoft.Adfs.Powershell).Name)) -and (!$StopHere))
{
$StopHere = $true
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " AD FS 2.0 PowerShell failed to load. "
$groupboxStep1.Enabled = $false
$groupboxStep2.Enabled = $false
$buttonBuild.Enabled = $false
}
}
}
function Validate-IsIP ([string] $IP)
{
$IsIP = $IP -match "\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
If (!$IsIP)
{
$buttonBuild.Enabled = $false
}
Return $IsIP
}
function IPTextChanged ()
{
#Combine texboxes into single string IP
$Global:IP = $IPOct1.Text+"."+$IPOct2.Text+"."+$IPOct3.Text+"."+$IPOct4.Text
#Call function to validate if this is a valid IP address
$Global:IPIsValid = Validate-IsIP($Global:IP)
#Change UI if this IP is valid or invalid
If ($Global:IPIsValid)
{
$labelIPNotify.Visible = $false
$buttonBuild.Enabled = $true
$labelNotify.Visible = $false
}
Else
{
$labelIPNotify.Visible = $true
$labelIPNotify.ForeColor = "Red"
$labelIPNotify.Text = " Invalid "
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Please enter a valid IP address "
}
}
function RangeBeginTextChanged ()
{
#Combine texboxes into single string IP
$Global:RangeBeginIP = $RangeOct1.Text+"."+$RangeOct2.Text+"."+$RangeOct3.Text+"."+$RangeOct4.Text
#Call function to validate if this is a valid IP address
$Global:RangeBeginIsValid = Validate-IsIP($Global:RangeBeginIP)
#Change UI if this IP is valid or invalid
If ($Global:RangeBeginIsValid)
{
$labelRangeBeginNotify.Visible = $false
}
Else
{
$labelRangeBeginNotify.Visible = $true
$labelRangeBeginNotify.ForeColor = "Red"
$labelRangeBeginNotify.Text = " Invalid "
}
#Change UI if the beginning and the end of the range are both valid
If (($Global:RangeBeginIsValid) -and ($Global:RangeEndIsValid))
{
$buttonBuild.Enabled = $true
$labelNotify.Visible = $false
}
Else
{
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Please enter a valid IP address "
}
}
function RangeEndTextChanged ()
{
#Combine texboxes into single string IP
$Global:RangeEndIP = $RangeOct5.Text+"."+$RangeOct6.Text+"."+$RangeOct7.Text+"."+$RangeOct8.Text
#Call function to validate if this is a valid IP address
$Global:RangeEndIsValid = Validate-IsIP($Global:RangeEndIP)
#Change UI if this IP is valid or invalid
If ($Global:RangeEndIsValid)
{
$labelRangeEndNotify.Visible = $false
}
Else
{
$labelRangeEndNotify.Visible = $true
$labelRangeEndNotify.ForeColor = "Red"
$labelRangeEndNotify.Text = " Invalid "
}
#Change UI if the beginning and the end of the range are both valid
If (($Global:RangeBeginIsValid) -and ($Global:RangeEndIsValid))
{
$buttonBuild.Enabled = $true
$labelNotify.Visible = $false
}
Else
{
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Please enter a valid IP address "
}
}
function BuildIPRegEx ([string] $IPType, [string] $IP, [string] $EndRangeIP)
{
If ($IPType -eq "Single")
{
$IPArray = $IP.Split(".")
$RegEx = "\b"+$IPArray[0]+"\."+$IPArray[1]+"\."+$IPArray[2]+"\."+$IPArray[3]+"\b"
}
ElseIf ($IPType -eq "Range")
{
$RangeIPBeginArray = $IP.Split(".")
$RangeIPEndArray = $EndRangeIP.Split(".")
$RegEx = "\b"+$RangeIPBeginArray[0]+"\."+$RangeIPBeginArray[1]+"\."+$RangeIPBeginArray[2]+"\."+$RangeIPBeginArray[3]+"\b"
$Iterations = ([int]$RangeIPEndArray[3] - [int]$RangeIPBeginArray[3])
For ($i=1; $i -le $Iterations; $i++)
{
$NewEnding = ([int]$RangeIPBeginArray[3] + $i)
$RegEx = $RegEx + "|\b"+$RangeIPEndArray[0]+"\."+$RangeIPEndArray[1]+"\."+$RangeIPEndArray[2]+"\."+$NewEnding+"\b"
}
}
Else
{
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Invalid IP type selected. "
}
Return $RegEx
}
function ConvertGroupsToSIDs ([string] $GroupString)
{
If ($GroupString -match ",")
{
$GroupArray = $GroupString.Split(",")
$Iterations = ($GroupArray.Count -1)
$FirstGroup = (New-Object system.security.principal.NtAccount($GroupArray[0].Trim())).translate([system.security.principal.securityidentifier])
If (!$?)
{
$FirstGroup = "FAIL"
}
$ConvertedGroups = "\b"+$FirstGroup+"\b"
For ($i=1; $i -le $Iterations; $i++)
{
$CurrentGroup = (New-Object system.security.principal.NtAccount($GroupArray[$i].Trim())).translate([system.security.principal.securityidentifier])
If (!$?)
{
$CurrentGroup = "FAIL"
}
$ConvertedGroups = $ConvertedGroups+"|\b"+$CurrentGroup+"\b"
}
}
Else
{
$GroupString = $GroupString.Trim()
$ConvertedGroups = (New-Object system.security.principal.NtAccount($GroupString)).translate([system.security.principal.securityidentifier])
If (!$?)
{
$ConvertedGroups = "FAIL"
}
$ConvertedGroups = "\b"+$ConvertedGroups+"\b"
}
Return $ConvertedGroups
}
#region Control Helper Functions
function Load-ListBox
{
<#
.SYNOPSIS
This functions helps you load items into a ListBox.
.DESCRIPTION
Use this function to dynamically load items into the ListBox control.
.PARAMETER ListBox
The ListBox control you want to add items to.
.PARAMETER Items
The object or objects you wish to load into the ListBox's Items collection.
.PARAMETER DisplayMember
Indicates the property to display for the items in this control.
.PARAMETER Append
Adds the item(s) to the ListBox without clearing the Items collection.
.EXAMPLE
Load-ListBox $ListBox1 "Red", "White", "Blue"
.EXAMPLE
Load-ListBox $listBox1 "Red" -Append
Load-ListBox $listBox1 "White" -Append
Load-ListBox $listBox1 "Blue" -Append
.EXAMPLE
Load-ListBox $listBox1 (Get-Process) "ProcessName"
#>
Param (
[Parameter(Mandatory=$true)]
[System.Windows.Forms.ListBox]$listBox,
[Parameter(Mandatory=$true)]
$Items,
[Parameter(Mandatory=$false)]
[string]$DisplayMember,
[switch]$Append
)
if(-not $Append)
{
$listBox.Items.Clear()
}
if($Items -is [Array])
{
$listBox.Items.AddRange($Items)
}
else
{
$listBox.Items.Add($Items)
}
$listBox.DisplayMember = $DisplayMember
}#endregion
$buttonCreateClaimTypeRules_Click={
$buttonCreateClaimTypeRules.Enabled = $false
#Get the original set of AD CP trust rules to file
$RulesFile = "$env:TEMP\ADCP_Rules.txt"
(Get-ADFSClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules | Out-File $RulesFile
#Pull the rules into an array
$OriginalADCPTrustRules = Get-Content $RulesFile
#Loop through the array looking for any matches for existing Client Access Policy claim types
foreach ($Line in $OriginalADCPTrustRules)
{
If (($Line -match "x-ms-forwarded-client-ip") -or ($Line -match "x-ms-client-application") -or ($Line -match "x-ms-client-user-agent") -or ($Line -match "x-ms-proxy") -or ($Line -match "x-ms-endpoint-absolute-path"))
{
$RulesAlreadyExist = $true
}
}
#If the rules do not exist, create them. Else, do nothing.
If (!($RulesAlreadyExist))
{
$ClaimRuleLanguage = @"
@RuleName = "Pass through: x-ms-forwarded-client-ip"
c:[type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);
"@
$ClaimRuleLanguage | Out-File $RulesFile -Append
$ClaimRuleLanguage = @"
@RuleName = "Pass through: x-ms-client-application"
c:[type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"] => issue(claim = c);
"@
$ClaimRuleLanguage | Out-File $RulesFile -Append
$ClaimRuleLanguage = @"
@RuleName = "Pass through: x-ms-client-user-agent"
c:[type == "p://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"] => issue(claim = c);
"@
$ClaimRuleLanguage | Out-File $RulesFile -Append
$ClaimRuleLanguage = @"
@RuleName = "Pass through: x-ms-proxy"
c:[type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"] => issue(claim = c);
"@
$ClaimRuleLanguage | Out-File $RulesFile -Append
$ClaimRuleLanguage = @"
@RuleName = "Pass through: x-ms-endpoint-absolute-path"
c:[type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"] => issue(claim = c);
"@
$ClaimRuleLanguage | Out-File $RulesFile -Append
#Set the AD CP Trust with the new rule set
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRulesFile $RulesFile
If (!$?)
{
$labelClaimTypesNotify.Visible = $true
$labelClaimTypesNotify.ForeColor = "Red"
$labelClaimTypesNotify.Text = " Could not write to 'Active Directory' CP Trust. "
}
Remove-Item $RulesFile
}
Else
{
$labelClaimTypesNotify.Visible = $true
$labelClaimTypesNotify.ForeColor = "Red"
$labelClaimTypesNotify.Text = " Existing rules detected. No action taken. "
}
$groupboxStep1.Enabled = $false
$groupboxStep2.Enabled = $true
$labelNotify.Visible = $true
$labelNotify.Text = " Please enter a valid IP address "
$labelNotify.ForeColor = "Red"
}
$radiobuttonBlockAll_CheckedChanged={
If ($radiobuttonBlockAll.Checked)
{
$Global:ClaimRuleLanguage = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Block all external access to Office 365"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"IPPlaceholder"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
}
}
$radiobuttonBlockExceptEAS_CheckedChanged={
If ($radiobuttonBlockExceptEAS.Checked)
{
$Global:ClaimRuleLanguage = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Block all external access to Office 365 except Exchange ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value=="Microsoft.Exchange.ActiveSync"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"IPPlaceholder"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
}
}
$radiobuttonBlockExceptBrowser_CheckedChanged={
If ($radiobuttonBlockExceptBrowser.Checked)
{
$Global:ClaimRuleLanguage = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Block all external access to Office 365 except browser-based applications"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"IPPlaceholder"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
}
}
$radiobuttonBlockGroups_CheckedChanged={
If ($radiobuttonBlockGroups.Checked)
{
$labelGroups.Visible = $true
$textboxGroups.Visible = $true
$GroupString = $textboxGroups.Text
$Global:ClaimRuleLanguage = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Block all external access to Office 365 for designated Active Directory groups"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "GroupPlaceholder"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"IPPlaceholder"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
}
Else
{
$labelGroups.Visible = $false
$textboxGroups.Visible = $false
}
}
$radiobuttonBlockOnlyOutlook_CheckedChanged={
If ($radiobuttonBlockOnlyOutlook.Checked)
{
$Global:ClaimRuleLanguage = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Block only external Outlook Clients - Exchange AutoDiscover"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value=="Microsoft.Exchange.Autodiscover"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"IPPlaceholder"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
@RuleName = "Block only external Outlook Clients - Exchange OAB"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value=="Microsoft.Exchange.OfflineAddressBook"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"IPPlaceholder"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
@RuleName = "Block only external Outlook Clients - Exchange RPC"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value=="Microsoft.Exchange.RPC"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"IPPlaceholder"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
@RuleName = "Block only external Outlook Clients - Exchange Web Services"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value=="Microsoft.Exchange.WebServices"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"IPPlaceholder"]) &&
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
}
}
$radiobuttonSingleIP_CheckedChanged={
If ($radiobuttonSingleIP.Checked)
{
#Enable/Disable textboxes for IP entry
$RangeOct1.Enabled = $false
$RangeOct2.Enabled = $false
$RangeOct3.Enabled = $false
$RangeOct4.Enabled = $false
$RangeOct5.Enabled = $false
$RangeOct6.Enabled = $false
$RangeOct7.Enabled = $false
$RangeOct8.Enabled = $false
$IPOct1.Enabled = $true
$IPOct2.Enabled = $true
$IPOct3.Enabled = $true
$IPOct4.Enabled = $true
#Clear error notifications
$labelNotify.Visible = $false
$labelRangeBeginNotify.Visible = $false
$labelRangeEndNotify.Visible = $false
$labelIPNotify.Visible = $false
IPTextChanged
}
}
$radiobuttonIPRange_CheckedChanged={
If ($radiobuttonIPRange.Checked)
{
#Enable/Disable texboxes for IP entry
$IPOct1.Enabled = $false
$IPOct2.Enabled = $false
$IPOct3.Enabled = $false
$IPOct4.Enabled = $false
$RangeOct1.Enabled = $true
$RangeOct2.Enabled = $true
$RangeOct3.Enabled = $true
$RangeOct4.Enabled = $true
$RangeOct5.Enabled = $false
$RangeOct6.Enabled = $false
$RangeOct7.Enabled = $false
$RangeOct8.Enabled = $true
#Clear error notifications
$labelNotify.Visible = $false
$labelRangeBeginNotify.Visible = $false
$labelRangeEndNotify.Visible = $false
$labelIPNotify.Visible = $false
RangeBeginTextChanged
RangeEndTextChanged
}
}
$buttonHelp_Click={
$buttonHelp.Enabled = $false
Start-Process -FilePath "$Env:ProgramFiles\Internet Explorer\iexplore.exe" -ArgumentList "http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx"
$buttonHelp.Enabled = $true
If (!$?)
{
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Internet Explorer failed to load Help "
}
}
$buttonBuild_Click={
$buttonBuild.Text = "Working..."
$buttonBuild.Enabled = $false
$StopHere = $false
If ($radiobuttonBlockGroups.Checked)
{
$labelGroups.Visible = $true
$textboxGroups.Visible = $true
$GroupString = $textboxGroups.Text
$ConvertedGroups = ConvertGroupsToSIDs $GroupString
If ($ConvertedGroups -match "FAIL")
{
$StopHere = $true
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Group to SID translation failed. Check group names. "
}
}
If (!$StopHere)
{
If ($radiobuttonSingleIP.Checked)
{
$RegEx = BuildIPRegEx "Single" $Global:IP "foo"
}
ElseIf ($radiobuttonIPRange.Checked)
{
$RegEx = BuildIPRegEx "Range" $Global:RangeBeginIP $Global:RangeEndIP
}
Else
{
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Invalid IP button selection. "
}
$RuleToWrite = $Global:ClaimRuleLanguage.Replace("IPPlaceholder", $RegEx)
$RuleToWrite = $RuleToWrite.Replace("GroupPlaceholder",$ConvertedGroups)
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -IssuanceAuthorizationRules $RuleToWrite
If (!$?)
{
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Could not write to 'Microsoft Office 365 Identity Platform' RP Trust. "
}
Else
{
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Green"
$labelNotify.Text = " Success! Please verify the rule(s). Click Help for more information. "
}
}
$buttonBuild.Text = "Build"
$buttonBuild.Enabled = $true
}
$IPOct1_TextChanged={
IPTextChanged
}
$IPOct2_TextChanged={
IPTextChanged
}
$IPOct3_TextChanged={
IPTextChanged
}
$IPOct4_TextChanged={
IPTextChanged
}
$RangeOct1_TextChanged={
RangeBeginTextChanged
$RangeOct5.Text = $RangeOct1.Text
}
$RangeOct2_TextChanged={
RangeBeginTextChanged
$RangeOct6.Text = $RangeOct2.Text
}
$RangeOct3_TextChanged={
RangeBeginTextChanged
$RangeOct7.Text = $RangeOct3.Text
}
$RangeOct4_TextChanged={
RangeBeginTextChanged
}
$RangeOct5_TextChanged={
RangeEndTextChanged
}
$RangeOct6_TextChanged={
RangeEndTextChanged
}
$RangeOct7_TextChanged={
RangeEndTextChanged
}
$RangeOct8_TextChanged={
#Combine texboxes into single string IP
$Global:RangeEndIP = $RangeOct5.Text+"."+$RangeOct6.Text+"."+$RangeOct7.Text+"."+$RangeOct8.Text
#Call function to validate if this is a valid IP address
$Global:RangeEndIsValid = Validate-IsIP($Global:RangeEndIP)
#Change UI if this IP is valid or invalid
If (($Global:RangeEndIsValid) -and ([int]$RangeOct8.Text -gt [int]$RangeOct4.Text))
{
$labelRangeEndNotify.Visible = $false
}
Else
{
$labelRangeEndNotify.Visible = $true
$labelRangeEndNotify.ForeColor = "Red"
$labelRangeEndNotify.Text = " Invalid "
}
#Change UI if the beginning and the end of the range are both valid
If (($Global:RangeBeginIsValid) -and ($Global:RangeEndIsValid) -and ([int]$RangeOct8.Text -gt [int]$RangeOct4.Text))
{
$buttonBuild.Enabled = $true
$labelNotify.Visible = $false
}
Else
{
$labelNotify.Visible = $true
$labelNotify.ForeColor = "Red"
$labelNotify.Text = " Please enter a valid IP address "
}
}
$textboxGroups_TextChanged={
$GroupString = $textboxGroups.Text
}
# --End User Generated Script--
#----------------------------------------------
#region Generated Events
#----------------------------------------------
$Form_StateCorrection_Load=
{
#Correct the initial state of the form to prevent the .Net maximized form issue
$MainForm.WindowState = $InitialFormWindowState
}
$Form_StoreValues_Closing=
{
#Store the control values
$script:MainForm_textboxGroups = $textboxGroups.Text
$script:MainForm_RangeOct8 = $RangeOct8.Text
$script:MainForm_RangeOct7 = $RangeOct7.Text
$script:MainForm_RangeOct6 = $RangeOct6.Text
$script:MainForm_RangeOct5 = $RangeOct5.Text
$script:MainForm_RangeOct4 = $RangeOct4.Text
$script:MainForm_RangeOct3 = $RangeOct3.Text
$script:MainForm_RangeOct2 = $RangeOct2.Text
$script:MainForm_RangeOct1 = $RangeOct1.Text
$script:MainForm_IPOct4 = $IPOct4.Text
$script:MainForm_IPOct3 = $IPOct3.Text
$script:MainForm_IPOct2 = $IPOct2.Text
$script:MainForm_IPOct1 = $IPOct1.Text
$script:MainForm_radiobuttonIPRange = $radiobuttonIPRange.Checked
$script:MainForm_radiobuttonSingleIP = $radiobuttonSingleIP.Checked
$script:MainForm_radiobuttonBlockOnlyOutlook = $radiobuttonBlockOnlyOutlook.Checked
$script:MainForm_radiobuttonBlockExceptEAS = $radiobuttonBlockExceptEAS.Checked
$script:MainForm_radiobuttonBlockExceptBrowser = $radiobuttonBlockExceptBrowser.Checked
$script:MainForm_radiobuttonBlockAll = $radiobuttonBlockAll.Checked
$script:MainForm_radiobuttonBlockGroups = $radiobuttonBlockGroups.Checked
}
$Form_Cleanup_FormClosed=
{
#Remove all event handlers from the controls
try
{
$buttonBuild.remove_Click($buttonBuild_Click)
$buttonHelp.remove_Click($buttonHelp_Click)
$textboxGroups.remove_TextChanged($textboxGroups_TextChanged)
$RangeOct8.remove_TextChanged($RangeOct8_TextChanged)
$RangeOct7.remove_TextChanged($RangeOct7_TextChanged)
$RangeOct6.remove_TextChanged($RangeOct6_TextChanged)
$RangeOct5.remove_TextChanged($RangeOct5_TextChanged)
$RangeOct4.remove_TextChanged($RangeOct4_TextChanged)
$RangeOct3.remove_TextChanged($RangeOct3_TextChanged)
$RangeOct2.remove_TextChanged($RangeOct2_TextChanged)
$RangeOct1.remove_TextChanged($RangeOct1_TextChanged)
$IPOct4.remove_TextChanged($IPOct4_TextChanged)
$IPOct3.remove_TextChanged($IPOct3_TextChanged)
$IPOct2.remove_TextChanged($IPOct2_TextChanged)
$IPOct1.remove_TextChanged($IPOct1_TextChanged)
$radiobuttonIPRange.remove_CheckedChanged($radiobuttonIPRange_CheckedChanged)
$radiobuttonSingleIP.remove_CheckedChanged($radiobuttonSingleIP_CheckedChanged)
$radiobuttonBlockOnlyOutlook.remove_CheckedChanged($radiobuttonBlockOnlyOutlook_CheckedChanged)
$radiobuttonBlockExceptEAS.remove_CheckedChanged($radiobuttonBlockExceptEAS_CheckedChanged)
$radiobuttonBlockExceptBrowser.remove_CheckedChanged($radiobuttonBlockExceptBrowser_CheckedChanged)
$radiobuttonBlockAll.remove_CheckedChanged($radiobuttonBlockAll_CheckedChanged)
$radiobuttonBlockGroups.remove_CheckedChanged($radiobuttonBlockGroups_CheckedChanged)
$buttonCreateClaimTypeRules.remove_Click($buttonCreateClaimTypeRules_Click)
$MainForm.remove_Load($OnLoadFormEvent)
$MainForm.remove_Load($Form_StateCorrection_Load)
$MainForm.remove_Closing($Form_StoreValues_Closing)
$MainForm.remove_FormClosed($Form_Cleanup_FormClosed)
}
catch [Exception]
{ }
}
#endregion Generated Events
#----------------------------------------------
#region Generated Form Code
#----------------------------------------------
#
# MainForm
#
$MainForm.Controls.Add($buttonBuild)
$MainForm.Controls.Add($buttonHelp)
$MainForm.Controls.Add($labelNotify)
$MainForm.Controls.Add($groupboxStep2)
$MainForm.Controls.Add($groupboxStep1)
$MainForm.ClientSize = '536, 604'
$MainForm.FormBorderStyle = 'Fixed3D'
#region Binary Data
$MainForm.Icon = [System.Convert]::FromBase64String('AAABAAEAHh4AAAEAGABoCwAAFgAAACgAAAAeAAAAPAAAAAEAGAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAD//////////v7+///+/v7+/v79/fz+/f3+/v7+/v3+/v3+/v7+/v79/f3+/v7+/v7////+
/v7////////////////////////////////////////+/v7///8AAP////////////3+/vn7+uvt
7uLj5eLj5eLj5OLi5eLh5OLg5uHg5ePg5O7r5/b29f7+/v//////////////////////////////
//////////////////7+/gAA///////////////+ttH3Qoj0Q4juQ4ntQ4rsRYvrRojrSIbqSILp
S4Dogp7a2dja+Pj4/////v77/Pr1+Pbx+Pbx+PXx+PXx+Pbx+PXx9/Xx+fn5////////AAD/////
/////v7///+VvfcAX/4AZ/8AZv8AZ/4Aaf8Aaf4AY/4AXv4AW/0WYPSjtNby8vH+/v3W2+2UpOKQ
od2RpN6PqduOrd2NrdyOr9yYrdve3d7Y2Njk5OQAAP////////7//////5i+9gBh/yV08Wyc7Hur
9nys+Hys93ys+Hyo9wdi+gdh+JKt2PHy79Tc+AI++gBF/wBH/gBK/gBN/QBQ/ABT/ABW/B178MzH
y4eHh8HBwQAA////////////////l772AGf/Sonn397g///7///+///+///+///9I3b7BGj5k67X
9/Tufpv4AD3+F1T2M2X4N2r8OGn8Omv8KF/7Ak39HnLv0c3Qt7e22NjYAAD////////+//////+X
v/UAbv9IjOna3OP8/Pz//////v////////4hePsDbfqTsNj29O99ofkAPf9rht/t6eT///r///z/
//u3xPYGTP0eb+7Z1Nj///7///8AAP///////////////5nC9AB3/0qP6tvd5Pz8/P//////////
/////iJ3+wJr+pGw2Pbz74Gp+QBF/22K3+vp5/7+/v///////7bE+QZL/h5p79nV1/v6+v///wAA
///////////+////nMX1AH7/SpPq3d7l/Pz8////////////////I3b7AWf7ka7Z9vTvhbD5AE7/
bo3g6+ro/v7+////////tcP5BUr+G2Pw2tbX+vr6////AAD//////////v////6eyvQAhv9Ll+ra
3OH49/X7+vj6+fj6+fj//vtIi/kBYfqUsN338++HtvkAVPuGouj08/P+/fz8/Pv///qzwfUFSv0b
W/HZ19b6+vr///8AAP///////////////6HM8wCP/zaS752236zC5qzC5qnB5cPO3+jm5OHo9EmK
96C76/z59Ym7+FmT9OXp8f779szU7MDI4sXK34WZ6ARL/BpS9NrY2Pr6+f///wAA////////////
///+rdL1AJf8BJD7E435FIr5E4b4EYL5IoXyrsHW6ebi3ej14ev4/f780+b56vH5///4jK/zImz4
H2X0IF/0FFH2AEj8HVDz7Onj/f38////AAD////////////////2+v1SrfYOmvgQl/kKkfsGifsA
gvsAevwKe/fB0+n7+vf+/v7+/v7+/v7///2cw/gVbvsDYvwAWfwATvwAQ/sFQPmptvD9/Pb/////
//8AAP////7+/v////7+/v///v//+/X1+fHz+fPz+fLz+fLy+fHy+PHy+e7z+f39/P7+/v////7/
//v9/fH2+u/z9/Dy9u/y9u/x9+/x9/379v7/+/3+/f////7+/gAA///+/////v7////88PH05ebv
5ebt5Obt5Obu5ebt5eXs4+Tr4ePq4OXt9/f3/v7+///////++f397PH34eTq293k2tzj29zj3d3j
6+nk9fX2/v7+////////AAD+//////7///2p0vZFqvc8p/Y8p/U8p/U8pfU9pvQ+pvQ/qPIzpfKe
y+r8+Pb+/v7+/v7+//73+/yIufc7hvI5ge86fe87eO47cu17l9vi4Nz7+/v////+/v4AAP//////
/unx+iSo+gGi/QCn/wCq/wCq/gCl/gCh/gCa/wCS/Wm99PDy9Pz6+Pb08/n5+f37+/j39ebv+TSK
+gBl/QBb/wBT/wBM/Q1U+NjWz/j4+P///////wAA///+////2Or6Frj+Abv9O731b873b9H7b9H6
b876bMr6kdP59/r4+fv5qtXzq83m+vf0i8r4stLm7uzq7fT6w9r5xNn3lbj1E2X8BVr82NXP+Pj3
////////AAD+///////Y7PsWy/0Fz/yg1uv//Pb///////7///////7///7//v2r3PcQmfiZw+P7
9vN6yvoQovW0zd/49vT///7///7N4PscdvwEZf3Y0874+Pf///////8AAP///////9ju+hrZ/g3c
/prX6v/5+P////////////////7////+/Qqw+gOa+p3E5Pv283vO+gCj/nm76Pbz8f///////8nh
/BqB/QRv/dnTz/j49////////wAA////////2PD7JeD9GOH+mtjq/vn4////////////////////
///+ALn9Baf7nsfl/Pf0gtX6AKz/fL7o8+/s+vn3/fr3xt73Goz8Anj92NTO+Pj3////////AAD/
///////Z7/st5P4j5/2c2ev++Pj//////////////////////v4AxvwFs/yey+X89/aJ2foAtP5b
seewxN6wxuGvyOCJuuQTk/oBgv7Y1M74+Pf///////8AAP///////9fx+kDq/Sns/Z7a6/759///
///////////////////+/QDO/QW9+5/O5/v39Zfg+QC//AC5/wCw/wCr/wCk/wCe/wCa/wCN/t7Z
1Pn5+P///////wAA////////1/H7U+79J+/+ndrq/fj2/v7+/v7+/v7+/v7+/v7+//z8AdL9BcX7
n8/m+PX14PT7bdf5V9H6Vc37Ucr6TcX6TMH7TLz6S7X79PHu/Pz8/////v7+AAD////////W8Pth
8fwn8f6g1OT66OX67ev67ez57Ov57Ov67ev66+oC1f4Fyvue0ef29fX////1+/3v+fzw+P3v+P3u
+P3v+P3u+P3v+P3+/v7+/v7///////8AAP///////9bw+2ry/STz/i7h+Dnh+Trk+Tjj+Tjj+Tbh
+DXe+CrY+Q3d/wbL/KDU6vn39////////v///v////////////////////////////////7+/v//
/wAA////////1fD6dPD8M/L+NfX9Nvb9M/X+LPX9J/L9Je39I+n9F+P9Dtv+Js/6xOPx/fz8////
////////////////////////////////////////////////AAD///////7l9vu67vq37/y28Pux
8Pup7/ud7/uP7fyG6/yF6fuA5vt94vm86fj9+/v+/v7+/v7/////////////////////////////
//////////////////8AAP/+//7+/v///v///v///v///v///v///v///v///v///v///v///v//
/f///v7+/v7+/v///////////////////////////////////////////////////wAA/v/+//7/
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=')
#endregion
$MainForm.Name = "MainForm"
$MainForm.StartPosition = 'CenterScreen'
$MainForm.Text = "Office 365 - Client Access Policy Builder"
$MainForm.add_Load($OnLoadFormEvent)
#
# buttonBuild
#
$buttonBuild.Location = '476, 572'
$buttonBuild.Name = "buttonBuild"
$buttonBuild.Size = '50, 23'
$buttonBuild.TabIndex = 23
$buttonBuild.Text = "Build"
$buttonBuild.UseVisualStyleBackColor = $True
$buttonBuild.add_Click($buttonBuild_Click)
#
# buttonHelp
#
$buttonHelp.Location = '420, 572'
$buttonHelp.Name = "buttonHelp"
$buttonHelp.Size = '50, 23'
$buttonHelp.TabIndex = 24
$buttonHelp.Text = "Help"
$buttonHelp.UseVisualStyleBackColor = $True
$buttonHelp.add_Click($buttonHelp_Click)
#
# labelNotify
#
$labelNotify.Location = '13, 572'
$labelNotify.Name = "labelNotify"
$labelNotify.Size = '372, 23'
$labelNotify.TabIndex = 25
#
# groupboxStep2
#
$groupboxStep2.Controls.Add($labelGroups)
$groupboxStep2.Controls.Add($textboxGroups)
$groupboxStep2.Controls.Add($groupboxIPSelection)
$groupboxStep2.Controls.Add($radiobuttonBlockOnlyOutlook)
$groupboxStep2.Controls.Add($labelChooseOneOfTheExampl)
$groupboxStep2.Controls.Add($radiobuttonBlockExceptEAS)
$groupboxStep2.Controls.Add($radiobuttonBlockExceptBrowser)
$groupboxStep2.Controls.Add($radiobuttonBlockAll)
$groupboxStep2.Controls.Add($radiobuttonBlockGroups)
$groupboxStep2.Location = '13, 133'
$groupboxStep2.Name = "groupboxStep2"
$groupboxStep2.Size = '513, 431'
$groupboxStep2.TabIndex = 9
$groupboxStep2.TabStop = $False
$groupboxStep2.Text = "Step 2"
#
# labelGroups
#
$labelGroups.Location = '37, 187'
$labelGroups.Name = "labelGroups"
$labelGroups.Size = '161, 23'
$labelGroups.TabIndex = 12
$labelGroups.Text = "Separate groups with commas:"
#
# textboxGroups
#
$textboxGroups.Location = '220, 184'
$textboxGroups.Name = "textboxGroups"
$textboxGroups.Size = '159, 20'
$textboxGroups.TabIndex = 11
$textboxGroups.Text = "domain\group1, domain\group2"
$textboxGroups.add_TextChanged($textboxGroups_TextChanged)
#
# groupboxIPSelection
#
$groupboxIPSelection.Controls.Add($labelIPExplanation)
$groupboxIPSelection.Controls.Add($labelRangeEndNotify)
$groupboxIPSelection.Controls.Add($labelRangeBeginNotify)
$groupboxIPSelection.Controls.Add($labelIPNotify)
$groupboxIPSelection.Controls.Add($labelRangeHyphen)
$groupboxIPSelection.Controls.Add($label9)
$groupboxIPSelection.Controls.Add($label8)
$groupboxIPSelection.Controls.Add($label7)
$groupboxIPSelection.Controls.Add($label6)
$groupboxIPSelection.Controls.Add($label5)
$groupboxIPSelection.Controls.Add($label4)
$groupboxIPSelection.Controls.Add($label3)
$groupboxIPSelection.Controls.Add($label2)
$groupboxIPSelection.Controls.Add($label1)
$groupboxIPSelection.Controls.Add($RangeOct8)
$groupboxIPSelection.Controls.Add($RangeOct7)
$groupboxIPSelection.Controls.Add($RangeOct6)
$groupboxIPSelection.Controls.Add($RangeOct5)
$groupboxIPSelection.Controls.Add($RangeOct4)
$groupboxIPSelection.Controls.Add($RangeOct3)
$groupboxIPSelection.Controls.Add($RangeOct2)
$groupboxIPSelection.Controls.Add($RangeOct1)
$groupboxIPSelection.Controls.Add($IPOct4)
$groupboxIPSelection.Controls.Add($IPOct3)
$groupboxIPSelection.Controls.Add($IPOct2)
$groupboxIPSelection.Controls.Add($IPOct1)
$groupboxIPSelection.Controls.Add($radiobuttonIPRange)
$groupboxIPSelection.Controls.Add($radiobuttonSingleIP)
$groupboxIPSelection.Location = '7, 241'
$groupboxIPSelection.Name = "groupboxIPSelection"
$groupboxIPSelection.Size = '496, 183'
$groupboxIPSelection.TabIndex = 10
$groupboxIPSelection.TabStop = $False
$groupboxIPSelection.Text = "IP Selection"
#
# labelIPExplanation
#
$labelIPExplanation.Location = '7, 115'
$labelIPExplanation.Name = "labelIPExplanation"
$labelIPExplanation.Size = '483, 65'
$labelIPExplanation.TabIndex = 27
$labelIPExplanation.Text = "The x-ms-forwarded-client-ip claim is populated from an HTTP header that is currently set only by Exchange Online, which populates the header when passing the authentication request to AD FS. The value of the claim may be a single IPV4 address or a IPV4 address range. Currently, this tool allows only a range in the last octet of the IPV4 address. For more information, click Help."
#
# labelRangeEndNotify
#
$labelRangeEndNotify.Location = '379, 83'
$labelRangeEndNotify.Name = "labelRangeEndNotify"
$labelRangeEndNotify.Size = '111, 23'
$labelRangeEndNotify.TabIndex = 26
#
# labelRangeBeginNotify
#
$labelRangeBeginNotify.Location = '391, 58'
$labelRangeBeginNotify.Name = "labelRangeBeginNotify"
$labelRangeBeginNotify.Size = '99, 23'
$labelRangeBeginNotify.TabIndex = 25
#
# labelIPNotify
#
$labelIPNotify.Location = '378, 25'
$labelIPNotify.Name = "labelIPNotify"
$labelIPNotify.Size = '111, 23'
$labelIPNotify.TabIndex = 24
#
# labelRangeHyphen
#
$labelRangeHyphen.Font = "Microsoft Sans Serif, 14pt"
$labelRangeHyphen.Location = '378, 50'
$labelRangeHyphen.Name = "labelRangeHyphen"
$labelRangeHyphen.Size = '47, 23'
$labelRangeHyphen.TabIndex = 23
$labelRangeHyphen.Text = "-"
#
# label9
#
$label9.Location = '323, 80'
$label9.Name = "label9"
$label9.Size = '10, 23'
$label9.TabIndex = 22
$label9.Text = "."
#
# label8
#
$label8.Location = '213, 80'
$label8.Name = "label8"
$label8.Size = '10, 23'
$label8.TabIndex = 21
$label8.Text = "."
#
# label7
#
$label7.Location = '324, 55'
$label7.Name = "label7"
$label7.Size = '10, 23'
$label7.TabIndex = 20
$label7.Text = "."
#
# label6
#
$label6.Location = '269, 55'
$label6.Name = "label6"
$label6.Size = '10, 23'
$label6.TabIndex = 19
$label6.Text = "."
#
# label5
#
$label5.Location = '268, 80'
$label5.Name = "label5"
$label5.Size = '10, 23'
$label5.TabIndex = 18
$label5.Text = "."
#
# label4
#
$label4.Location = '214, 55'
$label4.Name = "label4"
$label4.Size = '10, 23'
$label4.TabIndex = 17
$label4.Text = "."
#
# label3
#
$label3.Location = '323, 22'
$label3.Name = "label3"
$label3.Size = '10, 23'
$label3.TabIndex = 16
$label3.Text = "."
#
# label2
#
$label2.Location = '268, 22'
$label2.Name = "label2"
$label2.Size = '10, 23'
$label2.TabIndex = 15
$label2.Text = "."
#
# label1
#
$label1.Location = '214, 22'
$label1.Name = "label1"
$label1.Size = '10, 23'
$label1.TabIndex = 14
$label1.Text = "."
#
# RangeOct8
#
$RangeOct8.Location = '339, 80'
$RangeOct8.Name = "RangeOct8"
$RangeOct8.Size = '33, 20'
$RangeOct8.TabIndex = 13
$RangeOct8.add_TextChanged($RangeOct8_TextChanged)
#
# RangeOct7
#
$RangeOct7.Location = '284, 80'
$RangeOct7.Name = "RangeOct7"
$RangeOct7.Size = '33, 20'
$RangeOct7.TabIndex = 12
$RangeOct7.add_TextChanged($RangeOct7_TextChanged)
#
# RangeOct6
#
$RangeOct6.Location = '229, 80'
$RangeOct6.Name = "RangeOct6"
$RangeOct6.Size = '33, 20'
$RangeOct6.TabIndex = 11
$RangeOct6.add_TextChanged($RangeOct6_TextChanged)
#
# RangeOct5
#
$RangeOct5.Location = '175, 80'
$RangeOct5.Name = "RangeOct5"
$RangeOct5.Size = '33, 20'
$RangeOct5.TabIndex = 10
$RangeOct5.add_TextChanged($RangeOct5_TextChanged)
#
# RangeOct4
#
$RangeOct4.Location = '339, 54'
$RangeOct4.Name = "RangeOct4"
$RangeOct4.Size = '33, 20'
$RangeOct4.TabIndex = 9
$RangeOct4.add_TextChanged($RangeOct4_TextChanged)
#
# RangeOct3
#
$RangeOct3.Location = '284, 55'
$RangeOct3.Name = "RangeOct3"
$RangeOct3.Size = '33, 20'
$RangeOct3.TabIndex = 8
$RangeOct3.add_TextChanged($RangeOct3_TextChanged)
#
# RangeOct2
#
$RangeOct2.Location = '229, 55'
$RangeOct2.Name = "RangeOct2"
$RangeOct2.Size = '33, 20'
$RangeOct2.TabIndex = 7
$RangeOct2.add_TextChanged($RangeOct2_TextChanged)
#
# RangeOct1
#
$RangeOct1.Location = '175, 55'
$RangeOct1.Name = "RangeOct1"
$RangeOct1.Size = '33, 20'
$RangeOct1.TabIndex = 6
$RangeOct1.add_TextChanged($RangeOct1_TextChanged)
#
# IPOct4
#
$IPOct4.Location = '339, 23'
$IPOct4.Name = "IPOct4"
$IPOct4.Size = '33, 20'
$IPOct4.TabIndex = 5
$IPOct4.add_TextChanged($IPOct4_TextChanged)
#
# IPOct3
#
$IPOct3.Location = '284, 22'
$IPOct3.Name = "IPOct3"
$IPOct3.Size = '33, 20'
$IPOct3.TabIndex = 4
$IPOct3.add_TextChanged($IPOct3_TextChanged)
#
# IPOct2
#
$IPOct2.Location = '229, 22'
$IPOct2.Name = "IPOct2"
$IPOct2.Size = '33, 20'
$IPOct2.TabIndex = 3
$IPOct2.add_TextChanged($IPOct2_TextChanged)
#
# IPOct1
#
$IPOct1.Location = '175, 22'
$IPOct1.Name = "IPOct1"
$IPOct1.Size = '33, 20'
$IPOct1.TabIndex = 2
$IPOct1.add_TextChanged($IPOct1_TextChanged)
#
# radiobuttonIPRange
#
$radiobuttonIPRange.Location = '7, 51'
$radiobuttonIPRange.Name = "radiobuttonIPRange"
$radiobuttonIPRange.Size = '160, 24'
$radiobuttonIPRange.TabIndex = 1
$radiobuttonIPRange.TabStop = $True
$radiobuttonIPRange.Text = "External IP address range"
$radiobuttonIPRange.UseVisualStyleBackColor = $True
$radiobuttonIPRange.add_CheckedChanged($radiobuttonIPRange_CheckedChanged)
#
# radiobuttonSingleIP
#
$radiobuttonSingleIP.Location = '7, 20'
$radiobuttonSingleIP.Name = "radiobuttonSingleIP"
$radiobuttonSingleIP.Size = '160, 24'
$radiobuttonSingleIP.TabIndex = 0
$radiobuttonSingleIP.TabStop = $True
$radiobuttonSingleIP.Text = "Single external IP address"
$radiobuttonSingleIP.UseVisualStyleBackColor = $True
$radiobuttonSingleIP.add_CheckedChanged($radiobuttonSingleIP_CheckedChanged)
#
# radiobuttonBlockOnlyOutlook
#
$radiobuttonBlockOnlyOutlook.Location = '7, 210'
$radiobuttonBlockOnlyOutlook.Name = "radiobuttonBlockOnlyOutlook"
$radiobuttonBlockOnlyOutlook.Size = '489, 24'
$radiobuttonBlockOnlyOutlook.TabIndex = 9
$radiobuttonBlockOnlyOutlook.TabStop = $True
$radiobuttonBlockOnlyOutlook.Text = "Block only external Outlook clients"
$radiobuttonBlockOnlyOutlook.UseVisualStyleBackColor = $True
$radiobuttonBlockOnlyOutlook.add_CheckedChanged($radiobuttonBlockOnlyOutlook_CheckedChanged)
#
# labelChooseOneOfTheExampl
#
$labelChooseOneOfTheExampl.Location = '7, 20'
$labelChooseOneOfTheExampl.Name = "labelChooseOneOfTheExampl"
$labelChooseOneOfTheExampl.Size = '497, 44'
$labelChooseOneOfTheExampl.TabIndex = 8
$labelChooseOneOfTheExampl.Text = "Choose one of the example scenarios below to configure the claim rules on the Microsoft Office 365 Identity Platform relying party trust that best meets the needs of your organization, enter an external IP address or external IP address range, and click the Build button."
#
# radiobuttonBlockExceptEAS
#
$radiobuttonBlockExceptEAS.Location = '7, 97'
$radiobuttonBlockExceptEAS.Name = "radiobuttonBlockExceptEAS"
$radiobuttonBlockExceptEAS.Size = '489, 33'
$radiobuttonBlockExceptEAS.TabIndex = 5
$radiobuttonBlockExceptEAS.TabStop = $True
$radiobuttonBlockExceptEAS.Text = "Block all external access to Office 365, except Exchange ActiveSync"
$radiobuttonBlockExceptEAS.UseVisualStyleBackColor = $True
$radiobuttonBlockExceptEAS.add_CheckedChanged($radiobuttonBlockExceptEAS_CheckedChanged)
#
# radiobuttonBlockExceptBrowser
#
$radiobuttonBlockExceptBrowser.Location = '7, 127'
$radiobuttonBlockExceptBrowser.Name = "radiobuttonBlockExceptBrowser"
$radiobuttonBlockExceptBrowser.Size = '489, 35'
$radiobuttonBlockExceptBrowser.TabIndex = 6
$radiobuttonBlockExceptBrowser.TabStop = $True
$radiobuttonBlockExceptBrowser.Text = "Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online"
$radiobuttonBlockExceptBrowser.UseVisualStyleBackColor = $True
$radiobuttonBlockExceptBrowser.add_CheckedChanged($radiobuttonBlockExceptBrowser_CheckedChanged)
#
# radiobuttonBlockAll
#
$radiobuttonBlockAll.Location = '7, 67'
$radiobuttonBlockAll.Name = "radiobuttonBlockAll"
$radiobuttonBlockAll.Size = '489, 24'
$radiobuttonBlockAll.TabIndex = 4
$radiobuttonBlockAll.TabStop = $True
$radiobuttonBlockAll.Text = "Block all external access to Office 365"
$radiobuttonBlockAll.UseVisualStyleBackColor = $True
$radiobuttonBlockAll.add_CheckedChanged($radiobuttonBlockAll_CheckedChanged)
#
# radiobuttonBlockGroups
#
$radiobuttonBlockGroups.Location = '7, 158'
$radiobuttonBlockGroups.Name = "radiobuttonBlockGroups"
$radiobuttonBlockGroups.Size = '489, 35'
$radiobuttonBlockGroups.TabIndex = 7
$radiobuttonBlockGroups.TabStop = $True
$radiobuttonBlockGroups.Text = "Block all external access to Office 365 for members of designated Active Directory groups"
$radiobuttonBlockGroups.UseVisualStyleBackColor = $True
$radiobuttonBlockGroups.add_CheckedChanged($radiobuttonBlockGroups_CheckedChanged)
#
# groupboxStep1
#
$groupboxStep1.Controls.Add($labelClaimTypesNotify)
$groupboxStep1.Controls.Add($labelAfterTheUpdateRollup)
$groupboxStep1.Controls.Add($buttonCreateClaimTypeRules)
$groupboxStep1.Location = '13, 13'
$groupboxStep1.Name = "groupboxStep1"
$groupboxStep1.Size = '510, 114'
$groupboxStep1.TabIndex = 8
$groupboxStep1.TabStop = $False
$groupboxStep1.Text = "Step 1"
#
# labelClaimTypesNotify
#
$labelClaimTypesNotify.Location = '181, 81'
$labelClaimTypesNotify.Name = "labelClaimTypesNotify"
$labelClaimTypesNotify.Size = '315, 23'
$labelClaimTypesNotify.TabIndex = 2
#
# labelAfterTheUpdateRollup
#
$labelAfterTheUpdateRollup.Location = '6, 16'
$labelAfterTheUpdateRollup.Name = "labelAfterTheUpdateRollup"
$labelAfterTheUpdateRollup.Size = '497, 58'
$labelAfterTheUpdateRollup.TabIndex = 1
$labelAfterTheUpdateRollup.Text = "After the Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0 package has been installed on all federation servers and federation server proxies, and the AD FS Windows service has been restarted, use the following button to add a set of claim rules that make the new claim types available to the policy engine."
#
# buttonCreateClaimTypeRules
#
$buttonCreateClaimTypeRules.Location = '6, 81'
$buttonCreateClaimTypeRules.Name = "buttonCreateClaimTypeRules"
$buttonCreateClaimTypeRules.Size = '168, 23'
$buttonCreateClaimTypeRules.TabIndex = 0
$buttonCreateClaimTypeRules.Text = "Create Rules for Claim Types"
$buttonCreateClaimTypeRules.UseVisualStyleBackColor = $True
$buttonCreateClaimTypeRules.add_Click($buttonCreateClaimTypeRules_Click)
#endregion Generated Form Code
#----------------------------------------------
#Save the initial state of the form
$InitialFormWindowState = $MainForm.WindowState
#Init the OnLoad event to correct the initial state of the form
$MainForm.add_Load($Form_StateCorrection_Load)
#Clean up the control events
$MainForm.add_FormClosed($Form_Cleanup_FormClosed)
#Store the control values when form is closing
$MainForm.add_Closing($Form_StoreValues_Closing)
#Show the Form
return $MainForm.ShowDialog()
}
#endregion
#region Call-Global_ps1
#--------------------------------------------
# Declare Global Variables and Functions here
#--------------------------------------------
#Sample function that provides the location of the script
function Get-ScriptDirectory
{
if($hostinvocation -ne $null)
{
Split-Path $hostinvocation.MyCommand.path
}
else
{
Split-Path $script:MyInvocation.MyCommand.Path
}
}
#Sample variable that provides the location of the script
[string]$ScriptDirectory = Get-ScriptDirectory
#endregion
#Start the application
Main ($CommandLine)
运行效果如下,由于是测试环境,没有安装ADFS服务,所以无法正常使用:
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2016-11-30 08:36:59
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡