ADFS Claims depending on multiple conditions such as group membership and password expiry

In this post I will quickly demonstrate how to issue an ADFS claim that depends on two different conditions. This specific case is about the password expiry claims, which we only want to send for users who are members of a specific Active Directory group.

First we need to add an Issuance Transform Rule where we choose Send Claims Using a Custom Rule. The main purpose of this rule is to get all groups for the current user from Active Directory. In this scenario we named it Get all groups for user.

After the first rule we need to add a second Custom Rule.

It will check two things: first it will look for a specific group (in this scenario specified as AD GROUP, but this needs to be changed to match your specific group) among the group claims populated by the first rule, matched as variable c. Second it will check for the passwordexpirationtime claim and match it as variable c1. Please note that there is a 14 day window for passwordexpirationtime, so the claim is only populated if the password is expiring within 14 days. In this scenario we named the rule Pass through password expiry info to selected users.

If the AD group matches and the passwordexpirationtime claim is populated, an expiry notification will be shown to the user in the supported applications.

So if the user logging in is a member of the group AD GROUP and the password will expire in 14 days or less, a notification will be shown as in the picture below.
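The two rules described above, written out in the AD FS claim rule language and attached to a relying party trust with the AD FS PowerShell module. This is an added example and not the rule text from the original post; the relying party name and the group value are placeholders, and the claim type URIs are the standard ones used by the AD FS "Get all groups" template and the password expiry claims.

```powershell
# Added example (not from the original post): the two custom issuance transform
# rules described above, in the AD FS claim rule language, appended to a
# relying party trust with the AD FS PowerShell module.
# Assumptions (placeholders): the relying party is named "Contoso App" and the
# group is "CONTOSO\Password Expiry Users".

$relyingParty = 'Contoso App'                     # placeholder: your RP trust display name
$groupValue   = 'CONTOSO\Password Expiry Users'   # placeholder: DOMAIN\Group as the tokenGroups query returns it

# Rule 1 - "Get all groups for user": query the Active Directory attribute store
# for the user's tokenGroups and add them to the claims pipeline as Group claims.
# add() keeps them internal to the pipeline; they are not sent to the application.
$getGroupsRule = @'
@RuleName = "Get all groups for user"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Rule 2 - "Pass through password expiry info to selected users": fires only when
# both conditions hold. c matches the Group claim added by rule 1; c1 matches the
# passwordexpirationtime claim that AD FS populates for passwords expiring within
# 14 days. Only c1 is issued, so the group list itself never leaves AD FS.
$passThroughRule = @"
@RuleName = "Pass through password expiry info to selected users"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "$groupValue"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
 => issue(claim = c1);
"@

# -IssuanceTransformRules replaces the whole rule set for the trust, so read the
# existing rules first and append the two new ones in order: rule 1 must run
# before rule 2, because rule 2 consumes the claims that rule 1 adds.
$existing = (Get-AdfsRelyingPartyTrust -Name $relyingParty).IssuanceTransformRules
$newRules = ($existing, $getGroupsRule, $passThroughRule) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $relyingParty -IssuanceTransformRules $newRules

# Verify: show the rule set now attached to the trust.
(Get-AdfsRelyingPartyTrust -Name $relyingParty).IssuanceTransformRules
```

The same rule text can be pasted directly into the Custom rule box of the Add Transform Claim Rule Wizard instead of being applied with PowerShell. Two things to check in a test environment before relying on it: the group value must match the exact form the tokenGroups query produces (normally DOMAIN\GroupName), otherwise rule 2 silently never fires, and the rule order must be preserved, since reversing the two rules also results in no claim being issued.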

Update 2019-10-31

It is possible to achieve this with just one Custom Rule, according to Microsoft documentation.


If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.