MICROSOFT 70-412: OBJECTIVE 2.2.1 – Configure user and device claim types

A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller (claims require a Windows Server 2012 or later domain controller). These are very often attributes that you find if you open the properties of an object in Active Directory: a user's title, department or location can be defined as claims, and so can the department classification of a file or the health state of a computer. A single entity can carry more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:

  • User claims   Active Directory attributes that are associated with a specific user.
  • Device claims   Active Directory attributes that are associated with a specific computer object.
  • Resource attributes  Global resource properties that are marked for use in authorization decisions and published in Active Directory.

Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.

Creating a Claim:

  1. Open the Active Directory Administrative Center and select Dynamic Access Control from the list on the left:

    [Screenshot: Active Directory Administrative Center, Dynamic Access Control node]

  2. Right-click Claim Types and select New:
    [Screenshot: New Claim Type]
  3. Select the attribute you want to use as the source of the claim. Keeping the example used when I introduced Dynamic Access Controls, we create a claim based on the department the user works in: Finance. Give the claim a display name, tick whether it applies to User objects, Computer objects or both, and optionally add suggested values so that rule authors pick from a fixed list instead of typing free text.
    [Screenshot: New Claim Type, selecting the source attribute]
  4. To keep with the scenario, I'm going to add a claim for office location (Office) and the AD VDI container:
    [Screenshot: New Claim Type, Office claim]
  5. Click OK. The new claim type is stored in the Claim Types container under Claims Configuration in the Configuration partition, so it replicates to every domain controller in the forest.
  6. Reference the claim in a central access rule or in a conditional ACE on a resource, and profit!

You create claims to meet the business objectives for securing data; the actual attributes you use to achieve that goal will probably be very different from the ones in this scenario, but I hope this shows the power and flexibility that setting up claims gives you.

PowerShell:
The claim type cmdlets live in the ActiveDirectory module (available on a domain controller or wherever RSAT is installed): New-ADClaimType, Get-ADClaimType, Set-ADClaimType and Remove-ADClaimType.
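The scenario from the walkthrough done with those cmdlets instead of the Administrative Center, as an added example that is not part of the original post. It assumes you run it as a Domain Admin on a Windows Server 2012 or later domain controller (or a machine with RSAT), and it uses the LDAP attribute names department and physicalDeliveryOfficeName; the claim display names, suggested values and descriptions are my own choices for the example.

```powershell
# Added example (not from the original post): create, inspect, disable and remove
# the claim types from the scenario with the ActiveDirectory module.
# Assumptions: run as Domain Admin (claim types live in the Configuration partition);
# the attribute names below match the scenario. Names and values are illustrative.
Import-Module ActiveDirectory

# 1. A user claim sourced from the 'department' attribute, with suggested values.
#    Suggested values give rule authors a pick-list; -RestrictValues additionally
#    drops any department string that is not on that list when the claim is issued,
#    so a typo in an account's attribute cannot produce an unexpected claim value.
$deptValues = @(
    (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", "Finance department")),
    (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HR", "Human Resources", "HR department"))
)
New-ADClaimType -DisplayName "Department" `
    -SourceAttribute "department" `
    -AppliesToClasses @("user") `
    -SuggestedValues $deptValues `
    -RestrictValues $true `
    -Description "Department the user works in (from the department attribute)"

# 2. A claim for office location. The LDAP attribute behind the 'Office' field in
#    the AD Users and Computers UI is physicalDeliveryOfficeName, not 'office'.
#    Applying it to both classes lets the same claim be used as a user claim and
#    as a device claim in a rule such as (User.Office == Device.Office).
New-ADClaimType -DisplayName "Office" `
    -SourceAttribute "physicalDeliveryOfficeName" `
    -AppliesToClasses @("user", "computer") `
    -Description "Office location of the user or device"

# 3. Read the claim types back. ValueType shows what comparison a rule can do
#    (string, integer, boolean ...) and AppliesToClasses whether it is a user
#    claim, a device claim, or both.
Get-ADClaimType -Filter * |
    Format-Table DisplayName, SourceAttribute, ValueType, AppliesToClasses, Enabled -AutoSize

# 4. Disable (rather than delete) a claim that central access rules may still
#    reference; a disabled claim simply stops being issued.
Get-ADClaimType -Filter 'DisplayName -eq "Office"' |
    Set-ADClaimType -Enabled $false

# 5. Removal. If the claim type is protected from accidental deletion (the
#    Administrative Center default), Remove-ADClaimType fails with "Access is denied"
#    until the flag is cleared; clearing it first is harmless otherwise.
Get-ADClaimType -Filter 'DisplayName -eq "Office"' |
    Set-ADClaimType -ProtectedFromAccidentalDeletion $false
Get-ADClaimType -Filter 'DisplayName -eq "Office"' |
    Remove-ADClaimType -Confirm:$false
```

Defining a claim type does not by itself put anything in a ticket. Domain controllers only add user and device claims to the Kerberos PAC once the Group Policy setting "KDC support for claims, compound authentication and Kerberos armoring" (Computer Configuration, Administrative Templates, System, KDC) is enabled, and clients need the matching "Kerberos client support for claims, compound authentication and Kerberos armoring" setting under System, Kerberos. After a fresh logon on a Windows 8 or Windows Server 2012 member, run whoami /claims to confirm the Department and Office claims were actually issued before you build access rules that depend on them.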
