BartWullems's blog is a platform for sharing insights and expertise in Microsoft technologies, software development best practices, and programming tutorials. Through articles, code samples, and technical discussions, BartWullems offers insights into building scalable, maintainable, and performant software applications using Microsoft technologies such as .NET, Azure, and Visual Studio. Readers can learn about design patterns, development techniques, and tooling recommendations to enhance their skills and productivity as Microsoft developers. Additionally, BartWullems provides updates on the latest developments in Microsoft ecosystem, community events, and industry trends to help developers stay informed and engaged in the Microsoft developer community.

The Art of Simplicity

When implementing MFA with Active Directory Federation Services (ADFS), choosing between classic authorization rules and modern access control policies significantly impacts maintainability. Authorization rules use a proprietary claim rule language, are per-trust only, and become hard to manage at scale. Access control policies, introduced in Windows Server 2016, offer reusable named policy objects with structured conditions including built-in MFA enforcement. The two mechanisms are mutually exclusive on a single relying party trust, so migration must be planned carefully. For any new MFA rollout, access control policies are the recommended approach due to their reusability, auditability, and cleaner abstraction.

ADFS policies vs authorization rules

Authorization rules: the classic approach

Access control policies: the modern approach