Forum Discussion

Stephan Bisser
Brass Contributor
Nov 24, 2017

ADFS Claim Rule to detect domain joined devices

Hi there,

I have a requirement to check whether a user is trying to authenticate against my ADFS farm using a domain-joined device or not and, depending on that, set actions.

My question now is how to check on the ADFS side if the device is domain joined or not?


Hope anyone can help me with this...

8 Replies

  • The method used by Microsoft is to detect the (primary) group membership of the device and check whether it's a member of the "Domain Computers" group. This is the claims rule they use, where the "-515" regex check is against the "well-known" objectSID of the "Domain Computers" group.

    @RuleName = "Issue account type for domain joined computers"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid",
       Value =~ "-515$",
       Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
     => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");
    • Stephan Bisser
      Brass Contributor

      Thanks!

      And how can I now implement a rule so that, if it is a domain-joined device, it is asked for certificate-based auth as a second factor, and all mobile devices go for Azure MFA?

      • VasilMichev
        MVP

        Look at the Additional Authentication Rules functionality for that and add a rule that will force domain-joined machines to perform MFA on-premises. There is no way to enforce a specific MFA method, however; the user will be able to use any of the configured ones.
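What such an Additional Authentication Rule can look like, as an added example that is not part of the thread: it reuses the accounttype/DJ claim issued by the rule in the first reply and assumes that claim is available when additional authentication rules are evaluated; the cmdlets are the standard AD FS PowerShell ones, and Set-AdfsAdditionalAuthenticationRule replaces the whole rule set, so existing rules have to be carried over.

```powershell
# Added example (not from the thread): an AD FS Additional Authentication Rule that
# demands a second factor when the device-type claim from the first reply is "DJ".
# Assumptions: the "Issue account type for domain joined computers" rule is in place
# and its accounttype/DJ claim is present when additional authentication rules run.
# Run in an elevated PowerShell session on an AD FS server.

# A DJ accounttype claim issues the "multipleauthn" authentication-method claim, which
# is how AD FS is told to require one of the enabled additional providers.
$djMfaRule = @'
@RuleName = "Require MFA for domain-joined devices"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Check what is already configured before overwriting: the Set cmdlet replaces the
# complete rule set, so any existing rules are prepended to keep them active.
$existing = Get-AdfsAdditionalAuthenticationRule
if ($existing -and $existing -notmatch 'accounttype') {
    $djMfaRule = $existing.TrimEnd() + "`r`n" + $djMfaRule
}

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $djMfaRule

# The rule only says "a second factor is required"; which factor the user may pick is
# governed by the enabled providers (as the reply notes), so review that list too.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```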
