Forum Discussion
ADFS Claim Rule to detect domain joined devices
The method used by Microsoft is to detect the (primary) group membership of the device and check whether it's a member of the "Domain Computers" group. This is the claims rule they use, where the "-515" regex check is against the "well-known" objectSID of the "Domain Computers" group.
@RuleName = "Issue account type for domain joined computers"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid",
   Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");

Thanks!
And how can I now implement a rule that if it is a domain joined device it should be asked for certificate based auth as a second factor and all mobile devices should go for Azure MFA?
- VasilMichev, Nov 26, 2017 (MVP)
Look at the Additional Authentication Rules functionality for that and add a rule that will force domain joined machines to perform MFA on-premises. There is no way to enforce specific MFA method however, the user will be able to use any of the configured ones.
- Stephan Bisser, Nov 26, 2017 (Brass Contributor)
So that means that I cannot enforce laptops to present a certificate while iPhones should go for the Azure MFA authentication at the same time?
- Pablo Ortiz Baiardo, Nov 26, 2017 (Copper Contributor)
You should use the "isregistered" claims, like this:
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
Please check https://blogs.msdn.microsoft.com/ramical/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-adfs-part-1-policy/
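Putting the two answers above together (the Additional Authentication Rules mechanism and the isregistereduser rule), here is an added PowerShell example, not from any poster in this thread, that installs that rule as the global additional authentication rule on an AD FS server and reads it back; the backup path is an assumption.

```powershell
# Added example: apply the "no registered device -> require MFA" claim rule as the
# global AD FS Additional Authentication Rule. Run on an AD FS server as an AD FS admin.
Import-Module ADFS

# Claim rule from the thread: users on devices that are not registered/domain joined
# must present a second factor (multipleauthn). The method itself is whichever MFA
# providers are enabled globally, not a specific one per device type.
$rule = @'
@RuleName = "Require MFA when the device is not registered"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Show which additional authentication providers are currently enabled; the user can
# complete the second factor with any of these (certificate, Azure MFA, ...).
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider

# Keep a copy of the existing rule text so the change can be reverted.
# Backup path is an assumption; adjust to your own location.
$backup = Join-Path $env:TEMP "adfs-additional-auth-rules.bak"
Get-AdfsAdditionalAuthenticationRule | Out-File -FilePath $backup -Encoding UTF8

# Apply globally (all relying parties). To scope the rule to a single relying party
# instead, use:
#   Set-AdfsRelyingPartyTrust -TargetName "<RP display name>" -AdditionalAuthenticationRules $rule
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# Verify the stored rule text matches what was applied.
Get-AdfsAdditionalAuthenticationRule
```

Test against a registered and an unregistered device before rolling out, since the rule only fires when the isregistereduser claim is actually issued as "false".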