Forum Discussion
ADFS Claim Rule to detect domain joined devices
Thanks!
And how can I now implement a rule so that, if it is a domain-joined device, it is asked for certificate-based auth as a second factor, and all mobile devices go for Azure MFA?
Look at the Additional Authentication Rules functionality for that and add a rule that will force domain-joined machines to perform MFA on-premises. There is no way to enforce a specific MFA method, however; the user will be able to use any of the configured ones.
- Stephan Bisser, Nov 26, 2017, Brass Contributor
So that means that I cannot enforce laptops to present a certificate while iPhones should go for the Azure MFA authentication at the same time?
- Pablo Ortiz Baiardo, Nov 26, 2017, Copper Contributor
You should use the "isregistered" claim, like this:
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "false"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
Value = "http://schemas.microsoft.com/claims/multipleauthn");
Please check https://blogs.msdn.microsoft.com/ramical/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-adfs-part-1-policy/
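As an added example (not from the thread), this is how such a device-based rule is applied as the farm's global Additional Authentication Rules with the ADFS PowerShell module. It uses the NOT EXISTS form so that the rule also fires when the isregistereduser claim is absent rather than "false", which is an assumption about how the device claim is issued; the relying-party-scoped variant is shown as an alternative.

```powershell
# Run in an elevated session on a federation server; requires the ADFS module.
Import-Module ADFS

# Claim rule in ADFS claim rule language:
# if no claim says the device is a registered (workplace/domain-joined) device,
# issue the multipleauthn authentication method, which triggers the MFA step.
# The rule only demands "an additional factor"; which provider (certificate,
# Azure MFA, ...) the user picks cannot be pinned down here, as noted above.
$rule = @'
@RuleName = "Require MFA for unregistered devices"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Record what is currently in place before changing anything
Write-Host "Current global additional authentication rules:"
Get-AdfsAdditionalAuthenticationRule

# Apply the rule globally (applies to every relying party)
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# Alternative: scope the rule to one relying party instead of the whole farm.
# "Contoso App" is a placeholder relying party display name (assumption).
# Set-AdfsRelyingPartyTrust -TargetName "Contoso App" -AdditionalAuthenticationRules $rule

# Verify the change took effect
Write-Host "New global additional authentication rules:"
Get-AdfsAdditionalAuthenticationRule
```

Test with a registered and an unregistered device against a test relying party before applying it farm-wide, and keep the output of the first Get-AdfsAdditionalAuthenticationRule call so the previous policy can be restored.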
- Stephan Bisser, Nov 27, 2017, Brass Contributor
But how do I tell ADFS that all Windows 10 laptops should present a certificate, while all iPhones should go for SMS or a phone call provided by Azure MFA?