Forum Discussion
Azure AD / AD FS Conditional Access - Known Devices
- Dec 06, 2017
In essence yes. I don't want users to be prompted for credentials when the device is unknown (and therefore in an unknown state). I was hoping that a claim built around isKnown would achieve this but it looks like that only kicks in after user authentication.
The reason for the requirement is avoiding users entering credentials that could be captured by a keyboard logger. If the device is not known to Azure AD, the risk is higher than a device that is known and in a compliant state.
Paul
Hi Paul -
There isn't any way to do this. Until the service knows who the user is, the conditional access system can't figure out which policy to apply as all policies apply to users or groups of users.
Regards,
Alex
- Paul Bendall, Dec 06, 2017, Iron Contributor
Thanks for the confirmation.
Device pre-auth would be very useful as a future feature so as not to expose corporate credentials on unknown devices. For now I can probably look to do something with Azure MFA as primary / secondary auth. to overcome the security concern.
Again thanks as always
Paul