I've done quite a bit of searching but can't find a definitive answer to my requirement.
If a device (Windows 10 PC or iOS) is unknown, because it hasn't been domain joined, hybrid joined or managed. Is it possible to avoid prompting for credentials?
In my test environment Azure AD is setup with O365 and federated to an AD FS Server (2016). If I set the Conditional Access requirement in Azure AD for domain joined my expectation is the process would fail if the machine being used is not known to Azure AD.
In my testing Azure AD redirects me to my ADFS server which presents Form Based Authentication page (which I don't want). If I do enter my credentials then I get a denied but this is after user auth.
The solution I'm trying to arrive at is that a user is only prompted for credentials when the device is known. Later I'd add another condition whereby if the location is known (corporate network) then the device doesn't need to be known so that it can be onboarded.
Is my config somehow wrong, or is what I am trying to do not possible?
So you want to immediately display a "login failure" for such devices? I guess you can configure certificate-based auth as the primary factor and disable WIA/FBA on the extranet, so that devices that don't have certificate provisioned will fail immediately.
In essence yes. I don't want users to be prompted for credentials when the device is unknown (and therefore in an unknown state). I was hoping that a claim built around isKnown would achieve this but it looks like that only kicks in after user authentication.
The reason for the requirement is avoiding users entering credentials that could be captured by a keyboard logger. If the device is not known to Azure AD the risk is higher than a device that is known and in a compliant state
Device pre-auth would be very useful as a future feature so as not to expose corporate credentials on unknown devices. For now I can probably look to do something with Azure MFA as primary / secondary auth. to overcome the security concern.