SOLVED
Home

Azure AD / AD FS Conditional Access - Known Devices

%3CLINGO-SUB%20id%3D%22lingo-sub-134563%22%20slang%3D%22en-US%22%3EAzure%20AD%20%2F%20AD%20FS%20Conditional%20Access%20-%20Known%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-134563%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20done%20quite%20a%20bit%20of%20searching%20but%20can't%20find%20a%20definitive%20answer%20to%20my%20requirement.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20a%20device%20(Windows%2010%20PC%20or%20iOS)%20is%20unknown%2C%20because%20it%20hasn't%20been%20domain%20joined%2C%20hybrid%20joined%20or%20managed.%20Is%20it%20possible%20to%20avoid%20prompting%20for%20credentials%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20my%20test%20environment%20Azure%20AD%20is%20setup%20with%20O365%20and%20federated%20to%20an%20AD%20FS%20Server%20(2016).%20If%20I%20set%20the%20Conditional%20Access%20requirement%20in%20Azure%20AD%20for%20domain%20joined%20my%20expectation%20is%20the%20process%20would%20fail%20if%20the%20machine%20being%20used%20is%20not%20known%20to%20Azure%20AD.%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20my%20testing%20Azure%20AD%20redirects%20me%20to%20my%20ADFS%20server%20which%20presents%20Form%20Based%20Authentication%20page%20(which%20I%20don't%20want).%20If%20I%20do%20enter%20my%20credentials%20then%20I%20get%20a%20denied%20but%20this%20is%20after%20user%20auth.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20solution%20I'm%20trying%20to%20arrive%20at%20is%20that%20a%20user%20is%20only%20prompted%20for%20credentials%20when%20the%20device%20is%20known.%20Later%20I'd%20add%20another%20condition%20whereby%20if%20the%20location%20is%20known%20(corporate%20network)%20then%20the%20device%20doesn't%20need%20to%20be%20known%20so%20that%20it%20can%20be%20onboarded.%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20my%20config%20somehow%20wrong%2C%20or%20is%20what%20I%20am%20trying%20to%20do%20not%20possible%3F%3CBR%20%2F%3E%3CBR%20%2F%3EMT%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPaul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-134563%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-134824%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20%2F%20AD%20FS%20Conditional%20Access%20-%20Known%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-134824%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F100775%22%20target%3D%22_blank%22%3E%40Alex%20Simons%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20the%20confirmation.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDevice%20pre-auth%20would%20be%20very%20useful%20as%20a%20future%20feature%20so%20as%20not%20to%20expose%20corporate%20credentials%20on%20unknown%20devices.%20For%20now%20I%20can%20probably%20look%20to%20do%20something%20with%20Azure%20MFA%20as%20primary%20%2F%20secondary%20auth.%20to%20overcome%20the%20security%20concern.%3CBR%20%2F%3E%3CBR%20%2F%3EAgain%20thanks%20as%20always%3CBR%20%2F%3E%3CBR%20%2F%3EPaul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-134813%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20%2F%20AD%20FS%20Conditional%20Access%20-%20Known%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-134813%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Paul%20-%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20isn't%20any%20way%20to%20do%20this.%20Until%26nbsp%3Bthe%20service%20knows%20who%20the%20user%20is%2C%20the%20conditional%20access%20system%20can't%20figure%20out%20which%20policy%20to%20apply%20as%20all%20policies%26nbsp%3Bapply%20to%20users%20or%20groups%20of%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%2C%3C%2FP%3E%0A%3CP%3EAlex%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-134762%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20%2F%20AD%20FS%20Conditional%20Access%20-%20Known%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-134762%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20essence%20yes.%20I%20don't%20want%20users%20to%20be%20prompted%20for%20credentials%20when%20the%20device%20is%20unknown%20(and%20therefore%20in%20an%20unknown%20state).%20I%20was%20hoping%20that%20a%20claim%20built%20around%20isKnown%20would%20achieve%20this%20but%20it%20looks%20like%20that%20only%20kicks%20in%20after%20user%20authentication.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20reason%20for%20the%20requirement%20is%20avoiding%20users%20entering%20credentials%20that%20could%20be%20captured%20by%20a%20keyboard%20logger.%20If%20the%20device%20is%20not%20known%20to%20Azure%20AD%20the%20risk%20is%20higher%20than%20a%20device%20that%20is%20known%20and%20in%20a%20compliant%20state%3CBR%20%2F%3E%3CBR%20%2F%3EPaul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-134733%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20%2F%20AD%20FS%20Conditional%20Access%20-%20Known%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-134733%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20you%20want%20to%20immediately%20display%20a%20%22login%20failure%22%20for%20such%20devices%3F%20I%20guess%20you%20can%20configure%20certificate-based%20auth%20as%20the%20primary%20factor%20and%20disable%20WIA%2FFBA%20on%20the%20extranet%2C%20so%20that%20devices%20that%20don't%20have%20certificate%20provisioned%20will%20fail%20immediately.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Paul Bendall
Contributor

I've done quite a bit of searching but can't find a definitive answer to my requirement.

If a device (Windows 10 PC or iOS) is unknown, because it hasn't been domain joined, hybrid joined or managed. Is it possible to avoid prompting for credentials?

In my test environment Azure AD is setup with O365 and federated to an AD FS Server (2016). If I set the Conditional Access requirement in Azure AD for domain joined my expectation is the process would fail if the machine being used is not known to Azure AD.

In my testing Azure AD redirects me to my ADFS server which presents Form Based Authentication page (which I don't want). If I do enter my credentials then I get a denied but this is after user auth.

The solution I'm trying to arrive at is that a user is only prompted for credentials when the device is known. Later I'd add another condition whereby if the location is known (corporate network) then the device doesn't need to be known so that it can be onboarded.

Is my config somehow wrong, or is what I am trying to do not possible?

MT

 

Paul

4 Replies

So you want to immediately display a "login failure" for such devices? I guess you can configure certificate-based auth as the primary factor and disable WIA/FBA on the extranet, so that devices that don't have certificate provisioned will fail immediately.

In essence yes. I don't want users to be prompted for credentials when the device is unknown (and therefore in an unknown state). I was hoping that a claim built around isKnown would achieve this but it looks like that only kicks in after user authentication.

 

The reason for the requirement is avoiding users entering credentials that could be captured by a keyboard logger. If the device is not known to Azure AD the risk is higher than a device that is known and in a compliant state

Paul

Solution

Hi Paul -

 

There isn't any way to do this. Until the service knows who the user is, the conditional access system can't figure out which policy to apply as all policies apply to users or groups of users.

 

Regards,

Alex

 

 

@Alex Simons

 

Thanks for the confirmation. 

 

Device pre-auth would be very useful as a future feature so as not to expose corporate credentials on unknown devices. For now I can probably look to do something with Azure MFA as primary / secondary auth. to overcome the security concern.

Again thanks as always

Paul

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
38 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies