Hybrid Azure AD Join (with ADFS present) question about SCP


Configure hybrid Azure Active Directory join for federated domains | Microsoft Docs


The article above has got me curious and I can't find an answer to my questions.  I've also opened an issue on GitHub, and have read as many blog articles as I can find, but all that I've found just repeat the info that is stated in the Docs article.


In the section Configure hybrid Azure AD join step 6.b states:


Select the authentication service. You must select AD FS server unless your organization has exclusively Windows 10 clients and you have configured computer/device sync, or your organization uses seamless SSO.

So then, let's say we have all Windows 10, the statement leaves two possibilities:

  1. We also have setup Seamless SSO (I assume this means Azure AD Connect's checkbox and related configuration via GPO)
  2. We have not setup Seamless SSO, and instead are taking advantage of Windows 10's Primary Refresh Token capability (link)

I can understand that if we fall into #1, then we need to select our ADFS for the Authentication Service. But why is that? SSSO involves automatic logon to an internet (Microsoft/Azure AD) URL; it doesn't involve ADFS. For ADFS' own SSO to work, the ADFS STS URL (or FQDN) needs to be added to the Local Intranet zone, which needs to be configured for automatic logon. So SSSO and ADFS SSO are two different things. Therefore, it's not clear why SSSO has any bearing on this choice for the SCP config's Authentication Service. What is the reason for this?


Next, if we fall into #2 (no SSSO configured in AAD Connect (and related additional config that goes with it)), why might we choose ADFS over Azure AD? Similarly, why might we choose Azure AD over ADFS?


There is one other part of the article that is also unclear to me, again related to the Authentication Service. If we have the Authentication Service set to use Azure AD, do we still need to worry about this ADFS-based prerequisite?


A federated environment should have an identity provider that supports the following requirements. If you have a federated environment using Active Directory Federation Services (AD FS), then the below requirements are already supported.

WIAORMULTIAUTHN claim: This claim is required to do hybrid Azure AD join for Windows down-level devices.
WS-Trust protocol: This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD. When you're using AD FS, you need to enable the following WS-Trust endpoints:
  /adfs/services/trust/2005/windowstransport
  /adfs/services/trust/13/windowstransport
  /adfs/services/trust/2005/usernamemixed
  /adfs/services/trust/13/usernamemixed
  /adfs/services/trust/2005/certificatemixed
  /adfs/services/trust/13/certificatemixed

Specifically the WS-Trust protocol. If the SCP / Authentication Service is pointing to Azure AD, I'm unsure if this requirement is still relevant. I assume the answer to this last part is yes, and the reason for that assumption is the Office 365 relying party trust claim rules that need to be added to support HAADJ. Not sure though if I'm correct on this assumption or not.


Does anyone happen to have clarity around this that you can share with me?


Thanks in advance.

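As an added example that is not part of the original post, the PowerShell below reads the device registration SCP that the Azure AD Connect wizard writes into the forest's configuration partition, reports which registration target its keywords name, and, when AD FS is the target, checks the six WS-Trust endpoints quoted in the post. It also flags a hardening point a practitioner would want here: windowstransport published through the Web Application Proxy, which Microsoft's AD FS security guidance recommends against. Assumptions: it runs as a domain user on a domain-joined host, the AD FS cmdlets (Get-AdfsEndpoint, Enable-AdfsEndpoint, Set-AdfsEndpoint) run on or in a remote session to an AD FS server, contoso.com and tenant values are placeholders, and the reading of the enterpriseDrsName keyword as "clients are pointed at an on-premises DRS, i.e. AD FS" is the editor's assumption, not something the post states.

```powershell
# Added example, not from the original post. Reads the Azure AD device registration SCP
# from the AD configuration partition, reports which registration target its keywords
# name, and (when AD FS is in play) checks the WS-Trust endpoints quoted in the post.
# Assumes: domain user on a domain-joined host; the AD FS cmdlets run on (or in a remote
# session to) an AD FS server. Domain/tenant values are placeholders.

# Well-known GUID of the device registration SCP under CN=Services in the configuration NC.
$ScpRdn = 'CN=62a0ff2e-97b9-4c0b-a5bc-8a20dfd6a5c1,CN=Device Registration Configuration,CN=Services'

# The six WS-Trust address paths quoted in the post.
$RequiredWsTrust = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/2005/certificatemixed',
    '/adfs/services/trust/13/certificatemixed'
)

function ConvertFrom-ScpKeywords {
    # keywords is multi-valued; each value is 'name:value', e.g. 'azureADName:contoso.com'.
    param([string[]]$Keywords)
    $parsed = @{}
    foreach ($kw in $Keywords) {
        $name, $value = $kw -split ':', 2
        if ($name -and $value) { $parsed[$name.Trim()] = $value.Trim() }
    }
    [pscustomobject]@{
        AzureADName       = $parsed['azureADName']        # tenant's verified domain
        AzureADId         = $parsed['azureADId']          # tenant ID (GUID)
        # Assumption: enterpriseDrsName is what points clients at an on-premises DRS (AD FS).
        EnterpriseDrsName = $parsed['enterpriseDrsName']
    }
}

function Get-DeviceRegistrationScp {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scp = [ADSI]"LDAP://$ScpRdn,$configNc"
    try { $keywords = @($scp.keywords) }
    catch { throw "SCP not found at $ScpRdn,$configNc : $_" }
    $parsed = ConvertFrom-ScpKeywords -Keywords $keywords
    $parsed | Add-Member -NotePropertyName DistinguishedName `
                         -NotePropertyValue ([string]$scp.distinguishedName) -PassThru
}

function Test-AdfsWsTrustEndpoints {
    # Requires the ADFS module. Returns one row per required path.
    $all = Get-AdfsEndpoint
    foreach ($path in $RequiredWsTrust) {
        $ep = $all | Where-Object { $_.AddressPath -eq $path }
        $extranetWindows = [bool]($ep -and $ep.Proxy -and $path -like '*/windowstransport')
        [pscustomobject]@{
            AddressPath = $path
            Enabled     = [bool]($ep -and $ep.Enabled)
            Proxy       = [bool]($ep -and $ep.Proxy)
            # Hardening note: keep windowstransport intranet-only; publishing it through the
            # proxy exposes Windows-integrated auth (and lockout/spray surface) to the internet.
            Flag        = if ($extranetWindows) { 'windowstransport published to extranet' } else { '' }
        }
    }
}

function Repair-AdfsWsTrustEndpoints {
    # Enables any missing required endpoint and unpublishes windowstransport from the proxy.
    foreach ($row in Test-AdfsWsTrustEndpoints) {
        if (-not $row.Enabled) { Enable-AdfsEndpoint -TargetAddressPath $row.AddressPath }
        if ($row.Flag)         { Set-AdfsEndpoint -TargetAddressPath $row.AddressPath -Proxy $false }
    }
    Restart-Service adfssrv   # endpoint changes take effect after an AD FS service restart
}

function Get-ClientJoinState {
    # Parses the fields of 'dsregcmd /status' that matter for hybrid join on a Windows 10 client.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName|TenantId|DeviceAuthStatus)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$state
}

# Usage (run the SCP and client parts anywhere in the domain, the AD FS part on the farm):
$scp = Get-DeviceRegistrationScp
$scp | Format-List
if ($scp.EnterpriseDrsName) {
    # SCP points clients at on-premises DRS (AD FS): verify the WS-Trust endpoints.
    Test-AdfsWsTrustEndpoints | Format-Table -AutoSize
}
Get-ClientJoinState | Format-List
```

Two practical notes. The tenant ID read from the SCP (azureADId) should match the tenant the clients end up in; a mismatch is the usual cause of devices registering against the wrong tenant in multi-tenant or migrated forests, so compare it with TenantId from dsregcmd on a joined client. And if you would rather not write the SCP into the forest while piloting, Windows 10 clients accept the same two values from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD (TenantId and TenantName), which Microsoft documents as the controlled-validation path for hybrid join.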