Nov 24 2017 01:48 AM
Hi there,
I have a requirement to check wether a user is trying to authenticate against my ADFS farm using a domain joined device or not and dependent on that set actions.
My question now is how to check on the ADFS side if the device is domain joined or not?
Hope anyone can help me with this...
Nov 24 2017 11:05 AM
The method used by Microsoft is to detect the (primary) group membership of the device and check whether it's a member of the "Domain Computers" group. This is the claims rule they use, where the "-515" regex check is against the "well-known" objectSID of the "Domain Computers" group.
@RuleName = "Issue account type for domain joined computers" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");
Nov 26 2017 11:18 PM
Thanks!
And how can I now implement a rule that if it is a domain joined device it should be asked for certificate based auth as a second factor and all mobile devices should go for Azure MFA?
Nov 26 2017 11:44 PM
Look at the Additional Authentication Rules functionality for that and add a rule that will force domain joined machines to perform MFA on-premises. There is no way to enforce specific MFA method however, the user will be able to use any of the configured ones.
Nov 26 2017 11:46 PM
So that means that I cannot enforce laptops to present a certificate while iPhones should go for the Azure MFA authentication at the same time?
Nov 26 2017 11:51 PM
You shouls use the "isregistered" claims, like this:
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "false"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
Value = "http://schemas.microsoft.com/claims/multipleauthn");
Please check this post
Nov 27 2017 12:31 AM
But how to tell ADFS that all Windows 10 laptops should present a certificate along with all iPhones should go for SMS or phone call provided by Azure MFA?
Nov 27 2017 12:40 AM
"registered" device is different from domain-joined though. And again, as I mentioned you cannot force a specific method. One way to handle this would be to force MFA on-premises for all DJ devices and have CBA configured there. For any non-domain joined devices, only enforce MFA in the cloud. You'll have to make sure the relevant claims are sent in order to avoid double MFA though. Definitely some testing needed to get this right :)
Nov 27 2017 12:45 AM
Well if that's the case we will need to find a different solution probably, but thanks anyhow I will maybe configure that in a dev environment...