ADFS Claim Rule to detect domain joined devices

Hi there,

I have a requirement to check whether a user is trying to authenticate against my ADFS farm using a domain joined device or not and dependent on that set actions.

My question now is how to check on the ADFS side if the device is domain joined or not?

Hope anyone can help me with this...

8 Replies

The method used by Microsoft is to detect the (primary) group membership of the device and check whether it's a member of the "Domain Computers" group. This is the claims rule they use, where the "-515" regex check is against the "well-known" objectSID of the "Domain Computers" group.

@RuleName = "Issue account type for domain joined computers"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid",
   Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");
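
Added example, not part of the original thread: a Python model of the two conditions in the rule above, run over constructed claim sets to show which accounts receive the "DJ" claim and why the Issuer filter matters. The domain SID, the sample claims, the partner issuer URL and the function names are made up for illustration.

```python
import re

# Claim types copied from the rule quoted in the post above.
PRIMARY_GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid"
ACCOUNT_TYPE = "http://schemas.microsoft.com/ws/2012/01/accounttype"

# The rule's two "=~" conditions are regex matches.
VALUE_RE = re.compile(r"-515$")  # RID 515 = Domain Computers
ISSUER_RE = re.compile(r"^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$")


def issue_account_type(claims):
    """Return the claims this model of the rule issues for one claim set.

    Each input claim is a (type, value, issuer) tuple (hypothetical shape).
    """
    issued = []
    for ctype, value, issuer in claims:
        if (ctype == PRIMARY_GROUP_SID
                and VALUE_RE.search(value)
                and ISSUER_RE.search(issuer)):
            issued.append((ACCOUNT_TYPE, "DJ"))
    return issued


# Constructed sample input; the domain SID is not a real one.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
PARTNER = "http://partner.example/adfs/services/trust"
SAMPLES = {
    # Computer account with the default primary group.
    "workstation": [(PRIMARY_GROUP_SID, DOMAIN + "-515", "AD AUTHORITY")],
    # User account: primary group Domain Users (RID 513).
    "user": [(PRIMARY_GROUP_SID, DOMAIN + "-513", "AD AUTHORITY")],
    # Domain controller: primary group Domain Controllers (RID 516).
    "domain controller": [(PRIMARY_GROUP_SID, DOMAIN + "-516", "AD AUTHORITY")],
    # The leading hyphen in the regex stops RID 1515 from matching.
    "group with RID 1515": [(PRIMARY_GROUP_SID, DOMAIN + "-1515", "AD AUTHORITY")],
    # Same SID value, but not asserted by the local AD: filtered out.
    "federated issuer": [(PRIMARY_GROUP_SID, DOMAIN + "-515", PARTNER)],
}


def evaluate_samples():
    """Map each sample name to True if the rule issues the DJ claim."""
    return {name: bool(issue_account_type(c)) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, is_dj in evaluate_samples().items():
        print(f"{name:22} -> {'DJ' if is_dj else 'no accounttype claim'}")
```

The rule keys on the primary group only, so a domain controller or a computer whose primary group was changed is not tagged as "DJ".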

Thanks!

And how can I now implement a rule that if it is a domain joined device it should be asked for certificate based auth as a second factor and all mobile devices should go for Azure MFA?

Look at the Additional Authentication Rules functionality for that and add a rule that will force domain joined machines to perform MFA on-premises. There is no way to enforce a specific MFA method, however; the user will be able to use any of the configured ones.

So that means that I cannot enforce laptops to present a certificate while iPhones should go for the Azure MFA authentication at the same time?

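You should use the "isregistered" claims, like this:

c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
    Value = "http://schemas.microsoft.com/claims/multipleauthn");

Please check this post: https://blogs.msdn.microsoft.com/ramical/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-adfs-part-1-policy/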

But how to tell ADFS that all Windows 10 laptops should present a certificate along with all iPhones should go for SMS or phone call provided by Azure MFA?

"registered" device is different from domain-joined though. And again, as I mentioned, you cannot force a specific method. One way to handle this would be to force MFA on-premises for all DJ devices and have CBA configured there. For any non-domain joined devices, only enforce MFA in the cloud. You'll have to make sure the relevant claims are sent in order to avoid double MFA though. Definitely some testing needed to get this right :)

Well if that's the case we will need to find a different solution probably, but thanks anyhow I will maybe configure that in a dev environment...