cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure AD / AD FS Conditional Access - Known Devices

Paul Bendall
Iron Contributor

‎Dec 06 2017 03:38 AM - last edited on ‎Jan 14 2022 05:27 PM by

‎Dec 06 2017 03:38 AM - last edited on ‎Jan 14 2022 05:27 PM by

Azure AD / AD FS Conditional Access - Known Devices

I've done quite a bit of searching but can't find a definitive answer to my requirement.

If a device (Windows 10 PC or iOS) is unknown, because it hasn't been domain joined, hybrid joined or managed. Is it possible to avoid prompting for credentials?

In my test environment Azure AD is setup with O365 and federated to an AD FS Server (2016). If I set the Conditional Access requirement in Azure AD for domain joined my expectation is the process would fail if the machine being used is not known to Azure AD.

In my testing Azure AD redirects me to my ADFS server which presents Form Based Authentication page (which I don't want). If I do enter my credentials then I get a denied but this is after user auth.

The solution I'm trying to arrive at is that a user is only prompted for credentials when the device is known. Later I'd add another condition whereby if the location is known (corporate network) then the device doesn't need to be known so that it can be onboarded.

Is my config somehow wrong, or is what I am trying to do not possible?

MT

 

Paul

3,703 Views
0 Likes
4 Replies
Reply
4 Replies
Vasil Michev

‎Dec 06 2017 11:07 AM

‎Dec 06 2017 11:07 AM

Re: Azure AD / AD FS Conditional Access - Known Devices

So you want to immediately display a "login failure" for such devices? I guess you can configure certificate-based auth as the primary factor and disable WIA/FBA on the extranet, so that devices that don't have certificate provisioned will fail immediately.

1 Like
Reply
Paul Bendall

‎Dec 06 2017 11:50 AM

‎Dec 06 2017 11:50 AM

Re: Azure AD / AD FS Conditional Access - Known Devices

In essence yes. I don't want users to be prompted for credentials when the device is unknown (and therefore in an unknown state). I was hoping that a claim built around isKnown would achieve this but it looks like that only kicks in after user authentication.

 

The reason for the requirement is avoiding users entering credentials that could be captured by a keyboard logger. If the device is not known to Azure AD the risk is higher than a device that is known and in a compliant state

Paul

0 Likes
Reply
best response confirmed by Paul Bendall (Iron Contributor)
Alex Simons

‎Dec 06 2017 01:02 PM

‎Dec 06 2017 01:02 PM

Solution

Re: Azure AD / AD FS Conditional Access - Known Devices

Hi Paul -

 

There isn't any way to do this. Until the service knows who the user is, the conditional access system can't figure out which policy to apply as all policies apply to users or groups of users.

 

Regards,

Alex

 

 

1 Like
Reply
Paul Bendall

‎Dec 06 2017 01:16 PM

‎Dec 06 2017 01:16 PM

Re: Azure AD / AD FS Conditional Access - Known Devices

@Alex Simons

 

Thanks for the confirmation. 

 

Device pre-auth would be very useful as a future feature so as not to expose corporate credentials on unknown devices. For now I can probably look to do something with Azure MFA as primary / secondary auth. to overcome the security concern.

Again thanks as always

Paul

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Paul Bendall (Iron Contributor)
Alex Simons

‎Dec 06 2017 01:02 PM

‎Dec 06 2017 01:02 PM

Solution

Re: Azure AD / AD FS Conditional Access - Known Devices

Hi Paul -

 

There isn't any way to do this. Until the service knows who the user is, the conditional access system can't figure out which policy to apply as all policies apply to users or groups of users.

 

Regards,

Alex

 

 

View solution in original post

1 Like
Reply