Forum Discussion

Paul Bendall
Iron Contributor
Dec 06, 2017

Azure AD / AD FS Conditional Access - Known Devices

I've done quite a bit of searching but can't find a definitive answer to my requirement.

If a device (Windows 10 PC or iOS) is unknown because it hasn't been domain joined, hybrid joined or managed, is it possible to avoid prompting for credentials?

In my test environment Azure AD is set up with O365 and federated to an AD FS server (2016). If I set the Conditional Access requirement in Azure AD to require a domain-joined device, my expectation is that the process would fail if the machine being used is not known to Azure AD.

In my testing Azure AD redirects me to my AD FS server, which presents a Form Based Authentication page (which I don't want). If I do enter my credentials then I get denied, but this is only after user authentication.

The solution I'm trying to arrive at is that a user is only prompted for credentials when the device is known. Later I'd add another condition whereby if the location is known (corporate network) then the device doesn't need to be known so that it can be onboarded.

Is my config somehow wrong, or is what I am trying to do not possible?

MT


Paul

  • Alex Simons
    Dec 06, 2017

    Hi Paul -


    There isn't any way to do this. Until the service knows who the user is, the conditional access system can't figure out which policy to apply as all policies apply to users or groups of users.


    Regards,

    Alex

  • So you want to immediately display a "login failure" for such devices? I guess you can configure certificate-based auth as the primary factor and disable WIA/FBA on the extranet, so that devices that don't have certificate provisioned will fail immediately.
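
The configuration suggested in this comment, written out as an added example that is not part of the thread: it reads the AD FS 2016 global authentication policy, restricts the extranet primary authentication providers to certificate authentication only (removing WIA and forms), leaves the intranet unchanged so on-premises onboarding still works, and verifies the result. It assumes you run it in an elevated session on an AD FS server in a test farm first; the provider names are the standard AD FS values.

```powershell
# Added example (not from the thread). Run on an AD FS 2016 server, test farm first.

# 1. Record the current policy so the change can be reverted.
$before = Get-AdfsGlobalAuthenticationPolicy
"Extranet primary providers before: $($before.PrimaryExtranetAuthenticationProvider -join ', ')"
"Intranet primary providers before:  $($before.PrimaryIntranetAuthenticationProvider -join ', ')"

# 2. Offer only certificate authentication on the extranet. With WIA/FBA removed,
#    an external device that has no provisioned certificate is never shown a
#    password form, which is the keylogger exposure the original question wants
#    to avoid. Intranet keeps WIA + forms so unknown devices can still be
#    onboarded from the corporate network.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @('CertificateAuthentication') `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

# 3. Verify: fail loudly if forms or Windows auth is still offered externally.
$after = Get-AdfsGlobalAuthenticationPolicy
foreach ($provider in @('FormsAuthentication', 'WindowsAuthentication')) {
    if ($after.PrimaryExtranetAuthenticationProvider -contains $provider) {
        throw "$provider is still enabled on the extranet"
    }
}
"Extranet primary providers after: $($after.PrimaryExtranetAuthenticationProvider -join ', ')"

# To revert in the test farm:
# Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider $before.PrimaryExtranetAuthenticationProvider
```

Note that this only changes what AD FS offers before authentication; the Azure AD Conditional Access device checks described in the thread still run only after the user has signed in.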

    • Paul Bendall
      Iron Contributor

      In essence yes. I don't want users to be prompted for credentials when the device is unknown (and therefore in an unknown state). I was hoping that a claim built around isKnown would achieve this but it looks like that only kicks in after user authentication.


      The reason for the requirement is avoiding users entering credentials that could be captured by a keyboard logger. If the device is not known to Azure AD, the risk is higher than on a device that is known and in a compliant state.

      Paul