
How does computer objects synchronize to Azure AD for Windows Hello for Business?

jennylim
New Contributor

Hi, I am implementing Windows Hello for Business in my environment using Hybrid-AD joined with certificate trust.  


In this flow diagram https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-i..., it mentions that the device object is written by Azure DRS. Does that mean that I do not need to configure synchronisation rules in Azure AD Connect to synchronise computer objects from on-prem AD to Azure AD?

3 Replies

@jennylim 

It depends on your scenario, and if you're on a "Federated" scenario you need to use Azure DRS to get the benefit of conditional access policies and integration across Office, Intune and other Microsoft cloud services.

Azure DRS is used to register the devices and publish the necessary device certificates to clients. Once it occurs you've got the capabilities of Azure AD Conditional Access policies.


If you're working with the "Managed Domains" scenario you don't need Azure DRS, because you need to use the SCP process within AAD Connect.

Thanks, @Eli Shlomo. I am using ADFS and am in a federated scenario. I found some device sync rules in Azure AD Connect to sync out from AD to Azure AD. Thus, I am confused whether it is based on those rules to sync out or based on Azure DRS to write the objects.

@jennylim 

The sync rules are part of the filtering options and are created by default, and it's recommended not to change these rules.

For your question, it's based on Azure DRS and ADFS, and to make a long story short, some explanation: the registration with Azure AD is the same as with ADFS, but the client is reporting to on-premises instead of to the DRS in Azure AD. When a device receives an answer from the DRS in ADFS, the device will get a user certificate and the computer object of that specific device will be updated with the ID of this user certificate. After that, the computer object will be synced with Azure AD.


More information 

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual
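An added verification script (not part of the thread or of any Microsoft tooling) that checks the two halves of the flow described above from the administrator's side: whether the device reports itself as registered (dsregcmd), and whether its on-prem computer object carries the certificate that the default Azure AD Connect computer rule looks for before the object is synced. It assumes the RSAT ActiveDirectory module is installed and that it runs on the hybrid-joined device itself; the expectation that the certificate subject contains the Azure AD DeviceId is also an assumption of the script.

```powershell
# Added example: verify Azure DRS registration and the userCertificate value on the
# computer object that Azure AD Connect's default computer rule keys on.
# Assumption: RSAT ActiveDirectory module present; run on the device being checked.
#Requires -Modules ActiveDirectory
param([string]$ComputerName = $env:COMPUTERNAME)

function Get-DeviceRegistrationState {
    # dsregcmd /status prints "Key : Value" lines; pick out the fields relevant here.
    $lines = & dsregcmd.exe /status
    $state = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'DeviceId', 'TenantId', 'NgcSet') {
        $m = $lines | Select-String -Pattern "^\s*$key\s*:\s*(.+)$" | Select-Object -First 1
        $state[$key] = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
    }
    [pscustomobject]$state
}

function Get-ComputerJoinCertificate {
    param([string]$Name)
    # userCertificate is multi-valued; each value is a DER-encoded certificate.
    $obj = Get-ADComputer -Identity $Name -Properties userCertificate
    foreach ($der in $obj.userCertificate) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
}

$reg   = Get-DeviceRegistrationState
$certs = @(Get-ComputerJoinCertificate -Name $ComputerName)

"Device registration (dsregcmd /status):"
$reg | Format-List

if ($reg.AzureAdJoined -ne 'YES' -or $reg.DomainJoined -ne 'YES') {
    Write-Warning "Device is not reported as hybrid Azure AD joined; DRS registration has not completed."
}

if ($certs.Count -eq 0) {
    Write-Warning "userCertificate is empty on $ComputerName; the default AAD Connect computer rule will not export this object."
} else {
    "Certificates on computer object ${ComputerName}:"
    $certs | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
    # Assumed check: the registered DeviceId should appear in a certificate subject (CN=<DeviceId>).
    if ($reg.DeviceId -and -not ($certs.Subject -match [regex]::Escape($reg.DeviceId))) {
        Write-Warning "No userCertificate subject matches DeviceId $($reg.DeviceId); the object may be stale."
    }
}
```

Run it in the signed-in user's context, since NgcSet (the Windows Hello for Business key state) is reported per user.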
