My experience about registering Hybrid Azure AD joined devices


Implementing a Conditional Access scenario in Azure requires device context claims so that ADFS / Azure AD can determine whether a device is recognized, managed, compliant, and so on. These claims are what the service relies on to decide whether a device is known or not.

During my experience registering Hybrid Azure AD Joined devices, I found that in Windows 7 a Workplace Joined machine is registered per user and receives a device authentication certificate that is stored in the "Current User" certificate store.

[Figure: w7aad.png]

In Windows 10, I found that Azure AD device registration is per machine, which is why we saw blank user fields for these devices in Azure AD (this is normal; I raised a support ticket and Microsoft confirmed the behavior). In this case the machine receives a device authentication certificate that is stored in the "Local Machine" certificate store.

[Figure: w10aad.png]

During authentication, IE and Edge successfully use this certificate to complete device authentication. Chrome will not touch any certificate in the "Local Machine" certificate store. When Chrome is used, the device is therefore not recognized, the device-based policy cannot be satisfied, and the user is prompted for a secondary form of authentication.
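To see which store a device's certificate actually landed in (and so predict which browsers will present it), the following PowerShell check is an added example of mine, not part of the original post. It assumes the device certificate is issued by "MS-Organization-Access", the usual issuer for Azure AD device registration; adjust the pattern if your tenant differs.

```powershell
# Added example: inventory Azure AD / Workplace Join device authentication
# certificates per store. Assumption: issuer matches 'MS-Organization-Access'.
$IssuerPattern = 'MS-Organization-Access'

function Get-DeviceAuthCertificate {
    param([string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -match $IssuerPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject        # CN is the device ID
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    HasKey     = $_.HasPrivateKey  # no key = cert is unusable
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

$certs = @(Get-DeviceAuthCertificate)
if (-not $certs) {
    Write-Warning 'No device authentication certificate found: device is not registered.'
    return
}

$certs | Format-Table Store, Subject, NotAfter, HasKey -AutoSize

# Machine-store certificate (Windows 10 Hybrid Azure AD join): used by IE/Edge,
# ignored by Chrome unless the Microsoft plug-in is installed, so device-based
# Conditional Access falls back to MFA in Chrome.
# User-store certificate (Windows 7 Workplace Join): available to the browsers
# running as that user.
foreach ($c in $certs) {
    if ($c.Store -like 'Cert:\LocalMachine\*') {
        Write-Output "$($c.Thumbprint): machine store; Chrome will not present it without the plug-in."
    } else {
        Write-Output "$($c.Thumbprint): user store; presented for this user's sessions."
    }
    if (-not $c.HasKey) {
        Write-Warning "$($c.Thumbprint): private key missing; device authentication will fail."
    }
    if ($c.NotAfter -lt (Get-Date)) {
        Write-Warning "$($c.Thumbprint): expired on $($c.NotAfter); re-registration needed."
    }
}
```

Run it once in an elevated session and once as the end user to see both stores; an expired certificate or one without its private key explains a device that is registered in the portal but still gets prompted for MFA.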

This appears to be a known issue with alternative browsers, and there is no complete answer for it. Without device authentication taking place, a device cannot be recognized for the purpose of bypassing MFA through conditional access policies.

Microsoft has provided a plug-in for Google Chrome that allows it to perform device authentication when MFA is required. However, there are a couple of caveats to be aware of:

  • The plug-in only works for Chrome and only on Windows 10 Creators Update (1703) or newer.
  • The plugin only works for Azure AD conditional access policies.
  • ADFS device based conditional access policies will not work.
  • Relying party trusts in ADFS other than Office 365 will not be able to utilize the plugin due to the previous limitation.

Long story short, Windows 7 device authentication works fine, and recognized devices will satisfy device-based conditional access policies even when Chrome is used. Windows 10 devices using Chrome have only limited ability to satisfy device-based conditional access policies.
