Why do you need ADFS at all?
AD FS - Conditional Access
To benefit from device claims for hybrid Azure AD Joined, registered devices and fully compliant devices based on Intune and Azure to allow AD FS conditional access to access federated resources, we have done the following.
- Configured Azure and Intune for Device registration and we have devices registered, hybrid Azure AD Joined and compliant showing in Azure and Intune.
- AD FS is configured for device registrations.
- AAD Connect is configured with the following:
  a. AD FS Federation.
  b. Device write-back option.
  c. Hybrid-Joined option - We can see all Azure devices are available in Active Directory under Registered Devices.
- Attributes (msDS-IsCompliant and msDS-IsManaged) are available for the devices synced back from Azure.
- We have AD FS on Windows Server 2016 and AAD Connect V2. After completing all the configurations and integrations, we configured the AD FS X-Ray tool and other claims-based applications, but unfortunately we are not getting any device claims. Additionally, we configured AD FS conditional access, but access was denied. We tried different browsers (IE, Edge, Chrome and Firefox), but access was still denied or no device claims were received.
Most of the available documents describe the solution for Windows Server 2012 and AAD Connect 1.x. The configuration for Windows Server 2016 and AAD Connect 2.x is not clear, as there were changes.
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-client-access-policies
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/plan-device-based-conditional-access-on-premises
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises
It will be appreciated if you can share your input on configuring such a scenario.
Thanks,
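The following script is an added example, not code from the question or from Microsoft, for checking each prerequisite listed above from the AD FS 2016 server. Cmdlets come from the ADFS and ActiveDirectory modules; the `msDS-IsCompliant` and `msDS-IsManaged` attributes are those named in the question; the device claim type URIs and the `DeviceAuthenticationMethod` property are assumed to match the linked Microsoft docs, and `YOUR-RP-NAME` is a placeholder for the relying party under test.

```powershell
# Added example: verify the pieces that must line up before AD FS 2016 can issue
# device claims for devices written back from Azure AD. Not the page's own code.
Import-Module ADFS
Import-Module ActiveDirectory

# 1. Is device registration configured on the farm at all?
"== AD FS device registration =="
Get-AdfsDeviceRegistration | Format-List *

# 2. Device authentication must be switched on globally; with Azure AD-registered
#    devices the method is assumed (per the linked docs) to include the PRT/signed
#    token path, so note the value rather than assuming it is correct.
"== Global authentication policy =="
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object DeviceAuthenticationEnabled, DeviceAuthenticationMethod

# 3. Are the written-back device objects really present, and do they carry the
#    compliance/management attributes AAD Connect is expected to populate?
"== Written-back device objects =="
$searchBase = (Get-ADDomain).DistinguishedName
$devices = Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' `
    -SearchBase $searchBase `
    -Properties displayName, 'msDS-IsCompliant', 'msDS-IsManaged'

if (-not $devices) {
    Write-Warning 'No msDS-Device objects found: device write-back has not produced anything in this forest.'
} else {
    $devices |
        Select-Object displayName,
            @{ n = 'IsCompliant'; e = { $_.'msDS-IsCompliant' } },
            @{ n = 'IsManaged';   e = { $_.'msDS-IsManaged' } } |
        Format-Table -AutoSize

    # A device that reports compliant in Intune but has no value here points at
    # the sync/write-back leg, not at AD FS.
    $missing = $devices | Where-Object { $null -eq $_.'msDS-IsCompliant' }
    "Devices without msDS-IsCompliant populated: $($missing.Count)"
}

# 4. What does the relying party under test actually do with device claims?
"== Relying party rules =="
$rp = Get-AdfsRelyingPartyTrust -Name 'YOUR-RP-NAME'   # placeholder name
$rp | Select-Object Name, AccessControlPolicyName
$rp.IssuanceTransformRules
$rp.IssuanceAuthorizationRules

# 5. Example authorization rule (assumed claim type URI from the linked docs) that
#    permits only devices reported as compliant. It is shown, not applied; in
#    AD FS 2016 a custom rule can only be set once no access control policy is
#    assigned to the trust.
$permitCompliant = @'
@RuleName = "Permit only compliant devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/iscompliant", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
"Candidate authorization rule:`n$permitCompliant"
# To apply (placeholder target name):
# Set-AdfsRelyingPartyTrust -TargetName 'YOUR-RP-NAME' -AccessControlPolicyName $null
# Set-AdfsRelyingPartyTrust -TargetName 'YOUR-RP-NAME' -IssuanceAuthorizationRules $permitCompliant
```

Reading the output in order narrows the failure down: empty or unpopulated device objects in step 3 mean the Azure-to-AD write-back leg is the problem, while populated objects plus no device claims at the relying party point at the AD FS device authentication settings in step 2 or at a browser session that is not presenting the device credential at all.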
1 answer
Mark Morowczynski 251 Reputation points Microsoft Employee
2023-01-18T22:54:19.4933333+00:00