Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,473 questions
Why do you need ADFS at all?
AD FS - Conditional Access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 76%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
A D
1
Reputation point
To benefit from device claims for hybrid Azure AD Joined, registered devices and fully compliant devices based on Intune and Azure to allow AD FS conditional access to access federated resources, we have done the following.
- Configured Azure and Intune for Device registration and we have devices registered, hybrid Azure AD Joined and compliant showing in Azure and Intune.
- AD FS is configured for device registrations.
- AAD Connect is configured with the following:
a. AD FS Federation.
b. Device write-back option.
c. Hybrid-Joined option - We can see all Azure devices are available in the active directory under registered devices.
- Attributes (msDS-IsCompliant and msDS-IsManaged) are available for the devices synced back from Azure.
- We have AD FS windows server 2016, and AAD connect V2. After completing all the configurations and the integrations, we configured AD FS X-Ray tool and other claim-based application, but unfortunately we are not getting any device claims. Additionally, we configured AD FS conditional access, but the access was denied. We tried different browsers (IE, Edge, Chrome and Firefox) but still the access was denied or no device claims received.
Most of the documents available are describing the solution for Windows server 2012 and AAD connect 1.x. The configurations for Windows server 2016 and AAD connect 2.x are not clear as there were changes.
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-client-access-policies
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/plan-device-based-conditional-access-on-premises
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises
It will be appreciated if you can share your input to configure such scenario.
Thanks,
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sandeep G-MSFT 14,486 Reputation points Microsoft Employee2022-10-12T11:29:12.587+00:00 Have you configured claims in ADFS as per your requirements.
-
A D 1 Reputation point
2022-10-12T18:27:03.293+00:00 @Sandeep G-MSFT , Thank you for your response.
We have configured issue all claims for the relying party.
-
Mark Morowczynski 251 Reputation points Microsoft Employee2022-10-15T14:57:05.18+00:00 Can I ask what is the resource you are targeting to use Conditional Access with in ADFS?
-
A D 1 Reputation point
2022-10-25T18:36:23.43+00:00 Office and some other application. For the testing I am using Office and X-Ray.
Sign in to comment
1 answer
Sort by: Most helpful
-
Mark Morowczynski 251 Reputation points Microsoft Employee
2023-01-18T22:54:19.4933333+00:00