Struggling with Bypassing MFA for Devices Joined via Azure Hybrid AD in Conditional Access Policy

Diego 0

Hello everyone, I'm having a problem when implementing a conditional access policy: I have devices joined using an Azure Hybrid AD join mode, and I'm trying to bypass these devices from applying two-factor or MFA through a conditional policy, but I've tried everything, excluding the IDs, excluding all devices joined in this Azure Hybrid way and it's just not working. What step am I missing?

thanks

1 answer

Michael Maher 42

Can you used the WhatIf tool to see the result of the Conditional Access policies for the given sign-in scenario.

Also the sign-in logs have a tab which should help.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access#policy-not-working-as-intended

If all else fails there is s template Conditional Access policy which might help.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device#template-deployment

Diego 0

Hello! Thanks for the help. I use the tool what if and the directive is working correctly, unfortunately doesn't working.

This is the output:

Error code is 53001 but if I execute the command: dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES

You can't get there from here
The app contains sensitive information and can only be accessed from the following devices:
Devices linked to the ENTERPRISE DOMAIN. Access from personal devices is not allowed.
The current browser is not supported. Please use Microsoft Edge, Internet Explorer, Chrome or Firefox 91+ to access this app.
Sign out and sign in with another account
More details
Troubleshooting Details
When contacting the administrator, you must send him this information.
Copy the information to the clipboard
Error Code: 53001
Request Id: d0550d3f-9e8b-4827-97d5-072a8ec51000
Correlation Id: 0aeb1309-5368-48f5-b049-ea16af5d8ad6
Timestamp: 2023-05-22T07:17:58.616Z
App Name: FortiGate SSL VPN
App ID: 83f9dee9-5e8b-4b6a-949e-834801765f15
IP address: 212.166.220.189
Device Identifier: Not Available
Device platform: Windows 10
Device Status: Unregistered
Flag login errors for review: Enable flagging
If you plan to request help with this issue, please enable flagging and try to reproduce the bug in 20 minutes. Flagged events make diagnostics available and displayed to the administrator.

Michael Maher 42 Reputation points

2023-05-22T08:58:56.64+00:00

I don't use Fortigate products but I suspect you may be using an embedded browser with the VPN client.

Can you see if you can force it to use Edge or Chrome?

Have a read here

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/364443/using-a-browser-as-an-external-user-agent-for-saml-authentication-in-an-ssl-vpn-connection