Configuring ADFS conditional access

Question

Configuring ADFS conditional access

Marwen MAJRI 0

We have set up Device Registration and Device Write Back to enable the creation of ADFS Conditionnal Access based on the device trust level (Authenticated, Managed or Compliant). The Computer objects are now synchronized with Miscrosoft Intra Connect and uploaded as Hybrid Joined to Azure. After several attempts and configuration, conditional access only works on Microsoft Intra Registred devices. We want to do this on our Microsoft Intra Hybrid Joined devices. Using ADFSHelp, I've seen that the Token Claims contains no information about the device when it's Hybrid Joined, but with a device in Registred status, the Token Claims contains the information needed to apply conditional access.

JamesTran-MSFT 36,841 Reputation points Microsoft Employee

2024-01-25T21:17:47.3433333+00:00

@Marwen MAJRI
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Marwen MAJRI 0 Reputation points

2024-01-29T08:29:23.46+00:00

Hi @JamesTran-MSFT I'm not able to find any solution. Hope you can help me on it. Many thanks in advance.

1 answer

Your answer

JamesTran-MSFT 36,841 Reputation points Microsoft Employee

2024-01-25T21:17:47.3433333+00:00

@Marwen MAJRI
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Marwen MAJRI 0 Reputation points

2024-01-29T08:29:23.46+00:00

Hi @JamesTran-MSFT I'm not able to find any solution. Hope you can help me on it. Many thanks in advance.

Answer 1

James Hamil 27,016 Microsoft Employee

Hi @Marwen MAJRI , when a device is Hybrid Joined, the token claims do not contain information about the device. This is because the device is not registered with Azure AD, but rather with your on-premises Active Directory. To apply conditional access policies to your Hybrid Joined devices, you will need to configure device compliance policies in Microsoft Intune. This will allow you to check the compliance status of your devices and apply conditional access policies based on that status. To get started with device compliance policies in Microsoft Intune, you can refer to the following document: Device compliance policies in Microsoft Intune. This document provides step-by-step instructions on how to create and deploy device compliance policies in Microsoft Intune. Once you have configured device compliance policies in Microsoft Intune, you can then use the compliance status of your Hybrid Joined devices to apply conditional access policies. For more information on how to configure conditional access policies in Azure AD, you can refer to this document. Please let me know if you have any questions and I can help you further. If this answer helps you please mark "Accept Answer" so other users can reference it. Thank you, James

Marwen MAJRI 0 Reputation points

2024-01-17T14:20:21.7333333+00:00

Hello James, Thank you for your time but we need to implement this Conditional Access in ADFS side to use it with our internal applications and not in Azure. Conditional access policies in Azure AD works fine and grant access based on device status but i need to do the same on ADFS (attached sreenshot).
James Hamil 27,016 Reputation points Microsoft Employee

2024-01-23T21:12:46.14+00:00
Hi @Marwen MAJRI , it looks like the screenshot didn't attach if you want to resubmit it. Please try following these steps and let me know if it works for you. If not we can open a support ticket.

Set up Azure AD Connect to synchronize your on-premises Active Directory with Azure AD. This will allow you to use Azure AD as an identity provider for ADFS.

Configure ADFS to use Azure AD as an identity provider. This involves setting up a trust relationship between ADFS and Azure AD.

Configure Conditional Access policies in Azure AD. You can use the Azure portal or PowerShell to create and manage Conditional Access policies. To create a Conditional Access policy, you will need to specify the conditions under which the policy should be applied, such as the user's location, device, or application. You can also specify the actions that should be taken if the conditions are met, such as requiring multi-factor authentication or blocking access.

Configure ADFS to enforce Conditional Access policies. This involves setting up a claims rule in ADFS that checks for the presence of a specific claim in the user's token. If the claim is present, the user is allowed access. If the claim is not present, the user is denied access. You can follow the instructions in the ADFS documentation to set up the claims rule.

If the claims are still empty after this please let me know.

Best,

James
Marwen MAJRI 0 Reputation points

2024-01-25T12:50:50.01+00:00

Hi James, we have ADFS as identity provider and we need to create the Conditionnal access in ADFS and not in Azure AD. AD Connect is already in place and device are synced as Hybrid joined in Azure. Device registration and Device Write back are in place but when i create an Access policy in ADFS based on Device, i can't access to any application. Attached a screen of what i want to configure. Many thanks for your Help. BR, Marwen

Share via

Configuring ADFS conditional access

1 answer

Your answer