ADFS Multidomain Hybrid-Join

MJ 21 Reputation points
2021-02-14T07:48:09.193+00:00

Hi,

We have an ADFS farm for different Azure tenants (set up with the -SupportMultipleDomain parameter) and are trying to implement Hybrid Join. The automatic Hybrid Join works when the Claim Issuance Policy below is pointed at one validated domain. Because we have different validated domains from different tenants, this method does not seem to be multitenant. I am wondering if it is somehow possible to change or edit the claim to support multiple validated domains from different tenants. When I just copy the claim and point it at another validated domain from another tenant, the automatic Hybrid Join fails and only works after AD Sync has run. Because we are using non-persistent VDIs, we want the automatic Azure AD join to work so the device is already hybrid-joined before a user logs in.

Issue issuerID for domain-joined computers

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http://VALIDATEDDOMAIN/adfs/services/trust/");


Accepted answer
  1. VipulSparsh-MSFT 16,296 Reputation points Microsoft Employee
    2021-02-19T07:29:42.193+00:00

    @MJ You will have to modify the claim rules so that they know which specific VDI host needs to go to which specific tenant, i.e. which issuerID claim to issue.

    http://VALIDATEDDOMAIN/adfs/services/trust/ needs to be one of the issuerIDs of one of the federated domains in the target tenant. So there will need to be more conditions in those issuance rules; just filtering on the SID of the Domain Computers group is not enough.

    You can duplicate the rule so that it looks like this:

    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[identify OU for target tenant]
    => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http://hardcodedtargetdomainname/adfs/services/trust/");

    You will need one such rule for each target tenant.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.
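The following is an added worked example of the per-tenant rule set the accepted answer describes; it is not code from the thread or from Microsoft. It fills the "identify OU for target tenant" placeholder by first pulling the authenticating computer account's distinguishedName out of AD into an intermediate claim, then issuing one issuerID rule per tenant keyed on the OU that holds that tenant's VDI computer objects. The OU names, tenant domains, the custom claim type http://schemas.example.com/claims/dn and the relying-party trust name are placeholders; it also assumes the AD attribute store resolves the computer's DOMAIN\HOST$ account the same way it resolves user accounts, that the IssuerUri of each listed domain in Azure AD is http://<domain>/adfs/services/trust/, that the original single-tenant issuerID rule has been removed, and that the other standard device-registration rules (accounttype, onpremobjectguid, primarysid) are already in the policy.

```powershell
# Added example, not from the thread. Builds one issuerID rule per tenant,
# keyed on the OU of the computer object, and appends it to the Azure AD
# relying-party trust on an ADFS server (run in an elevated ADFS PowerShell session).
# ASSUMPTIONS (placeholders): OU paths, tenant domains, $DnClaim, $rpName.

$GroupSidClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$AccountClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$IssuerIdClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid'
$DnClaim       = 'http://schemas.example.com/claims/dn'   # custom intermediate claim type (assumption)

# OU holding each tenant's VDI computer objects -> a verified federated domain in that tenant.
# The domain must be one whose IssuerUri in Azure AD is http://<domain>/adfs/services/trust/
# (what Convert-MsolDomainToFederated -SupportMultipleDomain registers).
$TenantMap = @{
    'OU=VDI-TenantA,OU=Workstations,DC=corp,DC=example' = 'tenant-a.example'
    'OU=VDI-TenantB,OU=Workstations,DC=corp,DC=example' = 'tenant-b.example'
}

# Rule 1: look up the authenticating computer account's distinguishedName in AD and
# expose it as an intermediate claim (add, not issue) for the rules that follow.
# Assumes the AD attribute store resolves DOMAIN\HOST$ by sAMAccountName like a user.
$rules = @"
@RuleName = "Add computer distinguishedName"
c:[Type == "$AccountClaim", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$DnClaim"), query = ";distinguishedName;{0}", param = c.Value);

"@

foreach ($ou in $TenantMap.Keys) {
    $domain = $TenantMap[$ou]
    # Anchor the DN match as ^CN=<name>,<exact OU>$ so a computer in a sub-OU or in a
    # similarly named OU elsewhere cannot be steered into the wrong tenant.
    $dnPattern = '^CN=[^,]+,' + [regex]::Escape($ou) + '$'
    $rules += @"
@RuleName = "Issue issuerID for domain-joined computers in $ou"
c1:[Type == "$GroupSidClaim", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
 && c2:[Type == "$DnClaim", Value =~ "(?i)$dnPattern"]
 => issue(Type = "$IssuerIdClaim", Value = "http://$domain/adfs/services/trust/");

"@
}

# Apply: keep the existing rules, back them up, append the new block.
$rpName   = 'Microsoft Office 365 Identity Platform'   # assumption: default name created by Convert-MsolDomainToFederated
$rp       = Get-AdfsRelyingPartyTrust -Name $rpName
$backup   = Join-Path $env:TEMP ("{0}-IssuanceTransformRules-{1:yyyyMMddHHmmss}.txt" -f $rpName, (Get-Date))
$rp.IssuanceTransformRules | Set-Content -Path $backup

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $rules)

# Show the resulting policy so the per-tenant rules can be reviewed before any VDI host is rebuilt.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Two checks worth doing after applying this. First, confirm that exactly one issuerID rule can fire for any given computer: the OU patterns above are anchored, so a host cannot match two tenants, but if the map is later extended with overlapping or nested OUs, a device could be registered into the wrong tenant, which is a tenant-boundary problem rather than a mere join failure. Second, on a freshly provisioned VDI host, run dsregcmd /status and verify that AzureAdJoined shows YES with the expected TenantId before any user has signed in, since the whole point of the question is that the join must complete at the device stage rather than after a later AD Sync cycle.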

