Workplace Join/Device Registration to Azure AD for Local Domain joined Windows 7 and 2012

The following guide provides step by step procedure how to implement Workplace Join/Device Registration to Azure AD for Conditional Access.

<Prerequisite>
Accounts between On-premise and Azure AD must be synchronized via AAD connect

<System Configuration check>
From DNS server,  
    
From ADFS server,
1. O365 federation
2. Enable device registration
Initialize-ADDeviceRegistration
Enable-AdfsDeviceRegistration
Set-AdfsDeviceRegistration -ServiceAccountIdentifier mfalab3\taehee
Get-AdfsDeviceRegistration
setspn -Q host/fs.mfalab3.com

3. Add claimrules

c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
=> issue(claim = c);
Open Powershell and run
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -AllowedAuthenticationClassReferences wiaormultiauthn

From Domain joined Win7,
1. Try login to "https://portal.office.com", enter current login domain user account - "must login in without redirecting ADFS login page!!"
2. Download and Install "Workplace Join agent"
x64
x86
And run "C:\Program Files\Microsoft Workplace Join>AutoWorkplace.exe /join"
To leave, "C:\Program Files\Microsoft Workplace Join>AutoWorkplace.exe /leave"

<Result>
From Win7 and 2012
From Azure Portal

Comments

Post a Comment

Popular posts from this blog

ADFS WAP: How to configure SSO with RDWeb

Image
1.  System Deploy ADFS : th-adfs2012.mfalab3.com ADFS WAP : th-adfs2012wap.mfalab3.com RDWeb : th-rds.mfalab3.com A public IP for ADFS WAP points to ADFS/RDS as well 2.  Setting on ADFS Create a Relying Parth Trust 3.  Setting on ADFS WAP Create WAP Application, Add-WebApplicationProxyApplication -Name 'rdweb' -ExternalUrl 'https://th-rds.mfalab3.com/rdweb/' -BackendServerURL 'https://th-rds.mfalab3.com/rdweb/' -ExternalPreAuthentication ADFS -ADFSRelyingPartyName rdweb1 -ExternalCertificateThumbprint '67D438BDDBB455E53CA83D6F5DEC34CC546F711A' 4.  Setting on RDS Important : Change authentication method to “Windows” https://social.technet.microsoft.com/Forums/office/en-US/999f56fa-a218-41b0-86ee-2845269d93ef/rdweb-authentication?forum=winserverTS 5.  Setting on the Client Computers 6. See how it works
Read more

Secure RDWeb using Azure Multi-Factor Authentication

Image
1. Change RDWeb authentication mode from "Forms" to "Windows" Edit C:\Windows\Web\RDWeb\Pages\web.config     <authentication mode="Windows"/> <!--     <authentication mode="Forms">         <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />     </authentication> --> . . . <system.webServer> <!--     <modules runAllManagedModulesForAllRequests="true">       <remove name="FormsAuthentication" />       <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />     </modules>     <security>         <authentication>             <windowsAuthentication enabled="false" />         ...
Read more

Azure: How to unregister and register ADFS Authentication Provider (MFA)

Image
When Azure subscription is changed,due to a provider change, Azure Multi-Factor Authentication(AKA, MFA) must be unregistered and registered again by following method. 1. Un-register MFA provider, on ADFS Global Authentication Policy, uncheck WindowsAzureMultiFactorAuthentication checkbox. Go to PowerShell prompt, then run PS C:\Program Files\Multi-Factor Authentication Server> Unregister-AdfsAuthenticationProvider –Name "WindowsAzureMultiFactorAuthentication" WARNING: PS0103: The authentication provider was successfully unregistered from the policy store.  Restart the A D FS Windows Service on each server in the farm. Restart ADFS services PS C:\Program Files\Multi-Factor Authentication Server> net stop adfssrv The Active Directory Federation Services service is stopping..... The Active Directory Federation Services service was stopped successfully. PS C:\Program Files\Multi-Factor Authentication Server> net start adfssrv The Active Directo...
Read more