Conditional Access with Azure Device Registration Service (aka Workplace Join)
You may already be aware that with Windows Server 2012 R2, Windows 8.1 and ADFS 3.0, Microsoft introduced a new feature called Workplace Join, also known as Device Registration, which allows and simplifies BYOD (Bring Your Own Device) access to corporate resources and corporate Windows apps without requiring the device to join the domain.
As companies want their users to become more productive, they have to allow more and more personally owned devices to access corporate resources. Device Registration plays a key role in enabling these scenarios for online services, SaaS applications and corporate resources through what is called conditional access. Accessing company resources from personally owned devices is becoming the new normal, and therefore additional security mitigations like conditional access are introduced. With conditional access, organizations are able to grant access to company resources, online services and SaaS applications based on how devices are managed.
Just being managed by Microsoft Intune isn’t enough to access company resources or SaaS applications. Devices must be managed by Microsoft Intune and registered through Azure Device Registration or on-premises Device Registration by ADFS 3.0.
In this blog I’ll show you how to configure the successor, Azure Device Registration Service, which is currently in public preview.
With Workplace Join, users can remotely register a non-Domain Joined device in Active Directory (AD) to gain secure “single sign-on” access to permitted corporate network resources from a BYOD, or Bring Your Own Device, PC. The Workplace Join process creates a new device object in AD and also installs a certificate on the device. Once Workplace Join is completed for a device, IT Pros can leverage the user’s device authentication as part of a set of conditional access policies to permit access to only authorized network applications and services. These conditional access policies can be used to provide appropriate access to users when accessing resources from a Workplace Joined device versus a fully Domain Joined device. In addition, users can opt-in to Microsoft Intune device management, so that IT Pros can provide users with managed access to applications, including internal LOB apps and links to public app stores, and updates on these devices.
As a starting point we assume you’ve already prepared your local Active Directory domain and configured DirSync and ADFS as stated below. For further reference, here are the links for preparing your environment to enable the use of Workplace Join.
- Deploy Active Directory Domain Services domain with the Windows Server 2012 R2 schema extensions.
- Deploy Windows Server 2012 R2 Federation Services along with the Web Application Proxy.
- Your Active Directory Domain Services forest must be configured with the objects and containers needed to support device objects. You will also enable Device Authentication in AD FS.
- Set up a federation relationship with your organization and Azure Active Directory. This step will walk you through configuring your Azure Active Directory tenant with your Windows Server 2012 R2 Federation Services.
- Configure Directory Sync (DirSync) to allow device object write-back. Devices created in Azure Active Directory will be written down to your Active Directory.
- It is strongly recommended that you configure a multi-factor authentication provider with Windows Server 2012 R2 Federation Services. This will allow your users to securely register their devices using multi-factor authentication.
Configure Azure Device Registration discovery
The following sections describe how to configure your DNS so that devices can discover your Azure Device Registration Service.
Workplace Join client devices will attempt to discover the Device Registration Server by combining the user account name with a well-known Device Registration server name. You must create a DNS CNAME record that points to the A record associated with your Azure Device Registration Service. The CNAME record must use the well-known prefix enterpriseregistration followed by the UPN suffix used by the user accounts at your organization. If your organization uses multiple UPN suffixes, multiple CNAME records must be created in DNS.
For example, if you use two UPN suffixes at your organization named @contoso.com and @region.contoso.com, you will create the following DNS records.
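The discovery rule above (well-known prefix plus the domain part of the UPN) is easy to get wrong when several UPN suffixes are in play, so here is an added PowerShell check that is not part of the original post: it derives the expected discovery hostname for each suffix and uses Resolve-DnsName to confirm a CNAME exists and points at the Azure service named later in this post (enterpriseregistration.windows.net). The two suffixes are the post’s constructed contoso.com examples; replace them with your own.

```powershell
# Added example (not from the original post): derive the Workplace Join discovery
# hostnames for each UPN suffix and verify that each is a CNAME pointing at the
# Azure Device Registration Service. The suffixes below are the post's constructed
# sample values; the target hostname is the one the post names.
$UpnSuffixes    = @('contoso.com', 'region.contoso.com')
$ExpectedTarget = 'enterpriseregistration.windows.net'

function Get-DeviceRegistrationDiscoveryName {
    # Clients combine the well-known prefix with the domain part of the user's UPN.
    param([Parameter(Mandatory)][string]$UpnOrSuffix)
    $suffix = if ($UpnOrSuffix.Contains('@')) { $UpnOrSuffix.Split('@')[-1] } else { $UpnOrSuffix }
    return "enterpriseregistration.$($suffix.ToLowerInvariant())"
}

function Test-DeviceRegistrationCname {
    param(
        [Parameter(Mandatory)][string]$UpnSuffix,
        [string]$Target = $ExpectedTarget
    )
    $name = Get-DeviceRegistrationDiscoveryName -UpnOrSuffix $UpnSuffix
    try {
        # Ask only for the CNAME so a stray A record on the same name is not mistaken for success.
        $records = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Name = $name; Status = 'Missing'; Detail = $_.Exception.Message }
    }
    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        return [pscustomobject]@{ Name = $name; Status = 'NotACname'; Detail = 'No CNAME record returned' }
    }
    $actual = $cname.NameHost.TrimEnd('.')
    $status = if ($actual -ieq $Target) { 'OK' } else { 'WrongTarget' }
    return [pscustomobject]@{ Name = $name; Status = $status; Detail = $actual }
}

# One row per UPN suffix: OK, Missing, NotACname or WrongTarget.
$UpnSuffixes | ForEach-Object { Test-DeviceRegistrationCname -UpnSuffix $_ } | Format-Table -AutoSize
```

Run it from a client that uses the same DNS resolvers your BYOD devices will use; a record that is only visible on the internal DNS will show as Missing from the internet, which is exactly the failure a Workplace Join from home would hit. If the zone is hosted on Windows DNS, the DnsServer module’s Add-DnsServerResourceRecordCName cmdlet (-ZoneName, -Name enterpriseregistration, -HostNameAlias pointing at the target) creates the missing record.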
Enable Azure Device Registration
The following section describes how to enable the Azure Device Registration service for your Azure Directory subscription.
- Log on to your Windows Azure Portal as Administrator.
- On the left pane, select Active Directory.
- On the Directory tab, select your directory.
- Select the Configure tab.
- Scroll to the section titled Device Registration.
- Select Yes for Enable Workplace Join.
By default, users are required to use two-factor authentication when joining their device. Therefore you must configure a two-factor authentication provider in AD FS. This is covered later in this blog. If you do not wish to require two-factor authentication when joining a device, do the following:
- Scroll down to the section titled Require Multifactor authentication to join devices.
- Select No.
Configure the Azure Active Directory relying party trust claim rules
- Open the AD FS management console and navigate to AD FS > Trust Relationships > Relying Party Trusts. Right-click on the Microsoft Office 365 Identity Platform relying party trust object and select Edit Claim Rules…
- On the Issuance Transform Rules tab, select Add Rule.
- Select Send Claims Using a Custom Rule from the Claim rule template drop down box. Select Next
- Type Auth Method Claim Rule in the Claim rule name: text box.
- Type the following claim rule in the Claim rule: text box:
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
=> issue(claim = c);
- Click OK twice to complete the dialog box.
Configure the Azure Active Directory relying party trust Authentication Class Reference
- On your federation server, open a Windows PowerShell command window and type:
Set-AdfsRelyingPartyTrust -TargetName <RelyingPartyName> -AllowedAuthenticationClassReferences wiaormultiauthn
Where <RelyingPartyName> is the relying party object name for your Azure Active Directory relying party trust object. This object is typically named Microsoft Office 365 Identity Platform.
Join a Windows 8.1 device to your workplace using Azure Device Registration
- On your Windows 8.1 device, navigate to PC Settings > Network > Workplace.
- Enter your user name in UPN format. For example, email@example.com
- Select Join.
- When prompted, sign-in with your credentials.
- As Multi-Factor Authentication (MFA) is enabled for device registration in our tenant, we were prompted to set up MFA to complete the sign-in process.
- Based on your preference you select a verification method (phone call, text message or PhoneFactor app) to complete the device registration process.
- As we selected authentication by phone as the verification method, we receive a phone call…
- …and confirm by pressing the pound key (#) to complete the verification.
- Now your device has been successfully registered through the Azure Device Registration Service.
- The event viewer log (Applications and Services Logs\Microsoft\Windows\Workplace-Join) can be used for troubleshooting and to validate whether the process of joining your workplace has completed successfully.
- Here is where device registration discovery comes in. During the registration process the device is associated with the user ID used. The domain part of the UPN suffix (@ronnydejong.com) is used to query the device registration service (https://enterpriseregistration.ronnydejong.com).
- As we created a CNAME, the device registration query initiated from the device is forwarded to the Azure Device Registration service (https://enterpriseregistration.windows.net).
- The Azure Device Registration web service receives the query and completes the registration process.
- During the device registration process a computer certificate is created on your device, which can be used to identify the device for MFA or conditional access purposes.
- When devices are registered successfully, they will show up in your Azure Directory as part of the user properties. As you can see I’ve joined multiple devices, ranging from Windows 8.1 and Windows RT to iOS.
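The Workplace-Join event log mentioned above is the first place to look when a join fails, so here is an added PowerShell helper (my own, not from the original post) that summarises the latest entries on the client. The channel name is an assumption derived from the Event Viewer path the post gives; if Get-WinEvent reports it does not exist, list the channels with Get-WinEvent -ListLog '*Workplace*' and use the name it returns.

```powershell
# Added example (not from the original post): summarise recent Workplace Join
# events on the client to tell a successful join from a failed one.
# ASSUMPTION: the channel name matches the Event Viewer path
# Applications and Services Logs\Microsoft\Windows\Workplace-Join.
$LogName = 'Microsoft-Windows-Workplace Join/Admin'

function Get-WorkplaceJoinStatus {
    param([int]$MaxEvents = 50, [string]$Log = $LogName)
    $events = @(Get-WinEvent -LogName $Log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        return [pscustomobject]@{ Log = $Log; Events = 0; Errors = 0; LastError = $null }
    }
    # Level 1 = Critical, 2 = Error; everything else is informational or a warning.
    $errors = @($events | Where-Object { $_.Level -le 2 })
    [pscustomobject]@{
        Log       = $Log
        Events    = $events.Count
        Errors    = $errors.Count
        LastError = if ($errors.Count -gt 0) { $errors[0].Message } else { $null }
    }
}

Get-WorkplaceJoinStatus

# When Errors is non-zero, read the full entries (newest first):
# Get-WinEvent -LogName $LogName -MaxEvents 20 | Format-List TimeCreated, Id, LevelDisplayName, Message
```

A run with Errors = 0 right after a join is the quick confirmation the post refers to; a non-zero count with a DNS-related message usually points back at the discovery CNAME rather than at ADFS.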
Configure DirSync to allow device object write-back
You must configure Directory Sync (DirSync) to allow device object write-back. Devices created in Azure Active Directory will be written down to your Active Directory. Devices created in Azure Active Directory may take up to 3 hours before they are written back to Active Directory.
NOTE You must be logged on with enterprise administrator permissions to complete the following procedure.
NOTE the Directory Synchronization tool version used for this service must be 1.6862.0000 or higher.
If you have just completed the DirSync installation wizard, sign-out and then sign-in before continuing. This will ensure you have an updated access token.
- On your directory sync server, open a Windows PowerShell command window and issue the following commands:
Import-Module DirSync
$AADCreds = Get-Credential
$ADCreds = Get-Credential
- When prompted for credentials, type your cloud service administrator account credentials and your Active Directory administrator credentials.
Enable-MSOnlineObjectManagement -ObjectTypes Device -TargetCredential $AADCreds -Credential $ADCreds
- Below we can see that the devices registered through Azure Device Registration service came down to our local Active Directory.
- Properties of workplace joined devices in your local Active Directory
As you noticed this isn’t the best UX, but no worries: PowerShell is here to help you and make these GUIDs human readable. This tool can be downloaded from Technet Gallery here. For more background information read this blog of Kenny Buntinx.
Disable unused device clean up
When a registered device is retired, disabled or disjoined, the Active Directory object created on initial registration isn’t removed automatically. This could result in numerous obsolete objects. Use the following PowerShell command to set the MaximumInactiveDays property, the number of days of inactivity after which device objects are removed from Active Directory.
- On your federation server, open a Windows PowerShell command window and type:
Set-AdfsDeviceRegistration -MaximumInactiveDays 0
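Before changing MaximumInactiveDays it helps to know what the written-back device objects look like and how many would count as inactive at a given threshold. The following PowerShell report is an added example of mine, not the post’s own code nor Kenny Buntinx’s tool: it reads the msDS-Device objects DirSync writes back, renders the device ID as a readable GUID (the UX point made above) and flags devices inactive longer than a threshold. It assumes the objects live in CN=RegisteredDevices under the domain root, that msDS-DeviceID is stored as a 16-byte GUID, and that msDS-ApproximateLastLogonTimeStamp is a Windows FILETIME value; check those against your schema before acting on the output.

```powershell
# Added example (not from the original post): report the written-back device
# objects with readable IDs and flag the ones inactive beyond a threshold.
# ASSUMPTIONS: container CN=RegisteredDevices under the domain root,
# msDS-DeviceID is a 16-byte GUID, msDS-ApproximateLastLogonTimeStamp is FILETIME.
Import-Module ActiveDirectory

function Get-RegisteredDeviceReport {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = "CN=RegisteredDevices,$((Get-ADDomain).DistinguishedName)"
    )
    $props  = 'msDS-DeviceID', 'msDS-DeviceOSType', 'msDS-DeviceOSVersion',
              'msDS-IsEnabled', 'msDS-ApproximateLastLogonTimeStamp', 'whenCreated'
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

    Get-ADObject -Filter 'objectClass -eq "msDS-Device"' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $lastLogon = $null
            if ($_.'msDS-ApproximateLastLogonTimeStamp') {
                $lastLogon = [DateTime]::FromFileTimeUtc([int64]$_.'msDS-ApproximateLastLogonTimeStamp')
            }
            # Render the octet-string device ID as a GUID instead of a byte array.
            $deviceId = if ($_.'msDS-DeviceID') { New-Object Guid (,[byte[]]$_.'msDS-DeviceID') } else { $null }
            # A device that never logged on is judged by its creation time instead.
            $reference = if ($lastLogon) { $lastLogon } else { $_.whenCreated.ToUniversalTime() }
            [pscustomobject]@{
                Name      = $_.Name
                DeviceId  = $deviceId
                OS        = "$($_.'msDS-DeviceOSType') $($_.'msDS-DeviceOSVersion')"
                Enabled   = $_.'msDS-IsEnabled'
                LastLogon = $lastLogon
                Stale     = ($reference -lt $cutoff)
            }
        }
}

$report = @(Get-RegisteredDeviceReport -InactiveDays 90)
$report | Sort-Object LastLogon | Format-Table -AutoSize
"Stale devices: $(@($report | Where-Object Stale).Count) of $($report.Count)"
```

Run it with the same number of days you intend to pass to Set-AdfsDeviceRegistration -MaximumInactiveDays; the Stale column then previews which objects the ADFS clean-up would remove, and a device that is flagged stale but still in use is a sign that its last-logon stamp is not being updated and the threshold is too aggressive.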
Azure Device Registration Services is the next step in allowing and simplifying BYOD (Bring Your Own Device) access to corporate resources and online services with both company- and personally owned devices. While Azure Device Registration Service is currently a manual step, the expectation is that device registration, like MFA today, becomes available by default in Microsoft Intune without requiring the additional steps described in this blog.