From 090686b47b406907987dd74c82663047f6563cbc Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Mon, 20 May 2019 23:50:41 -0500 Subject: [PATCH 01/21] Added important note to solve #3421 --- .../hello-hybrid-cert-trust-devreg.md | 419 +++++++++--------- 1 file changed, 211 insertions(+), 208 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 38abf0762f..89e091fa17 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -41,6 +41,9 @@ Use this three-phased approach for configuring device registration. > > You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction) + +>[!IMPORTANT] +> To use Hybrid Identity with Azure Active Directory (HIAAD) and device WriteBack features you must use the in-built GUI with the [latest updates for ADConnect.](https://www.microsoft.com/download/details.aspx?id=47594) ## Configure Azure for Device Registration Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. @@ -117,8 +120,8 @@ If your AD FS farm is not already configured for Device Authentication (you can ![Device Registration](images/hybridct/device2.png) 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: - - `Import-module activedirectory` + + `Import-module activedirectory` `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` 3. On the pop-up window click **Yes**. 
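Review bot: the new callout in the @@ -41 hunk needs copy fixes before it lands: `>[!IMPORTANT]` lacks the space after `>` that the surrounding `> ` callout lines use, "in-built" should be "built-in", a comma is needed after "features", the period belongs outside the link (`[latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).`), and "HIAAD" is not an established abbreviation, so spell it out or drop it. It would also help to say which GUI is meant (the Azure AD Connect configuration wizard), since the sentence currently reads as if any GUI qualifies.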
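Review bot: the @@ -117 hunk is a whitespace-only reindent of the two command lines, but as rendered the second one reads `Initialize-ADDeviceRegistration -ServiceAccountName ""` with nothing between the quotes, so a reader who copies it gets an empty service account name. Make the placeholder visible (for example `"<ServiceAccountName>"`, with the angle brackets escaped or the command in a fenced block so markdown does not swallow them). The two lines are also inconsistent: the first has no prompt while the second carries `PS C:\>`, which gets copied along with the command; one fenced ```powershell block without prompts would fix both.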
@@ -143,7 +146,7 @@ The above PSH creates the following objects: ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS 1. Open Windows PowerShell and execute the following: - + `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` > [!NOTE] @@ -159,7 +162,7 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure 3. Run the following PowerShell command - `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` + `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. @@ -170,7 +173,7 @@ To ensure AD DS objects and containers are in the correct state for write back o 1. Open Windows PowerShell and execute the following: - `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` + `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format 
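Review bot: in the @@ -170 hunk the reindented command reads `Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name]`, so `-DomainName` has no argument and PowerShell rejects the call with a missing-argument error; a placeholder such as `[domain name]`, in the same bracket style as `[AD connector account name]`, should follow `-DomainName`. The explanatory sentence in the same hunk ends without a period ("in domain\accountname format"). Separately, the prompt is written `PS C:>` in the @@ -143 and @@ -159 hunks but `PS C:\>` in the @@ -117 hunk; pick one form, or better, drop the prompt from the copyable command.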
@@ -223,100 +226,100 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - ); + @RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + ); #### Issue objectGUID of the computer account on-premises **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. 
In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - ); + @RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + ); #### Issue objectSID of the computer account on-premises **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. 
In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2); + @RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2); #### Issue issuerID for computer when multiple verified domain names in Azure AD **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. 
- @RuleName = "Issue account type with the value User when its not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http:///adfs/services/trust/" - ); + @RuleName = "Issue account type with the value User when its not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL 
AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http:///adfs/services/trust/" + ); In the claim above, 
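Review bot: this reindent of the claim-rule blocks is whitespace-only, but the rendered text shows two broken places that the change should fix while it touches every line. In the "Capture UPN" rule the pattern `".+@(?.+)"` defines no capture group, yet the replacement `"http://${domain}/adfs/services/trust/"` references a group named `domain`; the named-group syntax (`(?<domain>.+)`) has evidently lost its angle brackets, and the computer rule's `Value = "http:///adfs/services/trust/"` has lost its host placeholder the same way. As printed, the first is an invalid .NET regex and the second issues an issuerid with an empty host, so neither rule can work if pasted. Putting these blocks in fenced code blocks keeps the angle brackets literal. The context sentence "one rule to explicitly issue the rule for users is necessary" should read "issue the claim for users".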
@@ -331,138 +334,138 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: - @RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - ); + @RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + ); #### Helper script to create the AD FS issuance transform rules The following script helps you with the creation of the issuance transform rules described above. 
$multipleVerifiedDomainNames = $false - $immutableIDAlreadyIssuedforUsers = $false - $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains - - $rule1 = '@RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - );' + $immutableIDAlreadyIssuedforUsers = $false + $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains + + $rule1 = '@RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + );' - $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - );' + $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" 
+ ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + );' - $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2);' + $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2);' - $rule4 = '' - if ($multipleVerifiedDomainNames -eq $true) { - $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD 
AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" - );' - } + $rule4 = '' + if ($multipleVerifiedDomainNames -eq $true) { + $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" + );' + } - $rule5 = '' - if ($immutableIDAlreadyIssuedforUsers -eq $true) { - $rule5 = '@RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - 
query = ";objectguid;{0}", - param = c2.Value - );' - } + $rule5 = '' + if ($immutableIDAlreadyIssuedforUsers -eq $true) { + $rule5 = '@RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + );' + } $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules @@ -479,8 +482,8 @@ The following script helps you with the creation of the issuance transform rules - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: - c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] - => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); + c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] + => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); - If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. From fd73c7439bc52b28fe6dc1511bbfb1e9d33dd7d0 Mon Sep 17 00:00:00 2001 
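Review bot: in the helper-script hunk (@@ -331) the first line, `$multipleVerifiedDomainNames = $false`, is unchanged context while every following line is reindented to four spaces; if it keeps the old indentation it renders differently from the rest and can split the code block, so include it in the reindent. Within the script, `$rule4` carries the same `".+@(?.+)"` pattern and `${domain}` reference as the prose block, so the named group needs restoring here too, and its rule name ("when it is not a computer") differs from the prose version ("when its not a computer"); use the same wording in both so the rule a reader sees matches the one the script creates.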
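Review bot: the example issuerid rule in the @@ -479 hunk has the same `(?.+)` pattern with a `${domain}` reference in the replacement, so the example as printed is not a valid rule; restore the named group here as well. The instruction in the same hunk to remove any existing issuerid rule created by Azure AD Connect is the important operational step and would be easier to spot as its own `> [!NOTE]` callout rather than a clause inside the bullet.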
From: Jose Gabriel Ortega Castro Date: Tue, 21 May 2019 10:42:05 -0500 Subject: [PATCH 02/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 89e091fa17..dd32a11521 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -43,7 +43,7 @@ Use this three-phased approach for configuring device registration. >[!IMPORTANT] -> To use Hybrid Identity with Azure Active Directory (HIAAD) and device WriteBack features you must use the in-built GUI with the [latest updates for ADConnect.](https://www.microsoft.com/download/details.aspx?id=47594) +> To use Hybrid Identity with Azure Active Directory (HIAAD) and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect.](https://www.microsoft.com/download/details.aspx?id=47594) ## Configure Azure for Device Registration Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. From 777f208e490b3b280c2ba416e800e96027d6f2bc Mon Sep 17 00:00:00 2001 
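Review bot: the comma and "built-in" fixes are fine, but the period still sits inside the link text (`[latest updates for ADConnect.](https://www.microsoft.com/download/details.aspx?id=47594)`) and "HIAAD" is still unexplained; either fold those into this commit or squash it with the follow-up commits that address them, since three one-line edits to the same sentence add noise to the history.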
From: Jose Gabriel Ortega Castro Date: Tue, 21 May 2019 10:42:15 -0500 Subject: [PATCH 03/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index dd32a11521..58a389dff3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -280,7 +280,7 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. - @RuleName = "Issue account type with the value User when its not a computer" + @RuleName = "Issue account type with the value User when it's not a computer" NOT EXISTS( [ Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", From c850a3fbc0fe20a98d435f8a96ae8985388ea5eb Mon Sep 17 00:00:00 2001 
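Review bot: "it's" is the right fix for the rule name in the prose block, but the same rule in the helper script further down (`$rule4`) is named "Issue account type with the value User when it is not a computer"; align the two wordings so the rule name in the explanation matches the one the script actually creates.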
From: Jose Gabriel Ortega Castro Date: Tue, 21 May 2019 14:27:35 -0500 Subject: [PATCH 04/21] Removing extra . Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 58a389dff3..f189e7c6dd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -43,7 +43,7 @@ Use this three-phased approach for configuring device registration. >[!IMPORTANT] -> To use Hybrid Identity with Azure Active Directory (HIAAD) and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect.](https://www.microsoft.com/download/details.aspx?id=47594) +> To use Hybrid Identity with Azure Active Directory (HIAAD) and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594). ## Configure Azure for Device Registration Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. From 6e2e41ea455c234d994d07cc988ef280c9681074 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 23 May 2019 15:49:27 -0700 Subject: [PATCH 05/21] Update hello-hybrid-cert-trust-devreg.md --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index f189e7c6dd..099f3efb96 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -43,7 +43,8 @@ Use this three-phased approach for configuring device registration. >[!IMPORTANT] -> To use Hybrid Identity with Azure Active Directory (HIAAD) and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594). +> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594). + ## Configure Azure for Device Registration Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. @@ -68,7 +69,7 @@ To locate the schema master role holder, open and command prompt and type: ![Netdom example output](images/hello-cmd-netdom.png) -The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. +The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. #### Updating the Schema From 96786f98ad342c1a844d06a64f589fc4b830e05a Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Wed, 29 May 2019 02:27:38 -0500 Subject: [PATCH 06/21] update --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 89e091fa17..1106715cb5 100644 
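Review bot: dropping the "HIAAD" abbreviation and the lowercase "hybrid identity" read well, and the blank line added after the callout is needed so the `## Configure Azure for Device Registration` heading does not attach to the quote block. In the @@ -68 hunk, the context line just above ("open and command prompt and type") has the same kind of slip this hunk fixes ("need to adprep.exe" to "need to run adprep.exe"); change it to "open a command prompt" while the paragraph is being edited.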
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -504,7 +504,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe ![Device Registration](images/hybridct/device8.png) - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - - read/write access to the specified AD connector account name on the new object +- read/write access to the specified AD connector account name on the new object - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - object of type msDS-DeviceRegistrationService in the above container From c9dc3973805e5eea709a80dff030fcfa226087b3 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Thu, 30 May 2019 11:17:57 -0500 Subject: [PATCH 07/21] Update with link + remove tab for 4 spaces. --- .../hello-hybrid-cert-trust-devreg.md | 455 +++++++++--------- 1 file changed, 229 insertions(+), 226 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 8ed0c57537..67f71d8749 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
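Review bot: the one-line change at @@ -504 promotes `- read/write access to the specified AD connector account name on the new object` from a nested item under the serviceConnectionPoint entry to a top-level item. That entry describes the permission granted on the SCP object listed directly above it, not an additional object, so it belongs nested; if the old indentation did not render as a sub-list, fix the indentation (a consistent indent before the dash) rather than flattening it, because flattening changes what the list says. Also, the commit message "update" does not say what changed, and the blob id `89e091fa17` on the index line is the state after patch 01 rather than the tip after patches 02 to 05, so this commit will need a rebase before it applies cleanly.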
@@ -28,6 +28,9 @@ Your environment is federated and you are ready to configure device registration > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. +>[!IMPORTANT] +> The identity team has simpolified the join flow for Azure AD device registration, the tutorial can be found [here](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains). + Use this three-phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization) @@ -121,9 +124,9 @@ If your AD FS farm is not already configured for Device Authentication (you can ![Device Registration](images/hybridct/device2.png) 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: - - `Import-module activedirectory` - `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` + + `Import-module activedirectory` + `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` 3. On the pop-up window click **Yes**. > [!NOTE] 
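Review bot: the new callout at @@ -28 has a typo ("simpolified" should be "simplified"), a comma splice ("...device registration, the tutorial can be found..."), a bare "here" as link text, and `>[!IMPORTANT]` without the space after `>` that the `> [!IMPORTANT]` directly above it uses. Suggested wording: `> [!IMPORTANT]` followed by `> The identity team has simplified the join flow for Azure AD device registration; see the [hybrid Azure AD join tutorial for federated domains](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains).` Two IMPORTANT callouts back to back also dilute each other; consider making the second a NOTE or merging them.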
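Review bot: the @@ -121 hunk re-applies the same tab-to-spaces change to `Import-module activedirectory` and `Initialize-ADDeviceRegistration` that patch 01's @@ -117 hunk already made (the minus lines here are the plus lines there), because this commit is based on a different blob (`8ed0c57537`); after a rebase this hunk and the reindent hunks that follow should collapse to nothing or to the real delta, which makes the series much easier to review. The empty `-ServiceAccountName ""` placeholder is still present in the plus line and should get a visible placeholder in the same change.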
@@ -147,8 +150,8 @@ The above PSH creates the following objects: ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS 1. Open Windows PowerShell and execute the following: - - `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` + + `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` > [!NOTE] > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep @@ -157,13 +160,13 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure 2. Provide your Azure AD global administrator credentials - `PS C:>$aadAdminCred = Get-Credential` + `PS C:>$aadAdminCred = Get-Credential` ![Device Registration](images/hybridct/device7.png) 3. Run the following PowerShell command - `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` + `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. 
@@ -174,7 +177,7 @@ To ensure AD DS objects and containers are in the correct state for write back o 1. Open Windows PowerShell and execute the following: - `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` + `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format 
@@ -227,100 +230,100 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - ); + @RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + ); #### Issue objectGUID of the computer account on-premises **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. 
In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - ); + @RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + ); #### Issue objectSID of the computer account on-premises **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. 
In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2); + @RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2); #### Issue issuerID for computer when multiple verified domain names in Azure AD **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. 
- @RuleName = "Issue account type with the value User when it's not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http:///adfs/services/trust/" - ); + @RuleName = "Issue account type with the value User when it's not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF 
AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http:///adfs/services/trust/" + ); In the claim above, 
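Review bot: two values in the re-indented claim rules look truncated rather than merely re-indented: the `regexreplace` pattern reads `".+@(?.+)"` while the replacement references `${domain}`, so the named capture group has lost its name, and the computer issuerID rule has `Value = "http:///adfs/services/trust/"` with no host between the slashes. Both are consistent with `<domain>`-style placeholders being dropped by the renderer; since the `+` lines reproduce them verbatim, check the source keeps the group name and a visible placeholder for the verified domain, otherwise the issuerid claim will not be built correctly by anyone copying these rules.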
@@ -335,146 +338,146 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: - @RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - ); + @RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + ); #### Helper script to create the AD FS issuance transform rules The following script helps you with the creation of the issuance transform rules described above. 
- $multipleVerifiedDomainNames = $false - $immutableIDAlreadyIssuedforUsers = $false - $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains - - $rule1 = '@RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - );' - - $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - );' - - $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2);' - - $rule4 = '' - if ($multipleVerifiedDomainNames -eq $true) { - $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == 
"http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" - );' - } - - $rule5 = '' - if ($immutableIDAlreadyIssuedforUsers -eq $true) { - $rule5 = '@RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - );' - } - - $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules - - $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 - - $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules - - Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString + $multipleVerifiedDomainNames = $false + $immutableIDAlreadyIssuedforUsers = $false + $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains + + $rule1 = '@RuleName = "Issue account type for 
domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + );' + + $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + );' + + $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2);' + + $rule4 = '' + if ($multipleVerifiedDomainNames -eq $true) { + $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = 
regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" + );' + } + + $rule5 = '' + if ($immutableIDAlreadyIssuedforUsers -eq $true) { + $rule5 = '@RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + );' + } + + $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules + + $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 + + $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules + + Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString #### Remarks 
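Review bot: the helper script appends `$rule4` (which issues issuerid) to `$existingRules` and then overwrites the rule set for `urn:federation:MicrosoftOnline` with `Set-AdfsRelyingPartyTrust`, but it never removes a pre-existing issuerid rule even though the Remarks that follow tell the reader to do so; consider having the script save `$existingRules` to a file before the update and state in a comment that any existing issuerid rule must be removed first, since a duplicated or conflicting issuerid claim affects every federated sign-in to Azure AD. The `(?.+)` / `${domain}` mismatch from the earlier hunk recurs inside `$rule4` here and should be fixed in the same place.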
@@ -483,8 +486,8 @@ The following script helps you with the creation of the issuance transform rules - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: - c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] - => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); + c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] + => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); - If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. @@ -497,8 +500,8 @@ Using an elevated PowerShell command window, configure AD FS policy by executing For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work - object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> - - read access to the AD FS service account - - read/write access to the Azure AD Connect sync AD connector account + - read access to the AD FS service account + - read/write access to the Azure AD Connect sync AD connector account - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container From 2ce723b45c28ce2d21a9ed88f1f91a84e6e379bc Mon Sep 17 00:00:00 2001 
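Review bot: in the @@ -483 hunk the Remarks text refers to the "Get-MsolDomains cmdlet", whereas the @@ -335 hunk's context links to `Get-MsolDomain`; the cmdlet name is singular, so fix it while this region is being edited. The example issuerid rule in the `+` lines carries the same `(?.+)` pattern without a group name.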
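Review bot: in the @@ -497 hunk the two `read access` / `read/write access` bullets are meant to nest under the ms-DS-DeviceContainer item, but the extracted `+` lines show no indentation; confirm they are indented by at least two spaces so they render as sub-bullets rather than as sibling top-level items.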
From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 15:10:52 -0500 Subject: [PATCH 08/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 67f71d8749..d5c7899982 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -374,7 +374,6 @@ The following script helps you with the creation of the issuance transform rules Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ" );' - $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", From 039e1fc155505f504977bf86625923c2b6d46e90 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 15:11:03 -0500 Subject: [PATCH 09/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index d5c7899982..355f26a044 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
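Review bot: removing the blank line before `$rule2 = ...` is harmless in PowerShell, but this and the following commits (PATCH 09 through 15) each delete one blank line in the same helper script; squash them into a single whitespace commit so the series stays reviewable.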
@@ -391,7 +391,6 @@ The following script helps you with the creation of the issuance transform rules query = ";objectguid;{0}", param = c2.Value );' - $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", From 4b6872f6717ef14a6e90660b56eac4e2676e39f4 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 15:11:10 -0500 Subject: [PATCH 10/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 355f26a044..57f74f6c6e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -468,7 +468,6 @@ The following script helps you with the creation of the issuance transform rules param = c2.Value );' } - $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 From 1b8cfc41b746c6b8265c2de17c76a7c330c20049 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 15:11:17 -0500 Subject: [PATCH 11/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 57f74f6c6e..46fda5bf95 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -473,7 +473,6 @@ The following script helps you with the creation of the issuance transform rules $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules - Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString #### Remarks From 563eebd5ca181ee26bbc5cc0470c9c96932a74bc Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 15:11:33 -0500 Subject: [PATCH 12/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 46fda5bf95..75c71ecd98 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -471,7 +471,6 @@ The following script helps you with the creation of the issuance transform rules $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 - $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString From 3be2c9c781ca24e6bf7ebd051fc0308d82eefbac Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 15:11:45 -0500 Subject: [PATCH 13/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 75c71ecd98..8e5c529493 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -469,7 +469,6 @@ The following script helps you with the creation of the issuance transform rules );' } $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules - $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString From 054556c963a909abff3a90ad263f929399331e0e Mon Sep 17 00:00:00 2001 
From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 15:11:55 -0500 Subject: [PATCH 14/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 8e5c529493..56ca6ad60c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -447,7 +447,6 @@ The following script helps you with the creation of the issuance transform rules Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" );' } - $rule5 = '' if ($immutableIDAlreadyIssuedforUsers -eq $true) { $rule5 = '@RuleName = "Issue ImmutableID for computers" From e93fda0490108bebe92ddd983b3ea59598ba03cd Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 15:12:02 -0500 Subject: [PATCH 15/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 56ca6ad60c..e330eab070 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -403,7 +403,6 @@ The following script helps you with the creation of the issuance transform rules Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(claim = c2);' - $rule4 = '' if ($multipleVerifiedDomainNames -eq $true) { $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" From 76d42f904fe8988cb89031a4628eb74db3fee9af Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Thu, 30 May 2019 15:31:45 -0500 Subject: [PATCH 16/21] Remove extra line --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 67f71d8749..a448fbf4d2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -44,7 +44,6 @@ Use this three-phased approach for configuring device registration. > > You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction) - >[!IMPORTANT] > To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594). From 77580bbfd4372c5bae0ce24615f53b4c63ad61f5 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 16:23:10 -0500 Subject: [PATCH 17/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
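Review bot: in the PATCH 16 hunk, deleting the blank line between `> You can learn about this and more by reading ...` and `>[!IMPORTANT]` merges the two blockquotes into one in Markdown, so the IMPORTANT alert will render as a continuation of the preceding note instead of as its own callout; keep the blank line between them.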
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 4cabdb55e8..214c890f1d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -499,7 +499,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe ![Device Registration](images/hybridct/device8.png) - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> -- read/write access to the specified AD connector account name on the new object + - read/write access to the specified AD connector account name on the new object - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - object of type msDS-DeviceRegistrationService in the above container From 984750afe46f57cf1b670d3c3c4d57100e827218 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 21:38:30 -0500 Subject: [PATCH 18/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 214c890f1d..31ae2dca74 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
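Review bot: the indentation added to the `read/write access to the specified AD connector account name on the new object` bullet correctly nests it under the serviceConnectionPoint item, matching the nested `read access` bullets earlier in the list; the context line spells the schema class `serviceConnectionpoint`, which should be `serviceConnectionPoint`.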
@@ -29,7 +29,7 @@ Your environment is federated and you are ready to configure device registration > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. >[!IMPORTANT] -> The identity team has simpolified the join flow for Azure AD device registration, the tutorial can be found [here](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains). +>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration. Use this three-phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) From df0023007154a5b96c271d997247df3e33dca377 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 30 May 2019 21:38:39 -0500 Subject: [PATCH 19/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 31ae2dca74..79d8a36e3d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
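Review bot: the rewritten sentence fixes "simpolified" and gives the link a descriptive title, which is an improvement; for style, the `+` line starts with `>Refer` while the other callouts in this file use `> ` with a space after the marker.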
@@ -28,7 +28,7 @@ Your environment is federated and you are ready to configure device registration > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. ->[!IMPORTANT] +>[!TIP] >Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration. Use this three-phased approach for configuring device registration. From 4732c0d2206f51c9ae1f091e135f195cef806dc4 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 17 Jun 2019 10:09:28 -0500 Subject: [PATCH 20/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index de59d7c3e5..2f9a34b9d6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -129,7 +129,6 @@ If your AD FS farm is not already configured for Device Authentication (you can `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` 3. On the pop-up window click **Yes**. - > [!NOTE] > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" 
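Review bot: in the PATCH 20 hunk, removing the blank line between `3. On the pop-up window click **Yes**.` and `> [!NOTE]` relies on the blockquote interrupting the list-item paragraph; check the rendered page, and note that the NOTE (GMSA account name format) belongs with the `-ServiceAccountName` parameter in step 2 rather than after step 3. The context line `Initialize-ADDeviceRegistration -ServiceAccountName ""` also shows an empty value where a placeholder should be visible.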
From 8eb6cb9a7a4aba12310006ec9f0585e2a6b2df77 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 17 Jun 2019 23:33:14 -0500 Subject: [PATCH 21/21] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 2f9a34b9d6..8a74c77ed5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -283,7 +283,7 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. - @RuleName = "Issue account type with the value User when its not a computer" + @RuleName = "Issue account type with the value User when it is not a computer" NOT EXISTS( [
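Review bot: changing "when its not a computer" to "when it is not a computer" in the rule name brings the prose version of the rule in line with the `$rule4` text in the helper script; `@RuleName` is only a label, so there is no behavioural change.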