|
|
|
@ -24,7 +24,6 @@ ms.reviewer:
|
|
|
|
- Hybrid deployment
|
|
|
|
- Hybrid deployment
|
|
|
|
- Certificate trust
|
|
|
|
- Certificate trust
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
|
|
|
|
Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
|
|
|
|
|
|
|
|
|
|
|
|
> [!IMPORTANT]
|
|
|
|
> [!IMPORTANT]
|
|
|
|
@ -34,15 +33,17 @@ Your environment is federated and you are ready to configure device registration
|
|
|
|
>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
|
|
|
|
>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
|
|
|
|
|
|
|
|
|
|
|
|
Use this three-phased approach for configuring device registration.
|
|
|
|
Use this three-phased approach for configuring device registration.
|
|
|
|
|
|
|
|
|
|
|
|
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
|
|
|
|
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
|
|
|
|
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
|
|
|
|
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
|
|
|
|
3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
|
|
|
|
3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
|
|
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
> [!NOTE]
|
|
|
|
> Before proceeding, you should familiarize yourself with device registration concepts such as:
|
|
|
|
> Before proceeding, you should familiarize yourself with device registration concepts such as:
|
|
|
|
> * Azure AD registered devices
|
|
|
|
>
|
|
|
|
> * Azure AD joined devices
|
|
|
|
> - Azure AD registered devices
|
|
|
|
> * Hybrid Azure AD joined devices
|
|
|
|
> - Azure AD joined devices
|
|
|
|
|
|
|
|
> - Hybrid Azure AD joined devices
|
|
|
|
>
|
|
|
|
>
|
|
|
|
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
|
|
|
|
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
|
|
|
|
|
|
|
|
|
|
|
|
@ -50,6 +51,7 @@ Use this three-phased approach for configuring device registration.
|
|
|
|
> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
|
|
|
|
> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
|
|
|
|
|
|
|
|
|
|
|
|
## Configure Azure for Device Registration
|
|
|
|
## Configure Azure for Device Registration
|
|
|
|
|
|
|
|
|
|
|
|
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
|
|
|
|
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
|
|
|
|
|
|
|
|
|
|
|
|
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal)
|
|
|
|
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal)
|
|
|
|
@ -92,8 +94,8 @@ Sign-in to the domain controller hosting the schema master operational role usin
|
|
|
|
> [!NOTE]
|
|
|
|
> [!NOTE]
|
|
|
|
> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.
|
|
|
|
> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Setup Active Directory Federation Services
|
|
|
|
### Setup Active Directory Federation Services
|
|
|
|
|
|
|
|
|
|
|
|
If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
|
|
|
|
If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
|
|
|
|
Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service.
|
|
|
|
Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service.
|
|
|
|
|
|
|
|
|
|
|
|
@ -104,28 +106,27 @@ Once you have your AD FS design ready, review [Deploying a Federation Server far
|
|
|
|
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
|
|
|
|
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
|
|
|
|
|
|
|
|
|
|
|
|
#### ADFS Web Proxy ###
|
|
|
|
#### ADFS Web Proxy ###
|
|
|
|
|
|
|
|
|
|
|
|
Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network.
|
|
|
|
Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network.
|
|
|
|
Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment.
|
|
|
|
Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment.
|
|
|
|
|
|
|
|
|
|
|
|
### Deploy Azure AD Connect
|
|
|
|
### Deploy Azure AD Connect
|
|
|
|
|
|
|
|
|
|
|
|
Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
|
|
|
|
Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
|
|
|
|
|
|
|
|
|
|
|
|
When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
|
|
|
|
When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
|
|
|
|
|
|
|
|
|
|
|
|
### Create AD objects for AD FS Device Authentication
|
|
|
|
### Create AD objects for AD FS Device Authentication
|
|
|
|
If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
> [!NOTE]
|
|
|
|
> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1.
|
|
|
|
> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1.
|
|
|
|
|
|
|
|
|
|
|
|
1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
|
|
|
|
1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
|
|
|
|
2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
|
|
|
|
|
|
|
|
|
|
|
|
`Import-module activedirectory`
|
|
|
|
`Import-module activedirectory`
|
|
|
|
`PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>"`
|
|
|
|
`PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>"`
|
|
|
|
3. On the pop-up window click **Yes**.
|
|
|
|
3. On the pop-up window click **Yes**.
|
|
|
|
@ -134,21 +135,20 @@ If your AD FS farm is not already configured for Device Authentication (you can
|
|
|
|
> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
|
|
|
|
> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The above PSH creates the following objects:
|
|
|
|
The above PSH creates the following objects:
|
|
|
|
|
|
|
|
|
|
|
|
- RegisteredDevices container under the AD domain partition
|
|
|
|
- RegisteredDevices container under the AD domain partition
|
|
|
|
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
|
|
|
|
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
|
|
|
|
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
|
|
|
|
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 <br>
|
|
|
|
|
|
|
|
|
|
|
|
4. Once this is done, you will see a successful completion message.
|
|
|
|
4. Once this is done, you will see a successful completion message.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Create Service Connection Point (SCP) in Active Directory
|
|
|
|
### Create Service Connection Point (SCP) in Active Directory
|
|
|
|
If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
|
|
|
|
If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
|
|
|
|
|
|
|
|
|
|
|
|
1. Open Windows PowerShell and execute the following:
|
|
|
|
1. Open Windows PowerShell and execute the following:
|
|
|
|
|
|
|
|
|
|
|
|
`PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"`
|
|
|
|
`PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"`
|
|
|
|
@ -157,13 +157,11 @@ If you plan to use Windows domain join (with automatic registration to Azure AD)
|
|
|
|
> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
|
|
|
|
> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2. Provide your Azure AD global administrator credentials
|
|
|
|
2. Provide your Azure AD global administrator credentials
|
|
|
|
|
|
|
|
|
|
|
|
`PS C:>$aadAdminCred = Get-Credential`
|
|
|
|
`PS C:>$aadAdminCred = Get-Credential`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3. Run the following PowerShell command
|
|
|
|
3. Run the following PowerShell command
|
|
|
|
|
|
|
|
|
|
|
|
`PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred`
|
|
|
|
`PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred`
|
|
|
|
@ -187,6 +185,7 @@ The above command creates the following objects for device write back to AD DS,
|
|
|
|
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
|
|
|
|
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
|
|
|
|
|
|
|
|
|
|
|
|
### Enable Device Write Back in Azure AD Connect
|
|
|
|
### Enable Device Write Back in Azure AD Connect
|
|
|
|
|
|
|
|
|
|
|
|
If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets
|
|
|
|
If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets
|
|
|
|
|
|
|
|
|
|
|
|
## Configure AD FS to use Azure registered devices
|
|
|
|
## Configure AD FS to use Azure registered devices
|
|
|
|
@ -213,17 +212,17 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints:
|
|
|
|
|
|
|
|
|
|
|
|
The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
|
|
|
|
The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
|
|
|
|
|
|
|
|
|
|
|
|
* `http://schemas.microsoft.com/ws/2012/01/accounttype`
|
|
|
|
- `http://schemas.microsoft.com/ws/2012/01/accounttype`
|
|
|
|
* `http://schemas.microsoft.com/identity/claims/onpremobjectguid`
|
|
|
|
- `http://schemas.microsoft.com/identity/claims/onpremobjectguid`
|
|
|
|
* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
|
|
|
|
- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
|
|
|
|
|
|
|
|
|
|
|
|
If you have more than one verified domain name, you need to provide the following claim for computers:
|
|
|
|
If you have more than one verified domain name, you need to provide the following claim for computers:
|
|
|
|
|
|
|
|
|
|
|
|
* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`
|
|
|
|
- `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`
|
|
|
|
|
|
|
|
|
|
|
|
If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers:
|
|
|
|
If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers:
|
|
|
|
|
|
|
|
|
|
|
|
* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`
|
|
|
|
- `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`
|
|
|
|
|
|
|
|
|
|
|
|
In the following sections, you find information about:
|
|
|
|
In the following sections, you find information about:
|
|
|
|
|
|
|
|
|
|
|
|
@ -239,7 +238,8 @@ The definition helps you to verify whether the values are present or if you need
|
|
|
|
|
|
|
|
|
|
|
|
**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this:
|
|
|
|
**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this:
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
```powershell
|
|
|
|
|
|
|
|
|
|
|
|
@RuleName = "Issue account type for domain-joined computers"
|
|
|
|
@RuleName = "Issue account type for domain-joined computers"
|
|
|
|
c:[
|
|
|
|
c:[
|
|
|
|
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
|
|
|
|
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
|
|
|
|
@ -256,7 +256,8 @@ The definition helps you to verify whether the values are present or if you need
|
|
|
|
|
|
|
|
|
|
|
|
**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
|
|
|
|
**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
```powershell
|
|
|
|
|
|
|
|
|
|
|
|
@RuleName = "Issue object GUID for domain-joined computers"
|
|
|
|
@RuleName = "Issue object GUID for domain-joined computers"
|
|
|
|
c1:[
|
|
|
|
c1:[
|
|
|
|
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
|
|
|
|
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
|
|
|
|
@ -280,7 +281,8 @@ The definition helps you to verify whether the values are present or if you need
|
|
|
|
|
|
|
|
|
|
|
|
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
|
|
|
|
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
```powershell
|
|
|
|
|
|
|
|
|
|
|
|
@RuleName = "Issue objectSID for domain-joined computers"
|
|
|
|
@RuleName = "Issue objectSID for domain-joined computers"
|
|
|
|
c1:[
|
|
|
|
c1:[
|
|
|
|
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
|
|
|
|
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
|
|
|
|
@ -299,7 +301,8 @@ The definition helps you to verify whether the values are present or if you need
|
|
|
|
|
|
|
|
|
|
|
|
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
|
|
|
|
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
```powershell
|
|
|
|
|
|
|
|
|
|
|
|
@RuleName = "Issue account type with the value User when it is not a computer"
|
|
|
|
@RuleName = "Issue account type with the value User when it is not a computer"
|
|
|
|
|
|
|
|
|
|
|
|
NOT EXISTS(
|
|
|
|
NOT EXISTS(
|
|
|
|
@ -355,7 +358,8 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain]
|
|
|
|
|
|
|
|
|
|
|
|
**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows:
|
|
|
|
**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows:
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
```powershell
|
|
|
|
|
|
|
|
|
|
|
|
@RuleName = "Issue ImmutableID for computers"
|
|
|
|
@RuleName = "Issue ImmutableID for computers"
|
|
|
|
c1:[
|
|
|
|
c1:[
|
|
|
|
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
|
|
|
|
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
|
|
|
|
@ -379,7 +383,8 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain]
|
|
|
|
|
|
|
|
|
|
|
|
The following script helps you with the creation of the issuance transform rules described above.
|
|
|
|
The following script helps you with the creation of the issuance transform rules described above.
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
```powershell
|
|
|
|
|
|
|
|
|
|
|
|
$multipleVerifiedDomainNames = $false
|
|
|
|
$multipleVerifiedDomainNames = $false
|
|
|
|
$immutableIDAlreadyIssuedforUsers = $false
|
|
|
|
$immutableIDAlreadyIssuedforUsers = $false
|
|
|
|
$oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains
|
|
|
|
$oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains
|
|
|
|
@ -506,7 +511,6 @@ The following script helps you with the creation of the issuance transform rules
|
|
|
|
|
|
|
|
|
|
|
|
- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule:
|
|
|
|
- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
~~~
|
|
|
|
~~~
|
|
|
|
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
|
|
|
|
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
|
|
|
|
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
|
|
|
|
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
|
|
|
|
@ -515,11 +519,13 @@ The following script helps you with the creation of the issuance transform rules
|
|
|
|
- If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**.
|
|
|
|
- If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**.
|
|
|
|
|
|
|
|
|
|
|
|
#### Configure Device Authentication in AD FS
|
|
|
|
#### Configure Device Authentication in AD FS
|
|
|
|
|
|
|
|
|
|
|
|
Using an elevated PowerShell command window, configure AD FS policy by executing the following command
|
|
|
|
Using an elevated PowerShell command window, configure AD FS policy by executing the following command
|
|
|
|
|
|
|
|
|
|
|
|
`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken`
|
|
|
|
`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken`
|
|
|
|
|
|
|
|
|
|
|
|
#### Check your configuration
|
|
|
|
#### Check your configuration
|
|
|
|
|
|
|
|
|
|
|
|
For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work
|
|
|
|
For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work
|
|
|
|
|
|
|
|
|
|
|
|
- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain>
|
|
|
|
- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain>
|
|
|
|
@ -542,6 +548,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
|
|
|
|
<hr>
|
|
|
|
<hr>
|
|
|
|
|
|
|
|
|
|
|
|
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
|
|
|
|
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
|
|
|
|
|
|
|
|
|
|
|
|
1. [Overview](hello-hybrid-cert-trust.md)
|
|
|
|
1. [Overview](hello-hybrid-cert-trust.md)
|
|
|
|
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
|
|
|
|
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
|
|
|
|
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
|
|
|
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
|
|
|
|
|
Alekhya Jupudi