deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Added identity matching section

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-02-24 09:29:35 -05:00
parent 09abf9fbf9
commit c670a88212
1 changed files with 42 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
education/windows/federated-sign-in.md
View File

@ -1,7 +1,7 @@
---
title: Configure federated sign-in for Windows devices
description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
ms.date: 02/10/2023
ms.date: 02/24/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -38,18 +38,25 @@ To implement federated sign-in, the following prerequisites must be met:
- [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS
- PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
- provisioning tools offered by the IdP
For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad).
1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
1. Enable federated sign-in on the Windows devices that the users will be using
> [!IMPORTANT]
> This feature is exclusively available for Windows Education SKUs, including Windows 11 SE, Windows 11 Pro Education and Windows Education.
1. Enable federated sign-in on the Windows devices
To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet.
> [!IMPORTANT]
> WS-Fed is the only supported federated protocol to join a device to Azure AD. If you have a SAMl 2.0 IdP, it's recommended to complete the Azure AD join process using one of the following methods:
> WS-Fed is the only supported federated protocol to join a device to Azure AD. If you have a SAML 2.0 IdP, it's recommended to complete the Azure AD join process using one of the following methods:
> - provisioning packages (PPKG)
> - Windows Autopilot self-deploying mode
### System requirements
Federated sign-in is supported on the following Windows SKUs:
- Windows 11 SE, version 22H2 and later
- Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
## Configure federated sign-in
To use web sign-in with a federated identity provider, your devices must be configured with different policies. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
@ -81,7 +88,7 @@ To configure federated sign-in using a provisioning package, use the following s
| <li> Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> Path: **`Policies/Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during he sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
@ -109,7 +116,35 @@ Federated sign-in doesn't work on devices that have the following settings enabl
- **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1]
- **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2]
- **Take a Test**, since it leverages the security policy above
- **Take a Test**, since it uses the security policy above
### Identity matching in Azure AD
When federated sign-in is enabled, the user's identity from the IdP must match an existing user object in Azure AD.
After the token sent by the IdP is validated, Azure AD searches for a matching user object in the tenant by using an attribute called *ImmutableId*.
If the matching object is found, the user is signed-in. If not, the user is presented with the following error message, showing that a user with an ImmutableId matching *260051* can't be found:
:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
> [!IMPORTANT]
> The ImmutableId matching is case-sensitive.
The ImmutableId is a string value that should be unique for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId is typically configured when the user is created in Azure AD, but it can also be updated later.\
In a scenario where a user is federated and you want to change the ImmutableId, you must:
1. Convert the user to a cloud-only user
1. Update the ImmutableId
1. Convert the user back to a federated user
Here's a PowerShell script example to update the ImmutableId for a federated user:
```powershell
#1. switch the user from federated to managed
Get-AzureADUser -SearchString alton@example.com | Set-AzureADUser -UserPrincipalName alexander@example.onmicrosoft.com
#2. swtich the user from managed to federated while setting the immutableId
Get-AzureADUser -SearchString alexander@example.onmicrosoft.com | Set-AzureADUser -UserPrincipalName alexander@example.com -ImmutableId '260051'
```
## Troubleshooting