ADFS 2016 no device contextual claims produced

Question
-
ADFS 2016 with web proxies. Federated domain with Office 365. We have Windows 10 automatic device registration with write-back that appears to be working well.
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
AzureAdDeviceId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AzureAdThumbprint : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AzureAdIdp : login.windows.net
AzureAdTenantId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AzureAdTenantName : Foo
AzureAdMdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
AzureAdSettingsUrl :
DomainJoined : YES
DomainName : XXXXX
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} (AzureAd)

When I look at the claims, no device contextual claims exist (see below). I must have missed something. Specifically I want to use isregistereduser in an Access Control Policy (Issuance Authorization Rule) on the Microsoft Office 365 Identity Platform Relying Party Trust so I can determine if the computer is domain-joined and allow/deny access to Office 365.
Issued identity:
http://schemas.xmlsoap.org/claims/UPN
xxxxxxx@foo.com
http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID
xxxxxxxxxx
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
xxxxxxxxxx
http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid
http://foo.com/adfs/services/trust/
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
/adfs/services/trust/13/usernamemixed
http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork
true
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
Windows-AzureAD-Authentication-Provider/1.0
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2017-02-23T00:37:38.475Z

Because the device is registered with the computer account there is no user associated with it, so my expectation is to see a claim of http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser with a value of False.
TIA!
Thursday, February 23, 2017 4:00 AM
Answers
-
I checked the logs after a scheduled reboot and the desired claims are now being generated. I have a call in to support to find out where the miscommunication is/was regarding this functionality.
Issued identity:
http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser
true
http://schemas.microsoft.com/2014/03/psso
true
http://schemas.microsoft.com/2014/09/devicecontext/claims/trusttype
Workplace
http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown
true
http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged
false
http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion
10.0 (10586)
http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype
Windows 10 Enterprise
- Marked as answer by Pierre Audonnet [MSFT] (Microsoft employee), Monday, March 13, 2017 2:37 AM
Monday, February 27, 2017 11:25 PM
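The rule the question asks for, written out as an added example (this is not code from the thread or from Microsoft): an AD FS 2016 issuance authorization rule set that permits the Office 365 relying party only when the token carries the isregistereduser device claim with value true, as seen in the answer's second capture. It assumes the relying party trust still has its default name "Microsoft Office 365 Identity Platform" and that the AD FS server already issues the device claims shown above; the claim type URIs are the ones on this page.

```powershell
# Added example, not from the thread: gate the Office 365 relying party on the
# isregistereduser device claim with AD FS 2016 issuance authorization rules.
# Run in an elevated PowerShell session on an AD FS 2016 server.
Import-Module ADFS

# Assumption: the RP trust keeps the default name created by Convert-MsolDomainToFederated.
$rpName = 'Microsoft Office 365 Identity Platform'

# Claim types exactly as they appear in the token capture above.
$isRegisteredUser = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'
$permit = 'http://schemas.microsoft.com/authorization/claims/permit'
$deny   = 'http://schemas.microsoft.com/authorization/claims/deny'

# Claim rule language. A deny claim wins over a permit claim if both are issued,
# so the first rule refuses any request whose token has no isregistereduser=true
# claim (including the first capture in the question, which had no device claims
# at all), and the second rule permits requests that do carry it.
$rules = @"
@RuleName = "Deny unless the device is registered"
NOT EXISTS([Type == "$isRegisteredUser", Value =~ "^(?i)true`$"])
 => issue(Type = "$deny", Value = "DenyUsersWithClaim");

@RuleName = "Permit registered devices"
c:[Type == "$isRegisteredUser", Value =~ "^(?i)true`$"]
 => issue(Type = "$permit", Value = "true");
"@

# AD FS 2016 assigns an access control policy to the trust by default; custom
# issuance authorization rules can only be set once that assignment is cleared.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Check: read back what is now configured on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Before enabling this on a production trust, confirm in the AD FS audit log that tokens for the clients you care about actually contain the device claims; the first capture in the question had none, and with the rule set above every such request is denied. The Premier support reply further down in the thread points to Azure AD Conditional Access for device-state decisions with Windows 10 automatic device registration, so treat the claim rule as something to verify against your own token captures rather than as a guaranteed substitute.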
All replies
-
Well this took a left turn... I opened a Premier support case and this functionality isn't available to Windows 10 with automatic device registration (described here). Azure AD Conditional Access must be used instead of ADFS claim rules that allow/deny based on the device state. I'm going to miss the flexibility of claim rules.
Friday, February 24, 2017 2:38 AM