Automatic hybrid Azure AD join for Windows 10 devices


 

Introduction

 



Azure Active Directory (Azure AD) provides device management when Windows devices are registered with Azure AD. Azure AD can make sure that devices meet an organization's standards for security and compliance. Devices joined to a local on-premises Active Directory domain can also join Azure AD by configuring hybrid Azure AD joined devices. In this cool solution, you will learn how to configure hybrid Azure AD join so that Windows devices register with Azure AD automatically.

 

Why is this useful?

 



This solution helps on-premises devices register automatically with Azure Active Directory. This enables conditional access, which checks the eligibility of a device before it is allowed to access enterprise resources.

 

Solution

 



Prepare Azure AD for automatic device registration.

    1. Follow the Microsoft documentation below to create a service connection point.
       - Tutorial: Configure hybrid Azure Active Directory joined devices manually
       - Custom installation of Azure AD Connect (at the User sign-in screen, select the checkbox “Enable single sign-on”)

    2. DNS configuration: finish the Enterpriseregistration CNAME record. See: Create DNS records for Office 365 using Windows-based DNS.

    3. To manage devices using the Azure portal and set the option “Users may register their devices with Azure AD” to “All”, follow the Microsoft documentation: How to manage devices using the Azure portal.



NAM configuration steps:

    1. Follow the Kerberos contract creation steps in the NetIQ Access Manager documentation.
       Sample configuration for the Kerberos class:

       [Screenshot: Kerberos class]

    2. Create the additional SPN as shown below.

       [Screenshot: SPN in AD]

    3. Create a Kerberos contract and verify that Kerberos authentication is working.

    4. Extract the engineering patch zip file (Solution.zip). Its contents are: nidp-wstrust-iwa.jar and mex2.jsp.

    5. Copy nidp-wstrust-iwa.jar to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib.

    6. Edit mex2.jsp: find host/secure.cloudtest6.info and change it to your own domain, for example host/secure.coles.com.

    7. Copy mex2.jsp to /opt/novell/nam/idp/webapps/nidp/jsp.

    8. Modify web.xml at /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml.

        8.1. Add mex2.jsp to the allowed list of JSPs (the publicAccess parameter of nidpJspFilter):

          <filter>
            <filter-name>nidpJspFilter</filter-name>
            <display-name>NIDP Jsp Filter</display-name>
            <description>The NIDP server JSP filter. Enforces authentication and
            handles clustering.</description>
            <filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
            <init-param>
              <param-name>publicAccess</param-name>
              <param-value>main.jsp;err.jsp;err2.jsp;login.jsp;nmaslogin.jsp;logoutSuccess.jsp;banner.jsp;nav.jsp;menus.jsp;footer.jsp;content.jsp;cards.jsp;title.jsp;error.jsp;curcard.jsp;createacct.jsp;x509err.jsp;clearCookieAuth.jsp;totpregistration.jsp;socialauth.jsp;socialauth_provision.jsp;socialauth_return.jsp;mex.jsp;errorPage.jsp;DeviceRegistrationConsent.jsp;login_snippet.jsp;mex2.jsp</param-value>
            </init-param>
          </filter>

        8.2. Add a servlet and servlet mapping that serve mex2.jsp as the mex endpoint:

          <servlet>
            <servlet-name>NetIQSTS12MEX</servlet-name>
            <jsp-file>/jsp/mex2.jsp</jsp-file>
            <load-on-startup>1</load-on-startup>
          </servlet>
          <servlet-mapping>
            <servlet-name>NetIQSTS12MEX</servlet-name>
            <url-pattern>/wstrust/sts/mex</url-pattern>
          </servlet-mapping>

        8.3. Comment out the existing mapping for mex:

          <!--<servlet-mapping>
            <servlet-name>NetIQSTS</servlet-name>
            <url-pattern>/wstrust/sts/mex</url-pattern>
          </servlet-mapping>
          -->

    9. Restart the IDP.

    10. Test the new mex endpoint at https://<<IDP>>/wstrust/sts/mex; the URL should return the mex output.

    11. Log in to the NAM admin console and add these global parameters.

       DEVICE_DOMAIN_JOIN_CONTRACT_ID = the Kerberos contract ID

       [Screenshot: Kerberos contract]

       DEVICE_DOMAIN_JOIN_SEARCH_USER_STORE = the AD user store where the devices register, and the container CN=computers,DC=<<domain>>,DC=<<domain>>
       (example: cn=computers,DC=cloudtest,DC=info for the cloudtest.info domain).

       [Screenshot: user store]

       Screenshot of the parameters configured:

       [Screenshot: config params]

    12. Update the configuration.

    Note: if there are multiple IDPs in a cluster, repeat steps 4-9 above on each IDP.
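The web.xml edits in step 8 open mex2.jsp to unauthenticated access and move the mex endpoint to it, so it is worth checking the result on every IDP in the cluster. The following added check (written for this article, not part of the solution or of NetIQ Access Manager) parses a web.xml and verifies that mex2.jsp is in the nidpJspFilter publicAccess list, that /wstrust/sts/mex is mapped only to NetIQSTS12MEX, and that this servlet points at /jsp/mex2.jsp. The embedded web.xml is a constructed sample, and the "{*}" namespace wildcard needs Python 3.8 or later.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the edited web.xml (not the real NAM file): mex2.jsp added to
# publicAccess, /wstrust/sts/mex remapped to NetIQSTS12MEX, the old mapping commented out.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>nidpJspFilter</filter-name>
    <init-param>
      <param-name>publicAccess</param-name>
      <param-value>main.jsp;login.jsp;mex.jsp;mex2.jsp</param-value>
    </init-param>
  </filter>
  <servlet>
    <servlet-name>NetIQSTS12MEX</servlet-name>
    <jsp-file>/jsp/mex2.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>NetIQSTS12MEX</servlet-name>
    <url-pattern>/wstrust/sts/mex</url-pattern>
  </servlet-mapping>
  <!--<servlet-mapping>
    <servlet-name>NetIQSTS</servlet-name>
    <url-pattern>/wstrust/sts/mex</url-pattern>
  </servlet-mapping>-->
</web-app>"""

MEX_PATH = "/wstrust/sts/mex"

def check_mex_config(web_xml):
    """Return findings for the three web.xml edits; an empty list means all are in place."""
    # "{*}" matches any namespace; the parser drops XML comments, so the commented-out mapping is ignored
    root = ET.fromstring(web_xml)
    findings, public = [], []
    for flt in root.findall("{*}filter"):
        if flt.findtext("{*}filter-name", "").strip() != "nidpJspFilter":
            continue
        for param in flt.findall("{*}init-param"):
            if param.findtext("{*}param-name", "").strip() == "publicAccess":
                public = [p.strip() for p in param.findtext("{*}param-value", "").split(";")]
    if "mex2.jsp" not in public:
        findings.append("mex2.jsp is not in the nidpJspFilter publicAccess list")
    mapped = [m.findtext("{*}servlet-name", "").strip() for m in root.findall("{*}servlet-mapping")
              if m.findtext("{*}url-pattern", "").strip() == MEX_PATH]
    if mapped != ["NetIQSTS12MEX"]:
        findings.append("%s is mapped to %s, expected only NetIQSTS12MEX" % (MEX_PATH, mapped))
    jsp = {s.findtext("{*}servlet-name", "").strip(): s.findtext("{*}jsp-file", "").strip()
           for s in root.findall("{*}servlet")}
    if jsp.get("NetIQSTS12MEX") != "/jsp/mex2.jsp":
        findings.append("NetIQSTS12MEX servlet does not point at /jsp/mex2.jsp")
    return findings
```

To run it against a real IDP, pass the contents of /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml to check_mex_config instead of the sample.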

 

 

Control the hybrid Azure AD join of your devices.

 



Create a Group Policy that controls which devices can join Azure AD automatically. Follow the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control.

When all of the above steps are completed, domain-joined devices will automatically register with Azure Active Directory (AD). The automatic registration to Azure AD completes when the device restarts.

Screenshot of the device registration command output (“dsregcmd /debug”):

[Screenshot: dsregcmd /debug output]

Screenshot of the Azure portal showing the registered devices:

[Screenshot: Azure portal, Devices]

Log in to the Microsoft Azure portal and navigate to Azure Active Directory and then Devices.

Using PowerShell commands to query devices

    1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.

    2. Connect to your Azure Active Directory tenant using the command “Connect-MsolService”.

    3. Enter the Azure AD administrator credentials.

    4. Execute the following command:

       Get-MsolDevice -All

[Screenshot: PowerShell device list]

 

Additional Information

 



The following additional options are available with the dsregcmd command:
“dsregcmd /status” -> shows the device registration status
“dsregcmd /leave” -> deregisters the device

https://docs.microsoft.com/en-us/azure/active-directory/devices/faq

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current


 

SSO to Microsoft Azure Applications

 




  1. When a device is automatically registered to Azure AD, the following things happen:

      1.1. The device sends a Kerberos token to NAM via the WS-Trust protocol.

      1.2. The device generates a certificate signing request (CSR), sends it to Azure DRS and gets a signed certificate for that device.

      1.3. The device generates a second certificate to use with the Primary Refresh Token (PRT), using the user's credentials.

  2. The PRT is used for SSO when users access Azure AD applications.
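“dsregcmd /status” is the quickest way to confirm on a device that the registration above completed and that a PRT is present for SSO. The following added helper (written for this article, not part of the solution or of dsregcmd) parses that output into its sections, classifies the join state from the AzureAdJoined and DomainJoined flags, and reports whether a PRT is present. The embedded output is a constructed excerpt; the section and key names assumed are the ones dsregcmd prints under Device State and SSO State.

```python
import re

# Constructed dsregcmd /status excerpt for a hybrid-joined device (not real output)
SAMPLE_STATUS = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CLOUDTEST

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-05-20 09:12:33.000 UTC
"""

SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|\s*$")          # "| Device State |"
PAIR_RE = re.compile(r"^\s*([^:|+]+?)\s*:\s*(.*?)\s*$")   # "   Key : value"

def parse_dsregcmd(text):
    """Parse dsregcmd /status output into {section: {key: value}}."""
    sections, current = {}, "(none)"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PAIR_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group(1)] = m.group(2)
    return sections

def join_state(sections):
    """Classify the device from the two Device State flags that define hybrid join."""
    dev = sections.get("Device State", {})
    aad, dom = dev.get("AzureAdJoined") == "YES", dev.get("DomainJoined") == "YES"
    if aad and dom:
        return "Hybrid Azure AD joined"
    if aad:
        return "Azure AD joined"
    if dom:
        return "Domain joined only (not registered with Azure AD)"
    return "Not joined"

def has_prt(sections):
    # a PRT is what the SSO flow above relies on; NO here means SSO to Azure AD apps will not work
    return sections.get("SSO State", {}).get("AzureAdPrt") == "YES"
```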




 


Please share your comments!!




Download the document file here.








