Automatic hybrid Azure AD join for Windows 10 devices


Introduction



Azure Active Directory (Azure AD) provides device management when Windows devices are registered with Azure AD. Azure AD can make sure that devices meet an organization's standards for security and compliance. Devices joined to an on-premises Active Directory domain can also be joined to Azure AD by configuring hybrid Azure AD join. In this cool solution, you will learn how to configure hybrid Azure AD join so that Windows devices register with Azure AD automatically.

Why is this useful?



This solution helps on-premises domain-joined devices register automatically with Azure Active Directory. Registration enables conditional access, which checks a device's eligibility before it is allowed to reach enterprise resources.

Solution



Prepare Azure AD for automatic device registration




  1. Follow the Microsoft documentation below to create a service connection point.
    - Tutorial: Configure hybrid Azure Active Directory joined devices manually
    - Custom installation of Azure AD Connect (on the User Sign-in screen, select the “Enable single sign-on” checkbox)

  2. DNS configuration (complete the enterpriseregistration CNAME record): Create DNS records for Office 365 using Windows-based DNS

  3. To manage devices using the Azure portal and set the option “Users may register their devices with Azure AD” to “All”, follow the Microsoft documentation:
    How to manage devices using the Azure portal


NAM Configuration steps:


  1. Follow the NetIQ Access Manager documentation on Kerberos contract creation.
    Sample configuration for the Kerberos class:

    Screenshot: Kerberos class configuration

  2. Create the additional SPN as shown below.

    Screenshot: SPN in AD

  3. Create a Kerberos contract and make sure Kerberos authentication is working.

  4. Extract the engineering patch zip file (Solution.zip). Its contents are: nidp-wstrust-iwa.jar, mex2.jsp

  5. Copy nidp-wstrust-iwa.jar to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib.

  6. Edit mex2.jsp: find host/secure.cloudtest6.info and change it to your own domain, for example host/secure.coles.com.

  7. Copy mex2.jsp to /opt/novell/nam/idp/webapps/nidp/jsp.

  8. Modify web.xml at location /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml.

    1. Add mex2.jsp to the allowed list of JSPs (the publicAccess parameter of nidpJspFilter):

      <filter>
        <filter-name>nidpJspFilter</filter-name>
        <display-name>NIDP Jsp Filter</display-name>
        <description>The NIDP server JSP filter. Enforces authentication and
        handles clustering.</description>
        <filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
        <init-param>
          <param-name>publicAccess</param-name>
          <param-value>main.jsp;err.jsp;err2.jsp;login.jsp;nmaslogin.jsp;logoutSuccess.jsp;banner.jsp;nav.jsp;menus.jsp;footer.jsp;content.jsp;cards.jsp;title.jsp;error.jsp;curcard.jsp;createacct.jsp;x509err.jsp;clearCookieAuth.jsp;totpregistration.jsp;socialauth.jsp;socialauth_provision.jsp;socialauth_return.jsp;mex.jsp;errorPage.jsp;DeviceRegistrationConsent.jsp;login_snippet.jsp;mex2.jsp</param-value>
        </init-param>
      </filter>

    2. Add a servlet mapping that serves mex2.jsp as the mex endpoint:

      <servlet>
        <servlet-name>NetIQSTS12MEX</servlet-name>
        <jsp-file>/jsp/mex2.jsp</jsp-file>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>NetIQSTS12MEX</servlet-name>
        <url-pattern>/wstrust/sts/mex</url-pattern>
      </servlet-mapping>


    3. Comment out the existing mapping for mex:

      <!--
      <servlet-mapping>
        <servlet-name>NetIQSTS</servlet-name>
        <url-pattern>/wstrust/sts/mex</url-pattern>
      </servlet-mapping>
      -->


  9. Restart the IDP.

  10. Test the new mex endpoint at https://<<IDP>>/wstrust/sts/mex; the URL should return the mex output.

  11. Log in to the NAM admin console and add these global parameters.

    DEVICE_DOMAIN_JOIN_CONTRACT_ID = the Kerberos contract ID

    Screenshot: Kerberos contract

    DEVICE_DOMAIN_JOIN_SEARCH_USER_STORE = the AD user store where devices register, and the container CN=computers,DC=<<domain>>,DC=<<domain>>

    Example: cn=computers,DC=cloudtest,DC=info for the cloudtest.info domain.

    Screenshot: user store

    Screenshot of parameters configured:

    Screenshot: config params

  12. Update the configuration.

    Note: if there are multiple IDPs in a cluster, repeat steps 4-9 on each of them.
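Two checks that belong with steps 10 and 11, written as an added example for a Windows client (this is not code from the article, from NetIQ or from Micro Focus). The IDP host name and DNS domain are values you supply. The first check fetches the mex endpoint and confirms it answers with an XML document rather than, say, an HTML page from the JSP filter. The second builds the container DN in the form the article uses for DEVICE_DOMAIN_JOIN_SEARCH_USER_STORE and confirms the local computer account is actually under it, because an account that lives outside that container is outside what NAM is told to search; it assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example (not part of the article or of the NAM product): post-configuration checks
# run from a Windows client. $IdpHost and $DnsDomain are values you supply.

function Test-MexEndpoint {
    param([Parameter(Mandatory)][string]$IdpHost)

    # Step 10 of the article: the new servlet mapping serves mex2.jsp at this path
    $uri = "https://$IdpHost/wstrust/sts/mex"
    try {
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    } catch {
        return [pscustomobject]@{ Uri = $uri; Reachable = $false; IsXml = $false; RootElement = $null; Error = $_.Exception.Message }
    }

    # A mex endpoint answers with an XML metadata document; an HTML page instead is a sign
    # that the web.xml edits (publicAccess list, servlet mapping) were not picked up
    $root  = $null
    $isXml = $false
    try {
        $xml   = [xml]$response.Content
        $isXml = $true
        $root  = $xml.DocumentElement.LocalName
    } catch { }

    [pscustomobject]@{
        Uri         = $uri
        Reachable   = ($response.StatusCode -eq 200)
        IsXml       = $isXml
        RootElement = $root
        Error       = $null
    }
}

function Get-DeviceSearchBase {
    param(
        [Parameter(Mandatory)][string]$DnsDomain,
        [string]$Container = 'CN=Computers'
    )
    # cloudtest.info -> CN=Computers,DC=cloudtest,DC=info, the form the article uses
    $dcPart = ($DnsDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    return "$Container,$dcPart"
}

function Test-ComputerInSearchBase {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Requires the ActiveDirectory RSAT module. A computer account located outside this
    # container is outside the scope NAM is configured to search.
    $found = $null
    try {
        $found = Get-ADComputer -SearchBase $SearchBase -Filter "Name -eq '$ComputerName'" -ErrorAction Stop
    } catch {
        $found = $null
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        SearchBase   = $SearchBase
        Found        = [bool]$found
    }
}

# Usage with placeholder values: replace idp.example.com with your IDP host name
$idp  = 'idp.example.com'
$base = Get-DeviceSearchBase -DnsDomain 'cloudtest.info'   # the article's example domain
Test-MexEndpoint -IdpHost $idp | Format-List
Test-ComputerInSearchBase -SearchBase $base | Format-List
```

Run both from a domain-joined Windows machine; Found = False for a machine you expect to join means its computer object sits in an OU other than the one named in the NAM parameter.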


Control the hybrid Azure AD join of your devices.



Create a group policy that controls which devices can join Azure AD automatically. Follow the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control.

When all the steps above are completed, domain-joined devices register automatically with Azure Active Directory (AD). The automatic registration to Azure AD completes when the device restarts.

Screenshot of device registration command output: “dsregcmd /debug”.

Screenshot: dsregcmd debug output

Screenshot of the Azure console for registered devices:

Screenshot: Azure portal device list

Log in to the Microsoft Azure Portal and navigate to Azure Active Directory > Devices.

Using PowerShell commands to query devices

  1. Open the Microsoft Azure Active Directory Module for Windows PowerShell

  2. Connect to your Azure Active Directory tenant using the command “Connect-MsolService”

  3. Enter Azure AD administrator credentials

  4. Execute the following command: “Get-MsolDevice -All”

Screenshot: PowerShell device list
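An added example (not from the article) that builds on step 4: after Connect-MsolService, it filters Get-MsolDevice -All down to hybrid Azure AD joined devices (DeviceTrustType 'Domain Joined') and flags the ones that are disabled or have not logged on recently, which is the hygiene question a device inventory should answer. The 90-day staleness threshold is an assumption; the property names are those of the MSOnline device object.

```powershell
# Added example (not part of the article): inventory hybrid Azure AD joined devices with the
# MSOnline module. Assumes Connect-MsolService has already been run in this session.

function Get-HybridJoinedDeviceReport {
    param(
        # Devices with no logon newer than this are reported as stale (assumed threshold)
        [int]$StaleDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Get-MsolDevice -All returns every device object in the tenant; hybrid Azure AD joined
    # devices carry DeviceTrustType 'Domain Joined' (comparison is case-insensitive)
    Get-MsolDevice -All |
        Where-Object { $_.DeviceTrustType -eq 'Domain Joined' } |
        ForEach-Object {
            $lastLogon = $_.ApproximateLastLogonTimestamp
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                DeviceId    = $_.DeviceId
                OsType      = $_.DeviceOsType
                OsVersion   = $_.DeviceOsVersion
                Enabled     = $_.Enabled
                LastLogon   = $lastLogon
                # No logon timestamp at all counts as stale too
                Stale       = ($null -eq $lastLogon) -or ($lastLogon -lt $cutoff)
            }
        }
}

# Report, oldest logon first, followed by a one-line summary
$report = @(Get-HybridJoinedDeviceReport -StaleDays 90)
$report | Sort-Object LastLogon | Format-Table -AutoSize

$disabled = @($report | Where-Object { -not $_.Enabled }).Count
$stale    = @($report | Where-Object { $_.Stale }).Count
'{0} hybrid joined devices, {1} disabled, {2} stale (> 90 days)' -f $report.Count, $disabled, $stale
```

Stale or disabled entries are the ones to reconcile against the on-premises computer accounts; a device that still exists in Azure AD but no longer exists in AD keeps a registration that nothing cleans up on its own.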

Additional Information



The following additional options are available with the dsregcmd command:
  - “dsregcmd /status” -> shows the device registration status
  - “dsregcmd /leave” -> deregisters the device

https://docs.microsoft.com/en-us/azure/active-directory/devices/faq

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
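The dsregcmd /status output is what you read to confirm the result of the steps above. This added example (not from the article or from Microsoft) parses that output into key/value pairs and checks the three fields a hybrid join should show: DomainJoined, AzureAdJoined and, for the SSO flow described later on this page, AzureAdPrt. The sample text in the block is constructed to look like dsregcmd output and is not a real capture; set $Live to $true on a domain-joined machine to read the real command.

```powershell
# Added example (not from the article): parse "dsregcmd /status" and check hybrid join state.
# The sample below is constructed in the shape of dsregcmd output; it is not a real capture.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    # dsregcmd prints "Key : Value" rows under boxed section headers; only rows containing a
    # colon carry data. Keys may contain spaces (for example "Executing Account Name").
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9_ \-]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$Status)

    # Hybrid join means on-premises domain joined AND Azure AD joined. AzureAdPrt reports
    # whether the user obtained a Primary Refresh Token (the SSO credential); it reflects the
    # account the command runs as, so run dsregcmd as the logged-on user to read it.
    $domainJoined  = ($Status['DomainJoined']  -eq 'YES')
    $azureAdJoined = ($Status['AzureAdJoined'] -eq 'YES')
    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        AzureAdPrt    = ($Status['AzureAdPrt'] -eq 'YES')
        DeviceId      = $Status['DeviceId']
        TenantName    = $Status['TenantName']
        HybridJoined  = ($domainJoined -and $azureAdJoined)
    }
}

# Constructed sample (not a real capture); values are placeholders
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CLOUDTEST
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Example Tenant (constructed)
                  TenantId : 00000000-0000-0000-0000-000000000000

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@
$sampleLines = $sample -split "`r?`n"

$Live  = $false   # set to $true on a domain-joined machine to parse the real command output
$lines = if ($Live) { & dsregcmd /status } else { $sampleLines }

$state = Test-HybridJoinState -Status (ConvertFrom-DsregcmdStatus -Lines $lines)
$state | Format-List
```

With the constructed sample, HybridJoined and AzureAdPrt both come out True. On a real machine, DomainJoined True with AzureAdJoined False after a restart is the case the troubleshooting guide linked above covers.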


SSO to Microsoft Azure Applications




  1. When a device is automatically registered to Azure AD, the following things happen:

    1. The device sends a Kerberos token to NAM via the WS-Trust protocol.

    2. The device generates a certificate signing request (CSR), sends it to Azure DRS, and receives a certificate signed for that device.

    3. The device generates a second certificate, to be used with the Primary Refresh Token (PRT), using the user's credentials.

    4. The PRT provides SSO for users when they access Azure AD applications.




References:

  • https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control
  • https://docs.microsoft.com/en-us/office365/admin/dns/create-dns-records-using-windows-based-dns?redirectSourcePath=%252fen-us%252farticle%252fCreate-DNS-records-for-Office-365-using-Windows-based-DNS-9eec911d-5773-422c-9593-40e1147ffbde&view=o365-worldwide#bkmk_add_cname
  • https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual-steps
  • https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains
  • https://jairocadena.com/2016/02/01/azure-ad-join-what-happens-behind-the-scenes/
  • https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration




    Download the document file here.









    Attachments

    Comments
    Where do I find the Engineering patch mentioned ?????
    Agreed I second the request. Where do I find the Engineering patch mentioned ?????
    Updated the cool solution with solution.zip to download the required jar and jsp files.
    We have followed the steps, but we still have problems enrolling devices (we have only tried with iOS) through the Access Manager. In our ADFS environment it works as expected.

    Is there anyone I can turn to to talk about this?
    Hi please do send email to me Chandra.tumula@netiq.com
    Version history: Revision 1 of 1
    Last update: 2019-01-08 21:07
    Updated by: Micro Focus Contributor