Automatic hybrid Azure AD join for Windows 10 devices
Azure Active Directory (Azure AD) provides device management when Windows devices are registered with Azure AD, and it can make sure that devices meet an organization's standards for security and compliance. Devices that are joined to an on-premises Active Directory domain can additionally be joined to Azure AD by configuring hybrid Azure AD join. In this cool solution you will learn how to configure hybrid Azure AD join, with NetIQ Access Manager (NAM) acting as the federated identity provider, so that Windows devices register with Azure AD automatically.
Why is this useful?
This solution lets on-premises, domain-joined devices register automatically with Azure Active Directory. Once a device is registered, Azure AD conditional access can check the device's eligibility (its registration state) before it is allowed to access enterprise resources.
Prepare Azure AD for Automatic device Registration.
- Follow the Microsoft documentation below to create the service connection point (SCP):
  Tutorial: Configure hybrid Azure Active Directory joined devices manually
- Run a custom installation of Azure AD Connect (on the User sign-in screen, select the checkbox “Enable single sign-on”).
- DNS configuration: create the enterpriseregistration CNAME record for your domain (enterpriseregistration.<<domain>> pointing to enterpriseregistration.windows.net). See: Create DNS records for Office 365 using Windows-based DNS
- To manage devices from the Azure portal, set the option “Users may register their devices with Azure AD” to “All”, following the Microsoft documentation:
  How to manage devices using the Azure portal
NAM configuration steps:
- Follow the Kerberos contract creation steps in the NetIQ Access Manager documentation.
Sample configuration for the Kerberos class:
- Create the additional SPN as shown below.
- Create a Kerberos contract and verify that Kerberos authentication to the IDP works before continuing.
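As an added example of the SPN step above (this is not code from the original article), the PowerShell below registers the additional host/ SPN on the Kerberos service account the NAM IDP uses and then verifies it from a domain-joined Windows client. The service account name namkrb is an assumption; the IDP host secure.cloudtest6.info is the value that appears in mex2.jsp. Run it on a domain-joined machine as a user who is allowed to write SPNs.

```powershell
# Added example (not from the original article): register the extra host/ SPN
# that mex2.jsp advertises on the Kerberos service account NAM uses, then
# verify it. Assumptions: the service account is 'namkrb' and the IDP host is
# secure.cloudtest6.info; substitute your own values.
$ServiceAccount = 'namkrb'
$IdpHost        = 'secure.cloudtest6.info'
$Spn            = "host/$IdpHost"

# -S (rather than -A) refuses to add the SPN if it already exists anywhere in
# the forest; a duplicate SPN silently breaks Kerberos for both accounts.
setspn -S $Spn $ServiceAccount
if ($LASTEXITCODE -ne 0) { throw "setspn failed for $Spn" }

# Confirm the account now carries the new host/ SPN (the HTTP/ SPN from the
# Kerberos contract setup should be listed alongside it).
$registered = setspn -L $ServiceAccount
if (-not ($registered -match [regex]::Escape($Spn))) { throw "$Spn is not registered on $ServiceAccount" }
$registered

# Forest-wide duplicate check; expect it to report no duplicate SPNs.
setspn -X -F

# From the domain-joined client, request a service ticket for the new SPN.
# If klist cannot obtain one, the SPN is wrong, duplicated, or not resolvable.
klist purge | Out-Null
klist get $Spn
if ($LASTEXITCODE -ne 0) { throw "could not obtain a Kerberos ticket for $Spn" }
klist | Select-String -Pattern $IdpHost
```

Running the duplicate check before creating the Kerberos contract saves a lot of debugging later: a duplicate SPN produces an authentication failure on the client that looks exactly like a broken NAM contract.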
- Extract the engineering patch zip file (Solution.zip); its contents are nidp-wstrust-iwa.jar and mex2.jsp.
- Copy nidp-wstrust-iwa.jar to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib.
- Edit mex2.jsp: find host/secure.cloudtest6.info and replace it with the host/ SPN of your own IDP, for example host/secure.coles.com.
- Copy mex2.jsp to /opt/novell/nam/idp/webapps/nidp/jsp.
- Modify web.xml at /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml:
  - Add mex2.jsp to the allowed list of JSPs in the NIDP JSP filter:
<display-name>NIDP Jsp Filter</display-name>
<description>The NIDP server JSP filter. Enforces authentication and
  - Add a servlet mapping so that mex2.jsp is served as the mex endpoint.
  - Comment out the existing mapping for mex.
- Restart the IDP.
- Test the new mex endpoint by browsing to https://<<IDP>>/wstrust/sts/mex; the response should now be the output of mex2.jsp rather than the original mex endpoint.
- Log in to the NAM Administration Console and add these global parameters:
DEVICE_DOMAIN_JOIN_CONTRACT_ID = the ID of the Kerberos contract created above
DEVICE_DOMAIN_JOIN_SEARCH_USER_STORE = the AD user store in which the devices register, together with the container that holds the computer objects: CN=computers,DC=<<domain>>,DC=<<domain>>
Example: cn=computers,DC=cloudtest,DC=info for the cloudtest.info domain.
Screenshot of parameters configured:
- Update configuration
Note: if there are multiple IDP servers in a cluster, repeat the steps above, from extracting the patch through testing the mex endpoint, on every IDP node in the cluster.
Control the hybrid Azure AD join of your devices.
Create a group policy that controls which devices may join Azure AD automatically. Follow the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control.
When all of the above steps are completed, domain-joined devices will automatically register with Azure Active Directory (AD). The automatic registration is completed when the device restarts.
Screenshot of device registration command output: “dsregcmd /debug”.
Screenshot of the Azure console for registered devices:
Login to Microsoft Azure Portal and Navigate to Azure Active Directory and Devices.
Using PowerShell commands to query devices
- Open the Microsoft Azure Active Directory Module for Windows PowerShell
- Connect to your Azure Active Directory tenant with the command “Connect-MsolService”
- Enter Azure AD administrator credentials when prompted
- Execute the following command
The following additional options are available with the dsregcmd command:
“dsregcmd /status” -> shows the device registration status
“dsregcmd /leave” -> deregisters the device
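The following PowerShell, added here as an example and not part of the original article, automates the two checks above: it parses dsregcmd /status on the client and insists on DomainJoined, AzureAdJoined and AzureAdPrt all being YES, and then lists the hybrid-joined devices through the MSOnline module (the Azure Active Directory Module for Windows PowerShell that this page uses) and looks for the client's DeviceId among them. The dsregcmd sample lines and the device ID are constructed so the parser can be exercised offline; the tenant query assumes Connect-MsolService has already been run.

```powershell
# Added example, not from the original article. Two checks a practitioner
# wants after the device reboots: (1) parse 'dsregcmd /status' on the client
# and fail if the device is not hybrid joined or has no PRT, (2) from the
# MSOnline module, list hybrid-joined devices in the tenant and confirm the
# client's DeviceId is among them. Assumes Connect-MsolService has been run.

function Get-DsregStatus {
    param([string[]] $Lines = (dsregcmd /status))
    # dsregcmd prints "Key : Value" lines grouped under section banners;
    # keep only those lines and turn them into a hashtable.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([hashtable] $State)
    # Hybrid Azure AD join means DomainJoined AND AzureAdJoined are YES; a PRT
    # proves the user token flow through the federated IdP (here NAM) worked.
    $required = @{ DomainJoined = 'YES'; AzureAdJoined = 'YES'; AzureAdPrt = 'YES' }
    $problems = foreach ($k in $required.Keys) {
        if ($State[$k] -ne $required[$k]) { "$k is '$($State[$k])', expected '$($required[$k])'" }
    }
    if ($problems) { throw ($problems -join '; ') }
    return $State['DeviceId']
}

# Constructed sample of the relevant dsregcmd /status lines (not real output);
# on a real client call Get-DsregStatus with no argument instead.
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CLOUDTEST
                  DeviceId : 4d6e2f8a-0000-4000-8000-0123456789ab
                AzureAdPrt : YES
'@ -split "`r?`n"

$deviceId = Test-HybridJoin (Get-DsregStatus $sample)

# Tenant-side view (requires Connect-MsolService first). DeviceTrustType
# 'Domain Joined' is how MSOnline labels hybrid Azure AD joined devices.
$hybrid = Get-MsolDevice -All | Where-Object { $_.DeviceTrustType -eq 'Domain Joined' }
$hybrid | Select-Object DisplayName, DeviceId, DeviceOsType, DeviceOsVersion,
                        ApproximateLastLogonTimestamp, Enabled | Format-Table -AutoSize

if (-not ($hybrid | Where-Object { $_.DeviceId -eq $deviceId })) {
    Write-Warning "Device $deviceId is not visible in Azure AD yet; registration may not have completed."
}
```

Checking AzureAdPrt, not just AzureAdJoined, is the important part: a device can be joined (the WS-Trust device token flow through NAM succeeded) while the user still has no PRT, and without the PRT there is no SSO to Azure AD applications.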
SSO to Microsoft Azure Applications
- When a device is automatically registered with Azure AD, the following happens:
- The device authenticates to NAM over the WS-Trust protocol using its Kerberos (machine account) ticket and receives a token from NAM.
- The device generates a certificate signing request (CSR), sends it with that token to Azure Device Registration Service (Azure DRS), and receives a signed device certificate.
- The device generates a second key and certificate, used with the Primary Refresh Token (PRT), which is requested with the user's credentials.
- The PRT provides SSO for users when they access Azure AD applications.
Please share your comments!!