ADFS Workplace Join or Azure DRS ? RRS feed

  • Question

  • Good Morning

    Currently I am trying to find the best solution to use Workplace Join.
    ADFS 2012R2 DRS or Azure DRS with Device Write back. Which is the best solution...

    I have 2 concerns regarding this:

    1:It looks like from the documentation on TechNet that workplace join is not possible for Windows 10, Windows 10 mobile and Android to ADFS 2012R2 Device Registration. Is this a correct statement or is TechNet Outdated?
    And do you know if this will be added in a future update or will this only be in Srv2016?

    2: If I go for Azure DRS with Device write back (which is in preview) I can workplace join Windows10 and Windows10mobile + Android.
    The problem with this setup is that there is no separate Relaying Party for the Device Registration part. Every Microsoft Online service uses the "Microsoft Office 365 Identity Platform" in ADFS.

    So If only set a policy to allow devices which are Workplace joined (aka =registered) to Access E-mail, SharePoint or any other O365 app I cannot join a device to Workplace join. This because the device will fail to get a authentication token because the device is not workplace joined. 
    I searched online but It looks like that every WTREALM for a Microsoft Online service is filled with Microsoft Online, so it is not possible to set specific claim policy's for the Device Registration part.

    Does someone know any possibility to get around this problem ?

    I know you can leverage Intune conditional access for some applications, but this is not sufficient at the moment.

    For other Relaying Party Trusts  we can leverage the Device registration policy.

    Thanks in advance!


    Thursday, October 22, 2015 7:53 AM

All replies

  • Hello Nils,

    We are working on the query and would get back to you soon on this.

    Your patience is appreciated.



    Thursday, October 22, 2015 7:50 PM
  • Hello Nils,

    Windows 10, the only option is for device write back with aadconnect. 

    You will write a condition to look for isregistereduser exist.  I don’t think windows 10 would use True since the device isn’t registered to the user.  If someone doesn’t meet that you can force a mfa requirement.  One of my customers we recommended forcing the user to vpn into the network to make sure the machine was device registered.  And anything external would fail.  We had to use a series of conditions to make it happen but worked out well.

    Allow Rule 1<o:p></o:p>

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])<o:p></o:p>

    && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
    Value =~ "])<o:p></o:p>

    && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path",
    Value == "/adfs/ls/"])  => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
    Value = "true");<o:p></o:p>


    Allow Rule 2<o:p></o:p>

    c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser",
    Value =~ "^(?i)true$"]  => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
    Value = "true");<o:p></o:p>

    Best Regards

    Sadiqh Ahmed


    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful.

    Friday, October 23, 2015 2:45 PM
  • Hi Sadiqh,

    Thank you for you response, but it is not exactly a solution for us as we also have Mobile Devices like IOS phones. Those Devices will always create a connection trough the WAP server and not direct to ADFS.

    So for Windows 10 we could leverage DirectAccess to register the devices if we are using it like you mentioned, but we still have 2 major problems there.

    1: In Windows 10 (Domain Joined) it is not possible to automatically Device Register a device. So all users need to do this manually.

    2: For Mobile Devices Like IOS we are not able to authenticate as they will be denied because they are always connecting to the WAP server. So they don't have a DRS certificate and are not able to create one.

    Will there be any solution for those 2 issues ?

    Tuesday, October 27, 2015 9:33 AM