Introduction

Azure Active Directory (Azure AD) provides device management when Windows devices are registered with Azure AD. Azure AD can make sure devices meet the organization's standards for security and compliance. Devices joined to an on-premises Active Directory domain can also be joined to Azure AD by configuring hybrid Azure AD join. In this Cool Solution, you will learn how to configure hybrid Azure AD join so that Windows devices automatically register with Azure AD.

Why is this useful?

This solution helps on-premises devices register automatically with Azure Active Directory. Conditional access can then check whether a device is eligible before it is allowed to reach enterprise resources.

Solution

Prepare Azure AD for Automatic device Registration.

  1. Follow the Microsoft documentation below to create a service connection point.
    Tutorial: Configure hybrid Azure Active Directory joined devices manually
    Custom installation of Azure AD Connect (on the User sign-in screen, select the checkbox “Enable single sign-on”)
  2. DNS configuration: create the enterpriseregistration CNAME record as described in “Create DNS records for Office 365 using Windows-based DNS”.
  3. To manage devices in the Azure portal and set the option “Users may register their devices with Azure AD” to “All”, follow the Microsoft documentation.
    How to manage devices using the Azure portal

NAM Configuration steps:

  1. Follow the Kerberos contract creation steps in the NetIQ Access Manager documentation.
    Sample configuration for the Kerberos class:

    Kerberos class

  2. Create additional SPN as shown below.

    SPN AD

  3. Create a Kerberos contract and make sure Kerberos authentication works.
  4. Extract the engineering patch zip file (Solution.zip). Its contents are nidp-wstrust-iwa.jar and mex2.jsp.
  5. Copy nidp-wstrust-iwa.jar to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib.
  6. Edit mex2.jsp and replace the SPN host/secure.cloudtest6.info with the one for your domain, for example host/secure.coles.com.
  7. Copy mex2.jsp to /opt/novell/nam/idp/webapps/nidp/jsp.
  8. Modify web.xml at /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml.
    1. Add mex2.jsp to the allowed list of JSPs (the publicAccess parameter of nidpJspFilter):
      <filter>
      	<filter-name>nidpJspFilter</filter-name>
      	<display-name>NIDP Jsp Filter</display-name>
      	<description>The NIDP server JSP filter. Enforces authentication and
      		handles clustering.</description>
      	<filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
      	<init-param>
      		<param-name>publicAccess</param-name>
      		<param-value>main.jsp;err.jsp;err2.jsp;login.jsp;nmaslogin.jsp;logoutSuccess.jsp;banner.jsp;nav.jsp;menus.jsp;footer.jsp;content.jsp;cards.jsp;title.jsp;error.jsp;curcard.jsp;createacct.jsp;x509err.jsp;clearCookieAuth.jsp;totpregistration.jsp;socialauth.jsp;socialauth_provision.jsp;socialauth_return.jsp;mex.jsp;errorPage.jsp;DeviceRegistrationConsent.jsp;login_snippet.jsp;mex2.jsp</param-value>
      	</init-param>
      </filter>
    2. Add a servlet mapping that serves mex2.jsp as the MEX endpoint:
      <servlet>
      	<servlet-name>NetIQSTS12MEX</servlet-name>
      	<jsp-file>/jsp/mex2.jsp</jsp-file>
      	<load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
      	<servlet-name>NetIQSTS12MEX</servlet-name>
      	<url-pattern>/wstrust/sts/mex</url-pattern>
      </servlet-mapping>
    3. Comment out the existing mapping for mex:
      <!--<servlet-mapping>
      	<servlet-name>NetIQSTS</servlet-name>
      	<url-pattern>/wstrust/sts/mex</url-pattern>
      </servlet-mapping>
      -->
      
  9. Restart IDP
  10. Test the new MEX endpoint at https://<<IDP>>/wstrust/sts/mex; the URL should return the MEX (WS-MetadataExchange) document.
  11. Log in to the NAM admin console and add these global parameters.
    DEVICE_DOMAIN_JOIN_CONTRACT_ID = the Kerberos contract ID

    Kerberos Contract

    DEVICE_DOMAIN_JOIN_SEARCH_USER_STORE = the AD user store where devices register, with the search context CN=computers,DC=<<domain>>,DC=<<domain>>

    Example: cn=computers,DC=cloudtest,DC=info for the cloudtest.info domain.

    Userstore

    Screenshot of parameters configured:

    Config Params

  12. Update configuration

    Note: if there are multiple IDPs in a cluster, repeat steps 4-9 above on each IDP.
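As an added example (not part of the original solution or the NetIQ product), the following Python script checks that a web.xml edited according to step 8 ends up in the expected state: mex2.jsp is on the nidpJspFilter publicAccess list (otherwise the filter, which “enforces authentication”, would send the unauthenticated device to login instead of returning metadata), the NetIQSTS12MEX servlet is backed by /jsp/mex2.jsp, and exactly one live servlet mapping exists for /wstrust/sts/mex and points at that servlet. The embedded web.xml fragment is constructed for the example, not the real NIDP file; run check_web_xml on the contents of /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of a web.xml after the step 8 edits (not the real NIDP
# web.xml; trimmed to the elements the checks look at).
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>nidpJspFilter</filter-name>
    <filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
    <init-param>
      <param-name>publicAccess</param-name>
      <param-value>main.jsp;err.jsp;login.jsp;mex.jsp;errorPage.jsp;mex2.jsp</param-value>
    </init-param>
  </filter>
  <servlet>
    <servlet-name>NetIQSTS12MEX</servlet-name>
    <jsp-file>/jsp/mex2.jsp</jsp-file>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>NetIQSTS12MEX</servlet-name>
    <url-pattern>/wstrust/sts/mex</url-pattern>
  </servlet-mapping>
  <!--<servlet-mapping>
    <servlet-name>NetIQSTS</servlet-name>
    <url-pattern>/wstrust/sts/mex</url-pattern>
  </servlet-mapping>-->
</web-app>
"""

MEX_PATTERN = "/wstrust/sts/mex"
MEX_SERVLET = "NetIQSTS12MEX"
MEX_JSP = "mex2.jsp"


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so the checks work whether
    or not the web.xml declares a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    hits = _children(elem, name)
    return hits[0].text.strip() if hits and hits[0].text else None


def check_web_xml(xml_text):
    """Return one boolean per step-8 requirement."""
    root = ET.fromstring(xml_text)
    result = {"jsp_public": False, "servlet_defined": False,
              "mapping_ok": False, "single_mapping": False}

    # 8.1: mex2.jsp must be in the publicAccess list of nidpJspFilter.
    for flt in _children(root, "filter"):
        if _text(flt, "filter-name") != "nidpJspFilter":
            continue
        for param in _children(flt, "init-param"):
            if _text(param, "param-name") == "publicAccess":
                allowed = [p.strip() for p in (_text(param, "param-value") or "").split(";")]
                result["jsp_public"] = MEX_JSP in allowed

    # 8.2: a servlet named NetIQSTS12MEX backed by /jsp/mex2.jsp.
    for srv in _children(root, "servlet"):
        if _text(srv, "servlet-name") == MEX_SERVLET and _text(srv, "jsp-file") == "/jsp/" + MEX_JSP:
            result["servlet_defined"] = True

    # 8.2 + 8.3: exactly one live mapping for /wstrust/sts/mex, pointing at the
    # new servlet. The commented-out old mapping is not parsed as an element,
    # so forgetting to comment it out shows up as a second mapping.
    mappings = [m for m in _children(root, "servlet-mapping")
                if _text(m, "url-pattern") == MEX_PATTERN]
    result["single_mapping"] = len(mappings) == 1
    result["mapping_ok"] = bool(mappings) and all(
        _text(m, "servlet-name") == MEX_SERVLET for m in mappings)
    return result


def web_xml_ok(xml_text):
    return all(check_web_xml(xml_text).values())


if __name__ == "__main__":
    for name, ok in check_web_xml(SAMPLE_WEB_XML).items():
        print(f"{name:16s} {'OK' if ok else 'FAIL'}")
```

To check a real file, read it and pass the text to check_web_xml; a FAIL on single_mapping after the edits almost always means the old NetIQSTS mapping in step 8.3 was left uncommented.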

Control the hybrid Azure AD join of your devices

Create a group policy that controls which devices can join Azure AD automatically. Follow the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control.

When all of the above steps are completed, domain-joined devices will automatically register with Azure Active Directory (AD). The automatic registration to Azure AD completes when the device restarts.

Screenshot of device registration command output: “dsregcmd /debug”.

dsregcmd debug

dsregcmd debug output

Screenshot of the Azure console for registered devices:

Azure portal

Log in to the Microsoft Azure portal and navigate to Azure Active Directory and then Devices.

Using PowerShell commands to query devices

  1. Open the Microsoft Azure Active Directory Module for Windows PowerShell
  2. Connect to your Azure Active Directory tenant using the command “Connect-MsolService”
  3. Enter Azure AD administrator credentials
  4. Execute the following command:

“Get-MsolDevice -All”

Powershell devices list

Additional Information

The following additional options are available with the dsregcmd command:
“dsregcmd /status” -> shows the device registration status
“dsregcmd /leave” -> deregisters the device
https://docs.microsoft.com/en-us/azure/active-directory/devices/faq

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

SSO to Microsoft Azure Applications

  1. When a device automatically registers with Azure AD, the following things happen.
    1. The device sends a Kerberos token to NAM via the WS-Trust protocol.
    2. The device generates a certificate signing request (CSR), sends it to Azure DRS, and receives a signed certificate for that device.
    3. The device generates a second certificate to use with the Primary Refresh Token (PRT), using the user's credentials.
    4. The PRT is used for SSO when users access Azure AD applications.
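As an added example (not part of the original article), the following Python script parses output in the layout of “dsregcmd /status” from the Additional Information section and reports whether the device is hybrid-joined and holds a PRT, which is the end state the SSO steps above describe. The sample text is constructed, not captured from a real device; the section and field names used (Device State, SSO State, AzureAdJoined, DomainJoined, AzureAdPrt, DeviceId) are the ones dsregcmd prints.

```python
import re

# Constructed excerpt in the layout of "dsregcmd /status" output (not a capture
# from a real device). Values show the hybrid-joined case: domain-joined,
# Azure AD joined, and holding a PRT for SSO.
SAMPLE_STATUS = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CLOUDTEST

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000000
                Thumbprint : 0000000000000000000000000000000000000000

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-01-08 10:15:22.000 UTC
"""

_SECTION = re.compile(r"^\|\s*(.+?)\s*\|$")          # "| Device State |"
_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")  # "   Key : value"


def parse_dsregcmd_status(text):
    """Return {section: {key: value}} from dsregcmd /status style output."""
    sections, current = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def _flag(sections, section, key):
    return sections.get(section, {}).get(key, "").upper() == "YES"


def join_state(text):
    """Classify the device relative to the state the article's steps produce."""
    s = parse_dsregcmd_status(text)
    domain = _flag(s, "Device State", "DomainJoined")
    aad = _flag(s, "Device State", "AzureAdJoined")
    prt = _flag(s, "SSO State", "AzureAdPrt")
    if domain and aad:
        state = "hybrid-joined"
    elif domain:
        # Registration has not completed yet (e.g. no restart) or failed.
        state = "domain-joined, not yet registered"
    elif aad:
        state = "azure-ad-joined only"
    else:
        state = "not joined"
    return {"state": state, "prt": prt,
            "device_id": s.get("Device Details", {}).get("DeviceId")}


if __name__ == "__main__":
    print(join_state(SAMPLE_STATUS))
```

On a real device, pipe the output of “dsregcmd /status” into a file and pass its contents to join_state; a hybrid-joined device without a PRT means device registration succeeded but the user-side SSO step has not completed yet.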

References:

  • https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control
  • https://docs.microsoft.com/en-us/office365/admin/dns/create-dns-records-using-windows-based-dns?redirectSourcePath=%252fen-us%252farticle%252fCreate-DNS-records-for-Office-365-using-Windows-based-DNS-9eec911d-5773-422c-9593-40e1147ffbde&view=o365-worldwide#bkmk_add_cname
  • https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual-steps
  • https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains
  • https://jairocadena.com/2016/02/01/azure-ad-join-what-happens-behind-the-scenes/
  • https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration

Please share your comments!


    Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.


    By: cstumula
    Jan 8, 2019
    1:07 pm