Azure Active Directory (Azure AD) provides device management for Windows devices that are registered with Azure AD, and can verify that those devices meet an organization's security and compliance standards. Devices joined to an on-premises Active Directory domain can also be joined to Azure AD by configuring hybrid Azure AD join. In this cool solution, you will learn how to configure hybrid Azure AD join so that Windows devices register with Azure AD automatically.
This solution gets on-premises, domain-joined devices to register with Azure AD automatically. Once registered, the device state can be used in Conditional Access, so that only eligible devices are allowed to reach enterprise resources.
Prepare Azure AD for automatic device registration.
NAM Configuration steps:
The publicAccess parameter of the nidpJspFilter lists the JSPs the filter serves without authentication, so add only what device registration needs (mex2.jsp, used by the servlet mapping that follows, and DeviceRegistrationConsent.jsp) and keep the rest of the list as it is:
<filter>
    <filter-name>nidpJspFilter</filter-name>
    <display-name>NIDP Jsp Filter</display-name>
    <description>The NIDP server JSP filter. Enforces authentication and handles clustering.</description>
    <filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
    <init-param>
        <param-name>publicAccess</param-name>
        <param-value>main.jsp;err.jsp;err2.jsp;login.jsp;nmaslogin.jsp;logoutSuccess.jsp;banner.jsp;nav.jsp;menus.jsp;footer.jsp;content.jsp;cards.jsp;title.jsp;error.jsp;curcard.jsp;createacct.jsp;x509err.jsp;clearCookieAuth.jsp;totpregistration.jsp;socialauth.jsp;socialauth_provision.jsp;socialauth_return.jsp;mex.jsp;errorPage.jsp;DeviceRegistrationConsent.jsp;login_snippet.jsp;mex2.jsp</param-value>
    </init-param>
</filter>
<servlet>
    <servlet-name>NetIQSTS12MEX</servlet-name>
    <jsp-file>/jsp/mex2.jsp</jsp-file>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>NetIQSTS12MEX</servlet-name>
    <url-pattern>/wstrust/sts/mex</url-pattern>
</servlet-mapping>
The previous mapping of /wstrust/sts/mex to the NetIQSTS servlet stays commented out:
<!--
<servlet-mapping>
    <servlet-name>NetIQSTS</servlet-name>
    <url-pattern>/wstrust/sts/mex</url-pattern>
</servlet-mapping>
-->
DEVICE_DOMAIN_JOIN_CONTRACT_ID = the ID of the Kerberos contract
DEVICE_DOMAIN_JOIN_SEARCH_USER_STORE = the Active Directory user store where devices register, with the search base CN=Computers,DC=<<domain>>,DC=<<domain>>
Example: CN=Computers,DC=cloudtest,DC=info for the cloudtest.info domain.
Screenshot of parameters configured:
Note: if there are multiple IDPs in a cluster, repeat steps 4-9 above on each of them.
Create a Group Policy that controls which devices may join Azure AD automatically, following the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control.
When all of the above steps are completed, domain-joined devices register with Azure AD automatically; the registration completes after the device restarts.
Screenshot of device registration command output: “dsregcmd /debug”.
Screenshot of the Azure console for registered devices:
Login to Microsoft Azure Portal and Navigate to Azure Active Directory and Devices.
Using PowerShell commands to query devices:
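The following is an added example, not code from the original article: it reports the hybrid Azure AD joined devices in the tenant with the Microsoft Graph PowerShell SDK (module Microsoft.Graph, assumed to be installed) and flags registrations that have never signed in or have not signed in for a while, which is what you want to know before relying on device state in Conditional Access. The filtering is in its own function so it can be run offline against the constructed sample objects at the end (placeholder IDs, not tenant data): PC01 is a healthy hybrid-joined device, PC02 has never signed in, and PHONE1 is only Azure AD registered.

```powershell
# Added example (not from the original article): report hybrid Azure AD joined
# devices via Microsoft Graph. Assumes the Microsoft.Graph module is installed;
# Device.Read.All is a read-only scope and is all this report needs.

function Select-HybridJoinedDevice {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [int] $StaleDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($d in $Devices) {
        # TrustType records how the device was registered:
        #   ServerAd  = hybrid Azure AD joined (what this article sets up)
        #   AzureAd   = Azure AD joined
        #   Workplace = Azure AD registered (BYOD)
        if ($d.TrustType -ne 'ServerAd') { continue }

        $lastSeen = $d.ApproximateLastSignInDateTime
        [pscustomobject]@{
            DisplayName = $d.DisplayName
            DeviceId    = $d.DeviceId
            OS          = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
            LastSignIn  = $lastSeen
            Enabled     = $d.AccountEnabled
            Compliant   = $d.IsCompliant
            # A registration that never signed in, or not within $StaleDays, is a
            # stale object: Conditional Access should not keep trusting it and it
            # is a candidate for cleanup.
            Stale       = ($null -eq $lastSeen) -or ($lastSeen -lt $cutoff)
        }
    }
}

function Get-HybridJoinedDeviceReport {
    param([int] $StaleDays = 30)
    Connect-MgGraph -Scopes 'Device.Read.All'
    $props = 'displayName,deviceId,trustType,operatingSystem,operatingSystemVersion,' +
             'approximateLastSignInDateTime,accountEnabled,isCompliant'
    $devices = Get-MgDevice -All -Property $props
    Select-HybridJoinedDevice -Devices $devices -StaleDays $StaleDays |
        Sort-Object LastSignIn
}

# Offline run against constructed sample objects (placeholder IDs, not tenant data).
$sample = @(
    [pscustomobject]@{ DisplayName = 'PC01'; DeviceId = '00000000-0000-0000-0000-000000000001'
                       TrustType = 'ServerAd'; OperatingSystem = 'Windows'; OperatingSystemVersion = '10.0.19044'
                       ApproximateLastSignInDateTime = (Get-Date).AddDays(-2); AccountEnabled = $true; IsCompliant = $true }
    [pscustomobject]@{ DisplayName = 'PC02'; DeviceId = '00000000-0000-0000-0000-000000000002'
                       TrustType = 'ServerAd'; OperatingSystem = 'Windows'; OperatingSystemVersion = '10.0.19044'
                       ApproximateLastSignInDateTime = $null; AccountEnabled = $true; IsCompliant = $false }
    [pscustomobject]@{ DisplayName = 'PHONE1'; DeviceId = '00000000-0000-0000-0000-000000000003'
                       TrustType = 'Workplace'; OperatingSystem = 'iOS'; OperatingSystemVersion = '15.0'
                       ApproximateLastSignInDateTime = (Get-Date); AccountEnabled = $true; IsCompliant = $true }
)
Select-HybridJoinedDevice -Devices $sample | Format-Table -AutoSize

# Against a real tenant (interactive sign-in):
# Get-HybridJoinedDeviceReport -StaleDays 30 | Format-Table -AutoSize
```

Filtering on TrustType is done client-side after Get-MgDevice -All rather than in a Graph $filter, so the same function works on the sample objects and on the SDK's device objects.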
The following additional options are available with the dsregcmd command:
“dsregcmd /status” -> shows the device registration status
“dsregcmd /leave” -> deregisters the device from Azure AD (run from an elevated prompt)
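As an added example that is not part of the original post, the function below parses the output of dsregcmd /status and classifies the join state, so a script can check the result instead of a person reading the screenshot. The field names it looks for (AzureAdJoined, DomainJoined, DeviceId, TenantName, DomainName, AzureAdPrt) are the ones dsregcmd prints; the status text embedded at the end is constructed so the parser can be run offline on a machine without dsregcmd.

```powershell
# Added example (not from the original article): parse "dsregcmd /status" and
# classify the device join state. When no output is supplied, the function runs
# dsregcmd itself.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value". The key is matched lazily so the first
        # colon is the separator; values such as timestamps and URLs contain colons.
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $fields
}

function Get-DeviceJoinState {
    param([string[]] $StatusOutput = (& dsregcmd /status))
    $f = ConvertFrom-DsregStatus -Lines $StatusOutput
    $aad = $f['AzureAdJoined'] -eq 'YES'
    $dom = $f['DomainJoined']  -eq 'YES'
    # Hybrid Azure AD join means both flags are YES; either alone is a different state.
    $state = if ($aad -and $dom) { 'HybridAzureAdJoined' }
             elseif ($aad)       { 'AzureAdJoined' }
             elseif ($dom)       { 'DomainJoinedOnly' }
             else                { 'NotJoined' }
    [pscustomobject]@{
        State      = $state
        DeviceId   = $f['DeviceId']
        TenantName = $f['TenantName']
        DomainName = $f['DomainName']
        # AzureAdPrt is in the "SSO State" section: without a Primary Refresh Token
        # the user's sessions cannot present the device to Conditional Access.
        HasPrt     = $f['AzureAdPrt'] -eq 'YES'
    }
}

# Constructed sample of dsregcmd /status output (placeholder IDs, not a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CLOUDTEST

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000001
                Thumbprint : 0000000000000000000000000000000000000000

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : cloudtest
                  TenantId : 00000000-0000-0000-0000-000000000002

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-01-01 12:00:00.000 UTC
'@

Get-DeviceJoinState -StatusOutput ($sample -split "`r?`n")

# On a registered device, run it against the live output instead:
# Get-DeviceJoinState
```

Because the sections are delimited by lines without a colon, the parser ignores them and collects every "Key : Value" line into one hashtable; if a device shows DomainJoined YES but AzureAdJoined NO after a restart, the registration has not completed and the Group Policy or the NAM configuration above is the first place to look.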
Please share your comments!!
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.