Azure Active Directory (Azure AD) provides device management for Windows devices that are registered with Azure AD, and it can enforce an organization's security and compliance standards on those devices. Devices joined to an on-premises Active Directory domain can also be joined to Azure AD by configuring hybrid Azure AD join. In this cool solution, you will learn how to configure hybrid Azure AD join so that Windows devices register automatically with Azure AD.
This solution helps on-premises devices register automatically with Azure Active Directory. Conditional Access can then check whether a device is eligible before it is allowed to reach enterprise resources.
Prepare Azure AD for Automatic device Registration.
NAM Configuration steps:
<filter>
    <filter-name>nidpJspFilter</filter-name>
    <display-name>NIDP Jsp Filter</display-name>
    <description>The NIDP server JSP filter. Enforces authentication and
    handles clustering.</description>
    <filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
    <init-param>
        <param-name>publicAccess</param-name>
        <param-value>main.jsp;err.jsp;err2.jsp;login.jsp;nmaslogin.jsp;logoutSuccess.jsp;banner.jsp;nav.jsp;menus.jsp;footer.jsp;content.jsp;cards.jsp;title.jsp;error.jsp;curcard.jsp;createacct.jsp;x509err.jsp;clearCookieAuth.jsp;totpregistration.jsp;socialauth.jsp;socialauth_provision.jsp;socialauth_return.jsp;mex.jsp;errorPage.jsp;DeviceRegistrationConsent.jsp;login_snippet.jsp;mex2.jsp</param-value>
    </init-param>
</filter>
<servlet>
    <servlet-name>NetIQSTS12MEX</servlet-name>
    <jsp-file>/jsp/mex2.jsp</jsp-file>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>NetIQSTS12MEX</servlet-name>
    <url-pattern>/wstrust/sts/mex</url-pattern>
</servlet-mapping>
<!--
<servlet-mapping>
    <servlet-name>NetIQSTS</servlet-name>
    <url-pattern>/wstrust/sts/mex</url-pattern>
</servlet-mapping>
-->
DEVICE_DOMAIN_JOIN_CONTRACT_ID = Kerberos contract ID
DEVICE_DOMAIN_JOIN_SEARCH_USER_STORE = AD where devices register and CN=computers,DC=<<domain>>,DC=<<domain>>
Create a group policy that controls which devices can join Azure AD automatically; follow the Microsoft documentation at https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control.
When all of the above steps are completed, domain-joined devices will automatically register with Azure Active Directory (AD). The automatic registration completes after the device restarts.
Screenshot of the device registration command output: "dsregcmd /debug".
Screenshot of the Azure console for registered devices:
Log in to the Microsoft Azure Portal and navigate to Azure Active Directory > Devices.
Using PowerShell commands to query devices
The following additional options are available with the dsregcmd command:
"dsregcmd /status" -> shows the device registration status
"dsregcmd /leave" -> deregisters the device
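A worked check of the registration state described above, from both the endpoint side (dsregcmd /status) and the directory side (the PowerShell device query). This is an added example, not code from the original article or from NetIQ or Microsoft; it assumes the Microsoft.Graph PowerShell module (Get-MgDevice) is installed, the signed-in account has the Device.Read.All scope, and it uses a constructed dsregcmd /status excerpt so the parsing runs without a joined device.

```powershell
# Added example (not from the original article). Parses `dsregcmd /status`
# output to confirm hybrid join on the endpoint, then looks the device up in
# Azure AD. Assumes the Microsoft.Graph module and the Device.Read.All scope.
function ConvertFrom-DsregStatus {
    # dsregcmd prints "   Key : Value" lines between +---+ section borders;
    # keep the key/value pairs and ignore borders and blank lines.
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}
function Test-HybridAzureAdJoin {
    # Hybrid join = domain-joined AND Azure AD-joined. A device showing only
    # "WorkplaceJoined : YES" is Azure AD-registered, a different state.
    param([Parameter(Mandatory)][hashtable]$Status)
    return ($Status['DomainJoined'] -eq 'YES' -and $Status['AzureAdJoined'] -eq 'YES')
}

# Constructed sample of the relevant lines (real output has more sections).
$sample = @(
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '                  DeviceId : 11111111-2222-3333-4444-555555555555'
)
$status = ConvertFrom-DsregStatus -Lines $sample
# On a real device use:  $status = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
"Hybrid Azure AD joined: $(Test-HybridAzureAdJoin -Status $status)"

# Directory-side check: the same DeviceId must exist in Azure AD with
# TrustType 'ServerAd' (hybrid joined) before Conditional Access can trust it.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
$device = Get-MgDevice -Filter "deviceId eq '$($status['DeviceId'])'"
if (-not $device) {
    Write-Warning "Device $($status['DeviceId']) not found in Azure AD; registration has not completed."
} else {
    [pscustomobject]@{
        DisplayName = $device.DisplayName
        TrustType   = $device.TrustType            # ServerAd = hybrid Azure AD joined
        IsCompliant = $device.IsCompliant
        LastSignIn  = $device.ApproximateLastSignInDateTime
    }
}
```

The constructed DeviceId will not exist in your tenant, so the directory lookup is expected to warn until you feed it real dsregcmd output from a registered device.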
https://docs.microsoft.com/en-us/azure/active-directory/devices/faq
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
Please share your comments!!