Workplace Join / Device Registration to Azure AD for local domain-joined Windows 7 and Windows Server 2012


<References>
https://jairocadena.com/2017/10/04/azuread-device-based-conditional-access-and-windows-78-1/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-automatic-device-registration-windows7/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-automatic-device-registration/

<Pre-requisite>
User accounts in on-premises Active Directory and Azure AD must be synchronized via Azure AD Connect (AAD Connect).

<System Configuration check>

From the DNS server,

From the ADFS server,
1. Office 365 federation (the tenant domain is already federated with this ADFS farm)

2. Enable device registration (elevated PowerShell on the ADFS server):
Initialize-ADDeviceRegistration
Enable-AdfsDeviceRegistration
Set-AdfsDeviceRegistration -ServiceAccountIdentifier mfalab3\taehee
Get-AdfsDeviceRegistration

Verify that the host SPN for the federation service name is registered (needed for integrated Windows authentication from domain clients):
setspn -Q host/fs.mfalab3.com

3. Add claim rules

Add the following issuance transform rule to the "Microsoft Office 365 Identity Platform" relying party trust, so that the authentication-method claim is passed through to Azure AD (the claim type is http://, not https://):

c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
=> issue(claim = c);

Then open PowerShell and run:
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -AllowedAuthenticationClassReferences wiaormultiauthn
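The ADFS-side steps above (DNS record, device registration, SPN, relying party settings) are easy to get half right. The script below is an added read-only readiness check written for this page; it is not part of the original note or of any Microsoft tooling. It assumes the lab values used on this page (federation host fs.mfalab3.com, UPN suffix mfalab3.com, the Office 365 relying party name) and the cmdlet Get-AdfsDeviceRegistrationUpnSuffix, which is assumed to return the UPN suffixes DRS serves. Run it in an elevated PowerShell on the ADFS server.

```powershell
# Added example (not from the original note): read-only readiness check for the
# ADFS-side configuration. Assumed lab values match this page; adjust as needed.
$FederationHost = 'fs.mfalab3.com'
$UpnSuffix      = 'mfalab3.com'
$RpName         = 'Microsoft Office 365 Identity Platform'
$ClaimType      = 'http://schemas.microsoft.com/claims/authnmethodsreferences'

Import-Module ADFS -ErrorAction Stop

function Write-Check([bool]$Ok, [string]$What) {
    if ($Ok) { Write-Host "OK   $What" -ForegroundColor Green }
    else     { Write-Host "FAIL $What" -ForegroundColor Red }
}

# 1. DRS discovery: clients resolve enterpriseregistration.<UPN suffix>, which must
#    be a CNAME to the federation service, otherwise /join never reaches this farm.
$drs = Resolve-DnsName -Name "enterpriseregistration.$UpnSuffix" -Type CNAME -ErrorAction SilentlyContinue
Write-Check ($drs -ne $null -and $drs.NameHost -eq $FederationHost) `
    "DNS enterpriseregistration.$UpnSuffix -> $FederationHost (got: $($drs.NameHost))"

# 2. Device Registration Service is configured and serves our UPN suffix
$reg = Get-AdfsDeviceRegistration -ErrorAction SilentlyContinue
Write-Check ($reg -ne $null) "Get-AdfsDeviceRegistration returned a configuration"
# Assumed cmdlet: returns the UPN suffixes registered with DRS
$suffixes = @(Get-AdfsDeviceRegistrationUpnSuffix -ErrorAction SilentlyContinue)
Write-Check ($suffixes -contains $UpnSuffix) "DRS UPN suffixes include $UpnSuffix (got: $($suffixes -join ', '))"

# 3. Kerberos SPN for the federation service host (integrated Windows auth from clients)
$spn = & setspn -Q "host/$FederationHost" 2>&1
Write-Check ([string]$spn -match 'Existing SPN found') "SPN host/$FederationHost is registered"

# 4. Relying party trust: WIA-or-MFA allowed, and authnmethodsreferences passed through
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
Write-Check ($rp -ne $null) "Relying party '$RpName' exists"
if ($rp) {
    Write-Check ($rp.AllowedAuthenticationClassReferences -contains 'wiaormultiauthn') `
        "AllowedAuthenticationClassReferences includes wiaormultiauthn"
    Write-Check ($rp.IssuanceTransformRules -match [regex]::Escape($ClaimType)) `
        "Issuance transform rules pass through $ClaimType"
}
```

Every check is reported rather than fixed on purpose: the relying party trust for Office 365 is shared with all federated sign-ins, so changes to its rules should be made deliberately with the Set-AdfsRelyingPartyTrust commands above, not by a script that rewrites the rule set.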

From the domain-joined Windows 7 client,
1. Sign in to "https://portal.office.com" with the current domain user account. The sign-in must complete without being redirected to the ADFS login page (integrated Windows authentication must handle it silently).

2. Download and install the "Workplace Join" agent (x64 or x86 build, matching the client OS):
x64
x86

Then run:
"C:\Program Files\Microsoft Workplace Join\AutoWorkplace.exe" /join

To leave (unregister the device):
"C:\Program Files\Microsoft Workplace Join\AutoWorkplace.exe" /leave
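The client steps above give no way to tell whether /join actually succeeded beyond the agent's own dialog. The script below is an added example written for this page, not part of the original note or of the Workplace Join agent: it checks DRS discovery, runs the join, and then looks for the device certificate that a successful registration places in the user's personal store (issued by "MS-Organization-Access"). It assumes the agent path used on this page, that the user's UPN suffix equals the AD DNS domain name, and an event log name ("Microsoft-Windows-Workplace Join/Admin") that may not exist for the Windows 7 agent. Run it as the domain user in a normal (non-elevated) PowerShell 2.0 session.

```powershell
# Added example (not from the original note): join and verify on a Windows 7 client.
$Agent     = 'C:\Program Files\Microsoft Workplace Join\AutoWorkplace.exe'
$UpnSuffix = $env:USERDNSDOMAIN.ToLower()   # assumption: UPN suffix == AD DNS name

function Test-DrsDiscovery {
    # The agent locates DRS via enterpriseregistration.<UPN suffix>. Resolve-DnsName
    # is not available on Windows 7, so use .NET and return the canonical host name.
    try   { [System.Net.Dns]::GetHostEntry("enterpriseregistration.$UpnSuffix").HostName }
    catch { $null }
}

function Get-WorkplaceJoinCertificate {
    # A successful join installs a device certificate in the user's personal store,
    # issued by the DRS certificate authority named MS-Organization-Access.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' }
}

function Invoke-WorkplaceJoin([switch]$Leave) {
    if (-not (Test-Path $Agent)) { throw "Workplace Join agent not found at $Agent" }
    $arg = if ($Leave) { '/leave' } else { '/join' }
    $p = Start-Process -FilePath $Agent -ArgumentList $arg -Wait -PassThru
    return $p.ExitCode
}

# --- run ---
$drsHost = Test-DrsDiscovery
if (-not $drsHost) { Write-Warning "enterpriseregistration.$UpnSuffix does not resolve; /join will fail" }
else { "DRS discovery -> $drsHost" }

"AutoWorkplace.exe /join exit code: $(Invoke-WorkplaceJoin)"

$cert = Get-WorkplaceJoinCertificate | Select-Object -First 1
if ($cert) {
    "Joined. Device certificate: Subject=$($cert.Subject) Thumbprint=$($cert.Thumbprint) Expires=$($cert.NotAfter)"
} else {
    Write-Warning 'No MS-Organization-Access certificate found; check the agent log'
    # Assumed log name (as on Windows 8.1); may be absent with the Windows 7 agent.
    Get-WinEvent -LogName 'Microsoft-Windows-Workplace Join/Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
}
# To unregister the device later: Invoke-WorkplaceJoin -Leave
```

The certificate is the artifact worth watching: it is what device-based Conditional Access later evaluates, so its presence (and expiry date) on the client is the most direct local proof that registration worked.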

<Result>

From Win7 and 2012

From Azure Portal
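Besides the Azure Portal view, the registration can be confirmed from the tenant side with the MSOnline module. The snippet below is an added example written for this page, not part of the original note; it assumes a constructed device name (WIN7-01) and owner UPN (taehee@mfalab3.com), and that the properties listed are the ones Get-MsolDevice exposes.

```powershell
# Added example (not from the original note): confirm the client appears as a
# registered device in Azure AD. Requires the MSOnline module and an admin account.
Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in

$DeviceName = 'WIN7-01'             # constructed: the client's computer name
$OwnerUpn   = 'taehee@mfalab3.com'  # constructed: the user who ran /join

$dev = Get-MsolDevice -All | Where-Object { $_.DisplayName -eq $DeviceName }
if (-not $dev) {
    Write-Warning "$DeviceName is not registered in Azure AD; re-run /join on the client and check the ADFS device registration events"
} else {
    # DeviceTrustType distinguishes workplace-joined from domain- or Azure AD-joined devices
    $dev | Select-Object DisplayName, DeviceId, DeviceTrustType, DeviceTrustLevel,
        DeviceOsType, DeviceOsVersion, Enabled, ApproximateLastLogonTimestamp | Format-List
}

# All devices registered by this user (useful for spotting stale or duplicate registrations)
Get-MsolDevice -RegisteredOwnerUpn $OwnerUpn | Select-Object DisplayName, DeviceTrustType, Enabled
```

Stale entries matter here: a device that was re-imaged and joined again can leave an old, still-enabled object behind, and each such object continues to satisfy device-based Conditional Access until it is disabled or removed.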