Note: This article was primarily created for macOS devices. Some information was presented in older articles, mainly Hybrid Azure AD Join. I'm not very familiar with macOS, so the information may not be precise. I tried to better understand how device authentication (identification) works to make it functional from macOS as well. In the end, I came across interesting information that I couldn't find described anywhere. I also added information about how it works on Android devices.
I'm very surprised that I couldn't find official documentation from Microsoft for most of these areas (and there isn't much unofficial documentation either). Microsoft describes everything only for Windows. Other operating systems are supported, but I couldn't find any description of how registration to Azure AD is performed on them (or how to unregister), nor an overall description of how device authentication (Device Authentication) works and what needs to be set up for it.
Type of connection to Azure AD - registered versus joined devices
A device can be registered or joined, or additionally enrolled in Intune. Possible variants (without Intune):
- AD Domain Joined - the device is joined to On-Premises AD DS (internal/local Active Directory)
- Azure AD Joined - the device is joined to Azure AD (cloud-only)
- Hybrid Azure AD Joined - the device is joined to On-Premises AD DS and registered in Azure AD
- Azure AD Registered - the device is registered in Azure AD, also referred to as Workplace Joined
Note: For a device to be identified as Hybrid Azure AD Joined in Azure AD, certain conditions must be met. It's not enough to just register an AD Domain Joined computer separately in Azure AD.
Device registered in Azure AD - Azure AD Registered Device
- Azure AD registered devices
- allows the use of Bring your own device (BYOD) and mobile devices for accessing organizational resources from personal devices
- we can register personal or company devices
- we don't need to log in with a company account on the device (we work on it with a local or domain account)
- a company Azure AD account is connected on the device for accessing organizational resources
- supported operating systems are Windows 10 and newer, iOS, Android, macOS, Ubuntu 20.04/22.04
- we can use SSO for cloud resources
- we can use device identity to control access to resources (Conditional Access Policies)
Registration to Azure AD - Azure AD Registration
Device registration to Azure AD involves creating an object of the device in Azure AD. We can do this in various ways, which depend on the operating system of the given device.
In connection with Azure AD, this article often mentions a work application. This means an application where we log in with an Azure AD account and can then use various Azure AD features. It can be one of the Microsoft 365 applications, such as MS Teams, Office or SharePoint, but also a non-Microsoft application connected to Azure AD as an Enterprise application.
Company Portal is both a web page, portal.manage.microsoft.com, and an application for the various operating systems. It primarily serves for enrollment in and work with Intune. Because Intune enrollment also registers the device in Azure AD, it can be used for Azure AD registration in some cases. The web page alone is not enough for registration; the application must be used.
Registration of Windows devices to Azure AD
Azure AD registration can be done during the first access to a work application or manually using the settings menu of Windows 10 or Windows 11.
Windows - registration when logging in with an Azure AD account
When we log in with an Azure AD account to a work application, a dialog may appear asking whether we allow the organization to manage our device (Allow my organization to manage my device). If we agree, the Azure AD account we are logging in with is added as a work or school account to the account we are logged into the computer with, and the device is registered in Azure AD.
Windows - manual registration
- Settings - Accounts - Access work or school
- select Connect
- log in with an Azure AD account
- in the settings, we'll then see our Work or school account
Windows - canceling registration
- Settings - Accounts - Access work or school
- click on the account
- select Disconnect and confirm the warning
Registration of macOS devices to Azure AD
Azure AD registration can be done using the Company Portal application, which we can download through the web Company Portal or directly from aka.ms/EnrollMyMac.
macOS - registration using Company Portal
Company Portal is used for enrollment in Intune, but its first step is registration to Azure AD. We can do only this step and skip installing the Management Profile. During tests, the registration worked for me even when macOS device registration wasn't enabled in Intune.
- launch the Company Portal application
- log in with an Azure AD account - Sign in
- a wizard for setting up access to the organization is offered; we start with the Begin button (the Postpone button launches the Company Portal application without device registration)
- privacy information is displayed, what the company can and cannot see, we continue with Continue
- device registration to Azure AD takes place
- we end here if we don't want to register with Intune
Registration of Android (and iOS) devices to Azure AD
Microsoft states (Azure AD registered devices) that on mobile devices, we can perform registration to Azure AD using the Intune Company Portal or Microsoft Authenticator application. But I couldn't find any more detailed information. I only performed tests on Android, so I don't know how similar iOS is. While searching for an official description of Android device registration, I came across a mention of an interesting method of registration using Android settings.
Android - registration by adding a work account - Workplace Join
- Settings - Accounts
- click on Add account
- select Work account
- log in with an Azure AD account
- a certificate is issued for the device with the default name microsoft workaccount (we can change it)
Accounts that we add using Android settings are also visible in the Microsoft Authenticator application and vice versa.
Note: On Xiaomi phones, connected Work accounts are visible, but there's no option to add a new one.
Android - registration using Microsoft Authenticator
Using the Microsoft Authenticator application, we can register our device to Azure AD during the process of adding an account for multi-factor authentication (via QR code) or setting up passwordless login.
Or we can perform registration during manual account addition:
- Add account
- select Work or school account and Sign in
- log in with an Azure AD account
- the next step is device registration, which we can skip; this registration does not issue a device certificate (see Device Authentication with Android below)
We can also trigger device registration to Azure AD in the menu:
- Settings - Device Registration
Android - registration using Company Portal
According to my tests, the Intune Company Portal application on Android can only be used for registration to Intune. At that time, registration to Azure AD also takes place. But I couldn't manage to perform only registration to Azure AD, like on macOS. If we don't have Android device registration to Intune enabled, we won't perform any registration using Company Portal.
Android - canceling registration
We can remove the work account from the system.
- Settings - Accounts - select the work account
- choose Remove account
- correct removal takes place, including canceling registration in Azure AD
Or use the Microsoft Authenticator application.
- Settings - Device Registration
- click on Unregister device
Device Authentication - device verification (identification)
When we log in to a work application using an Azure AD account, not only the user can be verified (User Authentication) but also the device (Device Authentication). The user is identified by their user name (which identifies the user object in Azure AD) and authenticated with one of the authentication methods: a password, Windows Hello for Business, a FIDO2 security key, or an MFA method.
If we want to verify the device, a device object must similarly exist in Azure AD, i.e. a device identity. It is created by registering or joining the device to Azure AD and receives a unique Device ID. The device is authenticated (primarily) with its device certificate.
If we log in with an Azure AD account to an application from a computer that is registered or joined to Azure AD, Device Authentication can take place automatically. Azure AD then knows the Device ID of the device and we can work with it further, for example in a Conditional Access Policy: we have identified the device the user is connecting from and can restrict access to certain devices only.
Device authentication works only on certain combinations of operating system and application, most often a browser; the official list is in Supported browsers. Other conditions must also be met, which we discuss further below.
Supported OS are Windows 10 and newer, Windows Server 2019 and 2022, macOS, iOS and Android. The best supported browser is Microsoft Edge; Chrome is also usually supported, Firefox and Safari in some cases. Firefox and Chrome on Windows require certain configuration, see Browser settings for device authentication and SSO usage. Edge, Safari on macOS and Chrome on Android work without extra configuration.
Azure AD login information
In the Azure Active Directory admin center, we can look at the user's sign-in logs; if device authentication took place, we will see the device identification there.
We should always see the operating system and possibly the browser used; these come from the browser's User-Agent and do not require device authentication. For anything more, Device Authentication must take place. Then the record contains the Device ID, which we can click through to open the device object, together with the join type, whether the device is managed (via MDM (Intune)) and whether it is compliant with policies.
We can view logs centrally under Users - Sign-in logs or for a specific user under Users - user - Sign-in logs. We open the selected log and switch to the Device info tab.
Note: Be aware that records are displayed here with a delay of several minutes.
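The same Device info fields are available through the Microsoft Graph sign-in log export, which is how we check a whole tenant rather than one record at a time. The following is an added example, not code from the original article or from Microsoft: it takes sign-in records in the Graph signIn shape (deviceDetail with deviceId, operatingSystem, browser, trustType, isManaged, isCompliant; conditionalAccessStatus) and sorts them by whether device authentication happened. The four records are constructed, and the trustType strings are assumed to match what the portal's Device info tab displays.

```python
"""Triage Azure AD sign-in log records for device identity.

Added example, not code from the article or from Microsoft.  Records follow the
field names of the Microsoft Graph ``signIn`` resource; the records in
SAMPLE_SIGNINS are constructed and the trustType strings are an assumption.
"""
from collections import Counter
from typing import Dict, Iterable, List


def _rec(rid, upn, os_, browser, device_id="", trust="", managed=False,
         compliant=False, ca="notApplied") -> Dict:
    """Build one constructed sign-in record in Graph signIn shape."""
    return {
        "id": rid,
        "userPrincipalName": upn,
        "appDisplayName": "Office 365",
        "conditionalAccessStatus": ca,      # success | failure | notApplied
        "deviceDetail": {
            "deviceId": device_id, "operatingSystem": os_, "browser": browser,
            "trustType": trust, "isManaged": managed, "isCompliant": compliant,
        },
    }


SAMPLE_SIGNINS: List[Dict] = [
    # Windows + Edge: the PRT carries the device identity on every login
    _rec("s1", "alice@example.com", "Windows10", "Edge 118.0.0",
         "70a8d986-5ef7-4b24-9cc6-000000000001", "Hybrid Azure AD joined",
         managed=True, compliant=True, ca="success"),
    # macOS + Safari with no policy asking for the device: only OS/browser known
    _rec("s2", "bob@example.com", "MacOs", "Safari 17.0"),
    # Android + Chrome: certificate presented (device known) but not enrolled in
    # Intune, so a "require compliant device" policy fails
    _rec("s3", "carol@example.com", "Android", "Chrome Mobile 118.0.0",
         "fe98f6f1-5b50-4d10-9711-000000000003", "Azure AD registered", ca="failure"),
    # Windows + Firefox without the browser configuration for device auth / SSO
    _rec("s4", "dave@example.com", "Windows10", "Firefox 119.0", ca="success"),
]


def has_device_identity(rec: Dict) -> bool:
    """True when device authentication happened: the record carries a Device ID."""
    return bool((rec.get("deviceDetail") or {}).get("deviceId"))


def triage(records: Iterable[Dict]) -> Dict[str, object]:
    """Summarise device identity per OS and list the sign-ins worth a closer look."""
    by_os: Counter = Counter()
    no_device: List[str] = []                # login completed without any device identity
    windows_without_device: List[str] = []   # Windows should always send one (PRT)
    device_not_compliant: List[str] = []     # device known, CA failed, device not compliant
    for rec in records:
        dd = rec.get("deviceDetail") or {}
        os_ = dd.get("operatingSystem", "")
        ident = has_device_identity(rec)
        by_os[(os_, "device-authenticated" if ident else "no-device-identity")] += 1
        if not ident:
            no_device.append(rec["id"])
            if os_.lower().startswith("windows"):
                windows_without_device.append(rec["id"])
        elif rec.get("conditionalAccessStatus") == "failure" and not dd.get("isCompliant"):
            device_not_compliant.append(rec["id"])
    return {
        "by_os": by_os,
        "no_device_identity": no_device,
        "windows_without_device": windows_without_device,
        "device_not_compliant": device_not_compliant,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS)
    for (os_name, state), count in sorted(result["by_os"].items()):
        print(f"{os_name:10} {state:22} {count}")
    print("Windows logins without a Device ID:", result["windows_without_device"])
    print("Known but non-compliant devices:   ", result["device_not_compliant"])
```

A Windows record without a Device ID points at an unregistered device or a browser that is not configured for device authentication, while a macOS or Android record without one is the default behaviour described later in this article: nothing asked those devices for their certificate.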
MS-Organization-Access Certificates
Device authentication is done with a client certificate. The certificate is issued not only on Windows, but also on macOS, Android and iOS.
When a device is joined or registered to Azure AD, the Azure Device Registration Service (Azure DRS) is used: the client generates a key pair and sends a certificate request, and Azure DRS creates the device object in Azure AD and issues the device certificate for that request. Some details are in How it works: Device registration.
The device certificate is issued by the MS-Organization-Access certification authority and its subject (Subject Common Name) is the Device ID. If a Windows computer is Azure AD Registered, the certificate is stored in the certificate store of the given user (certmgr.msc). If it is Azure AD Joined or Hybrid Azure AD Joined, it is stored in the certificate store of the computer (certlm.msc).
The certificate subject therefore contains the ID of the device object in Azure AD, i.e. the Device ID. For a Hybrid Azure AD Joined computer, this is also the value of the objectGUID attribute of the computer object in AD DS. The presence of the certificate directly determines whether the computer is registered/joined to Azure AD. An interesting test is described in The TenantID from Toronto.
On Windows (allegedly also on iOS and Android), the certificate is used during authentication to obtain the Primary Refresh Token (PRT). The PRT then contains the Device ID and is used to identify the device at each user login. More information in What is a Primary Refresh Token?
Information about the certificate can also be found with the command dsregcmd /status, which displays the device's status in Azure AD. If the device is joined to Azure AD, there is a Device Details section where we can see the certificate Thumbprint and other details:
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 70a8d986-5ef7-4b24-9cc6-xxxxxxxxxxxx
                Thumbprint : 163407A5886B2B23849D3E278590B34XXXXXXXXX
 DeviceCertificateValidity : [ 2022-09-20 10:39:44.000 UTC -- 2032-09-20 11:09:44.000 UTC ]
            KeyContainerId : 9aae1c87-d4db-4709-ab7b-2a213e170079
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS
If the device is registered in Azure AD, there is a Work Account section:
+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+
         WorkplaceDeviceId : fe98f6f1-5b50-4d10-9711-xxxxxxxxxxxx
       WorkplaceThumbprint : A8220A0A7DD4AB3EBDE1C5E7380DF85XXXXXXXXX
 DeviceCertificateValidity : [ 2021-07-26 13:16:17.000 UTC -- 2031-07-26 13:46:17.000 UTC ]
            KeyContainerId : 8f755753-6abd-47dc-8052-xxxxxxxxxxxx
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
              WorkplaceIdp : login.windows.net
         WorkplaceTenantId : bb9528c8-3d14-4888-91fd-xxxxxxxxxxxx
       WorkplaceTenantName : Company Inc.
           WorkplaceMdmUrl :
      WorkplaceSettingsUrl :
                    NgcSet : NO
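The two outputs differ in more than the section title: the joined device keeps its key in the TPM (Microsoft Platform Crypto Provider, TpmProtected : YES) while the registered work account uses a software key (Microsoft Software Key Storage Provider, TpmProtected : NO), and an empty WorkplaceMdmUrl shows the account is registered but not MDM-enrolled. When collecting dsregcmd /status from many machines, it helps to parse it rather than read it. The following is an added example, not code from the article or from Microsoft; SAMPLE_STATUS is constructed from the two excerpts above (with the x-masked IDs kept as the article prints them), and the warnings it raises are this example's own choices.

```python
"""Parse the text output of ``dsregcmd /status`` and summarise how the
device is tied to Azure AD.

Added example, not code from the article or from Microsoft.  SAMPLE_STATUS is
constructed from the two excerpts shown in the article (IDs partly masked
with x's exactly as the article prints them).
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 70a8d986-5ef7-4b24-9cc6-xxxxxxxxxxxx
                Thumbprint : 163407A5886B2B23849D3E278590B34XXXXXXXXX
 DeviceCertificateValidity : [ 2022-09-20 10:39:44.000 UTC -- 2032-09-20 11:09:44.000 UTC ]
            KeyContainerId : 9aae1c87-d4db-4709-ab7b-2a213e170079
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+
         WorkplaceDeviceId : fe98f6f1-5b50-4d10-9711-xxxxxxxxxxxx
       WorkplaceThumbprint : A8220A0A7DD4AB3EBDE1C5E7380DF85XXXXXXXXX
 DeviceCertificateValidity : [ 2021-07-26 13:16:17.000 UTC -- 2031-07-26 13:46:17.000 UTC ]
            KeyContainerId : 8f755753-6abd-47dc-8052-xxxxxxxxxxxx
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
              WorkplaceIdp : login.windows.net
         WorkplaceTenantId : bb9528c8-3d14-4888-91fd-xxxxxxxxxxxx
       WorkplaceTenantName : Company Inc.
           WorkplaceMdmUrl :
      WorkplaceSettingsUrl :
                    NgcSet : NO
"""

_SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|$")          # "| Device Details |"
_KV_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$")  # "   Key : value"
_VALIDITY_RE = re.compile(r"\[\s*(.+?) UTC -- (.+?) UTC\s*\]")


def parse_dsregcmd(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section title: {key: value}} for every boxed section."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("+"):
            continue                           # blank line or box border
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)   # empty values stay ""
    return sections


@dataclass
class Binding:
    kind: str            # "joined" (Device Details) or "registered" (Work Account n)
    section: str
    device_id: str
    thumbprint: str
    key_provider: str
    tpm_protected: bool
    not_after: Optional[datetime]
    warnings: List[str] = field(default_factory=list)


def assess(sections: Dict[str, Dict[str, str]],
           now: Optional[datetime] = None) -> List[Binding]:
    """Turn parsed sections into device bindings with practitioner warnings."""
    now = now or datetime.now(timezone.utc)
    out: List[Binding] = []
    for title, kv in sections.items():
        if title == "Device Details":
            kind, id_key, tp_key = "joined", "DeviceId", "Thumbprint"
        elif title.startswith("Work Account"):
            kind, id_key, tp_key = "registered", "WorkplaceDeviceId", "WorkplaceThumbprint"
        else:
            continue
        not_after = None
        m = _VALIDITY_RE.search(kv.get("DeviceCertificateValidity", ""))
        if m:
            not_after = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S.%f")
            not_after = not_after.replace(tzinfo=timezone.utc)
        b = Binding(kind, title, kv.get(id_key, ""), kv.get(tp_key, ""),
                    kv.get("KeyProvider", ""),
                    kv.get("TpmProtected", "").upper() == "YES", not_after)
        if not b.tpm_protected:
            b.warnings.append("device key is not TPM-protected (software key storage provider)")
        if kind == "joined" and kv.get("DeviceAuthStatus", "").upper() != "SUCCESS":
            b.warnings.append(f"DeviceAuthStatus is {kv.get('DeviceAuthStatus') or 'missing'}")
        if kind == "registered" and not kv.get("WorkplaceMdmUrl"):
            b.warnings.append("empty WorkplaceMdmUrl: registered but not MDM-enrolled")
        if not_after is not None and not_after < now:
            b.warnings.append("device certificate has expired")
        out.append(b)
    return out


if __name__ == "__main__":
    for b in assess(parse_dsregcmd(SAMPLE_STATUS)):
        print(f"{b.kind:10} {b.device_id}  TPM={b.tpm_protected}  {b.key_provider}")
        for w in b.warnings:
            print("   !", w)
```

Feed it the real output (dsregcmd /status redirected to a file) and the TPM check alone is worth having: a device certificate whose key lives in a software KSP can be copied off the machine together with its PRT, which a TPM-bound key cannot.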
Device authentication process during user login
Windows devices
If we connect from Windows 10 or newer, using a supported (and configured) web browser, Edge, Chrome or Firefox, to a company application, device authentication happens automatically in the background. In the Sign-in log we see the device identification for every user login, whether or not a Conditional Access Policy makes use of it. The Primary Refresh Token (PRT), which carries the device identification, is used for this, so the user is never asked to pick a certificate.
The important thing is that every login from a Windows device that is registered or joined to Azure AD contains the device identification.
Devices with macOS, Android, and iOS
For a long time, I had the impression that device authentication doesn't work (doesn't happen) on macOS and Android. Until I quite accidentally discovered that special rules apply here. I verified this with many practical experiments on macOS and Android (and it should be the same for iOS). In the official documentation, I found only one mention (and I couldn't find any description of this behavior elsewhere) that partially relates to this. It's a description of Conditional Access Policy when we require the device to be Compliant - Require device to be marked as compliant.
On Windows 7, iOS, Android, macOS, and some third-party web browsers, Azure AD identifies the device by using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser.
Unlike Windows 10 and newer, which support the PRT, device identification in the browser on iOS, Android and macOS happens directly with the client certificate, which we must select/confirm during login. The crucial point, however, is that by default no Device Authentication occurs at all from these devices: the browser is never asked for the certificate.
If we set a Conditional Access Policy that requires a Compliant device, then during login an event with status Interrupted is logged in the Sign-in log with the text:
This is not an error - this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your user's part to sign in. The sign in logs may indicate that the device authentication challenge was passed successfully or failed.
Conditional Access Policy for activating device authentication
Device authentication (use of the certificate) is requested during login only if access to the application requires some property that needs the device identity. In practice this means a Conditional Access Policy that requires the device to be marked as Compliant or to be Hybrid Azure AD Joined (there may be other variants, but I only discovered these two).
Of course, macOS, Android or iOS will never be Hybrid Azure AD Joined, so such a policy denies access (but the device identification is visible in the log). If Compliant is required and the device is not enrolled in Intune, the user is sent to the enrollment wizard and does not get into the application until then.
Later, another option occurred to me. We can enable the Conditional Access Policy in Report-only mode. Logging into the application then works, but device identification is requested where possible (when I didn't have a certificate issued on Android, the login proceeded without verification). When we enable this mode, the policy even displays the information:
Policies in Report-only mode requiring compliant devices may prompt users on macOS, iOS, Android, and Linux to select a device certificate. Learn more
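The same policy can be created through the Microsoft Graph conditionalAccessPolicy resource, where Report-only is the state value enabledForReportingButNotEnforced and the two grant controls discussed above are compliantDevice and domainJoinedDevice (Hybrid Azure AD Joined). The following is an added example, not code from the article or from Microsoft: it builds such a policy object and lints it for the two pitfalls described in this section, requiring Hybrid join from platforms that can never satisfy it and prompting non-Windows users for a certificate. The policy is a constructed object; posting it to the Graph endpoint is left to the operator and is not done here.

```python
"""Build and sanity-check a Conditional Access policy that requires a compliant
device, in the JSON shape of the Microsoft Graph ``conditionalAccessPolicy``
resource.

Added example, not code from the article or from Microsoft.  The policy object
is constructed locally and never sent anywhere.
"""
import json
from typing import Dict, List, Optional

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for Report-only
ENABLED = "enabled"
# Platforms where device identification means a certificate prompt in the browser
NON_WINDOWS = {"macOS", "iOS", "android", "linux"}


def compliant_device_policy(name: str, app_ids: List[str], platforms: List[str],
                            report_only: bool = True,
                            group_ids: Optional[List[str]] = None) -> Dict:
    """Policy: for the given apps and platforms, grant access only to compliant devices."""
    users = {"includeGroups": list(group_ids)} if group_ids else {"includeUsers": ["All"]}
    return {
        "displayName": name,
        "state": REPORT_ONLY if report_only else ENABLED,
        "conditions": {
            "applications": {"includeApplications": list(app_ids)},  # e.g. "Office365"
            "users": users,
            "platforms": {"includePlatforms": list(platforms)},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def lint_policy(policy: Dict) -> List[str]:
    """Point out the pitfalls discussed in the article before the policy is enforced."""
    notes: List[str] = []
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    conditions = policy.get("conditions") or {}
    platforms = set((conditions.get("platforms") or {}).get("includePlatforms", []))
    non_windows = bool(platforms & NON_WINDOWS) or "all" in platforms
    users = conditions.get("users") or {}
    enforced = policy.get("state") == ENABLED

    # Hybrid Azure AD Joined is required and cannot be met by mac/iOS/Android
    if "domainJoinedDevice" in controls and non_windows and (
            grant.get("operator") == "AND" or controls == {"domainJoinedDevice"}):
        notes.append("Hybrid Azure AD joined is required but macOS/iOS/Android can never "
                     "satisfy it: those users will be denied")
    # Any device-state control triggers device authentication on non-Windows
    if controls & {"compliantDevice", "domainJoinedDevice"} and non_windows:
        notes.append("device authentication will be triggered on macOS/iOS/Android: users are "
                     "prompted to pick the device certificate, even in Report-only mode")
    if enforced and "compliantDevice" in controls:
        notes.append("enforced: users on devices not enrolled in Intune are sent to the "
                     "Company Portal enrollment wizard")
    if enforced and not users.get("includeGroups"):
        notes.append("enforced for all users: pilot with a group first")
    return notes


if __name__ == "__main__":
    policy = compliant_device_policy("CA - require compliant device (report-only)",
                                     ["Office365"], ["macOS", "iOS", "android"])
    print(json.dumps(policy, indent=2))
    for note in lint_policy(policy):
        print("!", note)
```

Start in Report-only with the platforms limited to the ones you are testing; the lint output for that configuration is exactly the portal warning quoted above, and flipping report_only to False adds the enrollment and scoping warnings that matter before enforcement.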
Device Authentication with macOS
macOS is a peculiar operating system, and we may encounter various issues. If we want to test (or directly use) Device Authentication, we create a Conditional Access Policy, see above. For example, for access to www.office.com, we require a Compliant device.
We register the computer in Azure AD and restart it. Using Safari, Edge or Chrome we open this address and log in with an Azure AD account. Immediately afterwards a dialog pops up stating that device.login.microsoftonline.com requests client certificate authentication and offers the certificate issued by MS-Organization-Access. This is the device authentication we required.
After confirmation, another dialog pops up stating that the browser wants to sign using the private key Microsoft Workplace Join Key and asks for the password of the keychain named login. When entering the password, we can choose Allow or Always Allow; the latter should add the application to the exceptions so that the password is not required again. I couldn't find any official information about the Microsoft Workplace Join Key, only various discussions about issues.
Here, during tests, I encountered problems (often the same ones mentioned by people in discussions). It should be the password of the logged-in user (If you need to update your keychain password on Mac), but it didn't work for me (in many attempts on multiple devices).
The advice is to open the Keychain Access application, where in Default Keychains - Login, we find the private key Microsoft Workplace Join Key. We set Access Control on it, either allowing access to all applications or adding our browser to exceptions Always allow access by these applications. On one test MacBook, access worked immediately after this, on another, it still asked for the password, but the user's password worked.
The image shows the default key settings. We can add, for example, the Safari browser.
Device Authentication with Android
If we register an Android device in Azure AD using the Microsoft Authenticator app (which is often the case), no device certificate is issued, so device authentication in the browser cannot take place. We must request the certificate manually in the Microsoft Authenticator or Intune Company Portal app (Enable browser access).
Issuing a certificate for the device in Microsoft Authenticator
- Menu - Settings - Device Registration
- click Enable browser access
- confirm continuation with Continue
- select the certificate type; we can change the name (default microsoft workaccount) and confirm with OK
Issuing a certificate for the device in Company Portal
- Menu - Settings
- in Enable browser access, click Enable
- select the certificate type; we can change the name (default microsoft workaccount) and confirm with OK
Verifying that the certificate has been issued (the system lists the user certificates but does not display their details):
- Xiaomi MIUI
- Settings - Passwords & security - Privacy - Encryption & credentials - User credentials
- classic Android
- Settings - Security - Encryption & credentials - User credentials
Logging in with device authentication. On a registered Android device, we can use Chrome or Edge to access a company application (for which we have set a Conditional Access Policy). We log in with an Azure AD account and then must select/confirm the certificate for authentication at device.login.microsoftonline.com.
Requiring Compliant and Device Not Registered in Intune
If we connect to a company application from any supported operating system, log in with an Azure AD account, and device authentication takes place (on Windows we don't notice it; on macOS or Android we select a certificate), the following dialog may then appear:
Set up your device to get access
COMPANY requires you to secure this device before you can access COMPANY email, files, and data. If you go to other apps or sites, they may recognize that you are signed in.
You can enroll your device with COMPANY or sign out
If we click Continue, the Company Portal web page opens to register the device in Intune.
The reason is that for access to the application, we have created a Conditional Access Policy that requires the device to be Compliant.