
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

You can view this article in the original Czech version.

Windows, macOS and Android Azure AD enrollment and device authentication

Petr Bouška - Samuraj
Let's take a look at the possible ways to enroll devices into Azure AD / Entra ID. We'll focus on macOS and Android (iOS should be similar), but we'll also cover Windows. In the second part, we'll discuss Device Authentication, which is the authentication of a device when logging into Azure AD that we can use for device identification and access control. Again, it's more interesting working on macOS and Android, which has some limitations, whereas Windows simply works automatically.

Note: This article was primarily created for macOS devices. Some information was presented in older articles, mainly Hybrid Azure AD Join. I'm not very familiar with macOS, so the information may not be precise. I tried to better understand how device authentication (identification) works to make it functional from macOS as well. In the end, I came across interesting information that I couldn't find described anywhere. I also added information about how it works on Android devices.

I'm very surprised that I couldn't find official documentation from Microsoft for most of these areas (and there isn't much unofficial documentation either). Microsoft describes only working with Windows everywhere. Other operating systems are supported, but I couldn't find any description of how registration to Azure AD is performed (or how to unregister), nor an overall description of how Device Authentication works and what needs to be done.

Type of connection to Azure AD - registered versus joined devices

A device can be registered or joined, or additionally enrolled in Intune. Possible variants (without Intune):

  • AD Domain Joined - the device is joined to On-Premises AD DS (internal/local Active Directory)
  • Azure AD Joined - the device is joined to Azure AD (cloud-only)
  • Hybrid Azure AD Joined - the device is joined to On-Premises AD DS and registered in Azure AD
  • Azure AD Registered - the device is registered in Azure AD, also referred to as Workplace Joined

Note: For a device to be identified as Hybrid Azure AD Joined in Azure AD, certain conditions must be met. It's not enough to just register an AD Domain Joined computer separately in Azure AD.

Device registered in Azure AD - Azure AD Registered Device

  • Azure AD registered devices
  • allows the use of Bring your own device (BYOD) and mobile devices for accessing organizational resources from personal devices
  • we can register personal or company devices
  • we don't need to log in with a company account on the device (we work on it with a local or domain account)
  • a company Azure AD account is connected on the device for accessing organizational resources
  • supported operating systems are Windows 10 and newer, iOS, Android, macOS, Ubuntu 20.04/22.04
  • we can use SSO for cloud resources
  • we can use device identity to control access to resources (Conditional Access Policies)

Registration to Azure AD - Azure AD Registration

Device registration to Azure AD involves creating an object of the device in Azure AD. We can do this in various ways, which depend on the operating system of the given device.

We often mention work application here in connection with Azure AD. This refers to an application where we log in with an Azure AD account and can use various Azure AD options. It can be one of the Microsoft 365 applications, such as MS Teams, Office, Sharepoint, etc., but also a non-Microsoft application that is connected to Azure AD as an Enterprise application.

Company Portal is the web page portal.manage.microsoft.com and also an application for various operating systems. It primarily serves for enrollment in and work with Intune. Enrollment in Intune also registers the device in Azure AD, so in some places we can use it for that purpose. For registration the web page is not enough; the application must be used.

Registration of Windows devices to Azure AD

Azure AD registration can be done during the first access to a work application or manually using the settings menu of Windows 10 or Windows 11.

Windows - registration when logging in with an Azure AD account

When we log in with an Azure AD account to a work application, a dialog may appear asking if we allow the organization to manage our device (Allow my organization to manage my device). If we agree, the Azure AD account we're currently logging in with will be connected to our account that we're logged into the computer with. Our device will also be registered in Azure AD.

Azure AD Registration

Windows - manual registration

  • Settings - Accounts - Access work or school
  • select Connect
  • log in with an Azure AD account
  • in the settings, we'll then see our Work or school account
Windows - Accounts - Access work or school

Windows - canceling registration

  • Settings - Accounts - Access work or school
  • click on the account
  • select Disconnect and confirm the warning

Registration of macOS devices to Azure AD

Azure AD registration can be done using the Company Portal application, which we can download through the web Company Portal or directly from aka.ms/EnrollMyMac.

macOS - registration using Company Portal

Company Portal is used for registration to Intune, but the first step is registration to Azure AD. We can do this and then we don't need to install the Management Profile. During tests, the registration worked for me even when macOS device registration wasn't enabled in Intune.

  • launch the Company Portal application
  • log in with an Azure AD account - Sign in
  • a wizard for setting up access to the organization is offered, we start with the Begin button (the Postpone button launches the Company Portal application without device registration)
  • privacy information is displayed, what the company can and cannot see, we continue with Continue
macOS Company Portal registration to Azure AD 1
  • device registration to Azure AD takes place
  • we end here if we don't want to register with Intune
macOS Company Portal registration to Azure AD 2

Registration of Android (and iOS) devices to Azure AD

Microsoft states (Azure AD registered devices) that on mobile devices, we can perform registration to Azure AD using the Intune Company Portal or Microsoft Authenticator application. But I couldn't find any more detailed information. I only performed tests on Android, so I don't know how similar iOS is. While searching for an official description of Android device registration, I came across a mention of an interesting method of registration using Android settings.

Android - registration by adding a work account - Workplace Join

  • Settings - Accounts
  • click on Add account
  • select Work account
Android - Add Work account
  • log in with an Azure AD account
  • a certificate is issued for the device, default name microsoft workaccount (we can change it)
Android - Add Work account - certificate

Accounts that we add using Android settings are also visible in the Microsoft Authenticator application and vice versa.

Note: On Xiaomi phones, connected Work accounts are visible, but there's no option to add a new one.

Android - registration using Microsoft Authenticator

Using the Microsoft Authenticator application, we can register our device to Azure AD during the process of adding an account for multi-factor authentication (via QR code) or setting up passwordless login.

Or we can perform registration during manual account addition:

  • Add account
  • select Work or school account and Sign in
  • log in with an Azure AD account
  • the next step is device registration, which we can skip; during registration, no certificate is issued
Android - Microsoft Authenticator - Device Registration

We can also trigger device registration to Azure AD in the menu:

  • Settings - Device Registration

Android - registration using Company Portal

According to my tests, the Intune Company Portal application on Android can only be used for registration to Intune. Registration to Azure AD takes place at the same time. But I couldn't manage to perform only registration to Azure AD, as on macOS. If Android device registration to Intune is not enabled, no registration is performed via Company Portal.

Android - canceling registration

We can remove the work account from the system.

  • Settings - Accounts - select the work account
  • choose Remove account
  • correct removal takes place, including canceling registration in Azure AD

Or use the Microsoft Authenticator application.

  • Settings - Device Registration
  • click on Unregister device
Android - Microsoft Authenticator - Unregister device

Device Authentication - device verification (identification)

When we log in to a work application using an Azure AD account, we can verify not only the user (User Authentication) but also the device (Device Authentication). The user is authenticated by entering their email (identification of the user object in Azure AD) and using a specific authentication method, which can be a password, but also Windows Hello for Business or a FIDO2 security key, or a certain MFA method.

If we want to verify the device, there must similarly exist a device object in Azure AD. In other words, a device identity. This is created by registering or joining the device to Azure AD and it receives a unique Device ID. Authentication is performed (primarily) using the device's certificate.

If we log in with an Azure AD account to an application from a computer that is registered or joined to Azure AD, Device Authentication can automatically take place. This allows us to obtain the Device ID (device identification) in Azure AD and we can work with it further, for example using Conditional Access Policy. Thus, we have identified the device from which the user is connecting, and we can restrict access to only certain devices.

Device authentication only works on certain combinations of operating system and application, most often a browser. Officially described in Supported browsers. Other conditions must also be met, which we will discuss further.

Supported OS are Windows 10 and newer, Windows Server 2019, 2022, macOS, iOS, and Android. The best supported browser is Microsoft Edge. Also often Chrome and sometimes Firefox and Safari. Firefox and Chrome on Windows require certain configuration, more in Browser settings for device authentication and SSO usage. Edge, and Safari on macOS, work automatically, as does Chrome on Android.

Azure AD login information

In the Azure Active Directory admin center, we can look at the user's sign-in logs, and if device authentication took place, we will see its identification here.

We should always see the identification of the operating system and possibly the browser used. For further information, Device Authentication must have taken place. Then we have the Device ID and can click through directly to the device, and information about the join type, whether it is managed (via MDM, i.e. Intune) and whether it is compliant with policies is added.

We can view logs centrally under Users - Sign-in logs or for a specific user under Users - user - Sign-in logs. We open the selected log and switch to the Device info tab.

Note: Be aware that records are displayed here with a delay of several minutes.

Azure AD Sign-in logs - Device info

MS-Organization-Access Certificates

Device authentication is done using a client certificate. The certificate is issued not only on Windows, but also on macOS, Android and iOS.

When joining or registering a device to Azure AD, the Azure Device Registration Service (Azure DRS) is used, which writes the device object to Azure AD and issues a certificate for the device (from the request sent by the client). Certain information can be found in How it works: Device registration.

For devices, a certificate is issued from MS-Organization-Access and its name / subject (Subject Common Name) is Device ID / objectGUID. If a Windows computer is registered in Azure AD (Azure AD Registered), it is stored in the certificate store of the given user (certmgr.msc). If it is (hybrid) joined to Azure AD (Azure AD Joined or Hybrid Azure AD Joined), it is stored in the certificate store of the given computer (certlm.msc).

The certificate subject contains the ID of the computer object in Azure AD, i.e., the Device ID. If the computer is Hybrid Azure AD Joined, it also corresponds to the value of the objectGUID attribute of the computer in AD DS. The presence of the certificate directly determines whether the computer is registered/joined to Azure AD. An interesting test is described in The TenantID from Toronto.

On Windows (allegedly also iOS and Android), the certificate is used during the authentication process to obtain the Primary Refresh Token (PRT). This then contains the Device ID and is used to identify the device during each user login. More information What is a Primary Refresh Token?

Information about the certificate can also be found using the command dsregcmd /status, which displays information about the device status in Azure AD. If the device is joined to Azure AD, we have a Device Details section where we can see the certificate Thumbprint and other details.

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 70a8d986-5ef7-4b24-9cc6-xxxxxxxxxxxx
                Thumbprint : 163407A5886B2B23849D3E278590B34XXXXXXXXX
 DeviceCertificateValidity : [ 2022-09-20 10:39:44.000 UTC -- 2032-09-20 11:09:44.000 UTC ]
            KeyContainerId : 9aae1c87-d4db-4709-ab7b-2a213e170079
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS

If the device is registered in Azure AD, we have a Work Account section.

+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+
         WorkplaceDeviceId : fe98f6f1-5b50-4d10-9711-xxxxxxxxxxxx
       WorkplaceThumbprint : A8220A0A7DD4AB3EBDE1C5E7380DF85XXXXXXXXX
 DeviceCertificateValidity : [ 2021-07-26 13:16:17.000 UTC -- 2031-07-26 13:46:17.000 UTC ]
            KeyContainerId : 8f755753-6abd-47dc-8052-xxxxxxxxxxxx
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
              WorkplaceIdp : login.windows.net
         WorkplaceTenantId : bb9528c8-3d14-4888-91fd-xxxxxxxxxxxx
       WorkplaceTenantName : Company Inc.
           WorkplaceMdmUrl :
      WorkplaceSettingsUrl :
                    NgcSet : NO
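As an added example (not code from the article), the following Python script parses the two dsregcmd /status sections shown above, tells a joined device (Device Details) from a registered one (Work Account), and reports what an administrator checks first: certificate validity, whether the key is TPM protected, and DeviceAuthStatus. The sample text is constructed from the output printed above, with the masked values kept; the fixed "now" is an assumption so the validity check is reproducible.

```python
"""Parse `dsregcmd /status` output and summarise the Azure AD device certificate.
Added example, not code from the article; the sample text is constructed from
the two sections the article shows (masked values kept as printed there)."""
import re
from datetime import datetime, timezone

# Constructed sample shaped like the article's dsregcmd /status output.
SAMPLE = """\
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 70a8d986-5ef7-4b24-9cc6-xxxxxxxxxxxx
                Thumbprint : 163407A5886B2B23849D3E278590B34XXXXXXXXX
 DeviceCertificateValidity : [ 2022-09-20 10:39:44.000 UTC -- 2032-09-20 11:09:44.000 UTC ]
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+
         WorkplaceDeviceId : fe98f6f1-5b50-4d10-9711-xxxxxxxxxxxx
       WorkplaceThumbprint : A8220A0A7DD4AB3EBDE1C5E7380DF85XXXXXXXXX
 DeviceCertificateValidity : [ 2021-07-26 13:16:17.000 UTC -- 2031-07-26 13:46:17.000 UTC ]
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
              WorkplaceIdp : login.windows.net
"""
# Assumed fixed "now" (the article's date) so the validity check is reproducible.
FIXED_NOW = datetime(2024, 11, 5, tzinfo=timezone.utc)

SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|$")           # "| Device Details |" box title
KV_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*:\s*(.*)$")    # "   Key : value" rows
VALIDITY_RE = re.compile(r"\[\s*(.+?)\s*--\s*(.+?)\s*\]")
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f UTC"

def parse_dsregcmd(text):
    """Return {section title: {key: value}} for every boxed section."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections

def summarize(text, now=FIXED_NOW):
    """Classify each section as joined/registered and list defender-relevant findings."""
    results = []
    for title, kv in parse_dsregcmd(text).items():
        if title == "Device Details":            # Azure AD Joined / Hybrid Azure AD Joined
            kind, dev_id, thumb = "joined", kv.get("DeviceId"), kv.get("Thumbprint")
        elif title.startswith("Work Account"):   # Azure AD Registered (workplace join)
            kind, dev_id, thumb = "registered", kv.get("WorkplaceDeviceId"), kv.get("WorkplaceThumbprint")
        else:
            continue
        findings = []
        m = VALIDITY_RE.search(kv.get("DeviceCertificateValidity", ""))
        if m:
            start, end = (datetime.strptime(m.group(i), TIME_FMT).replace(tzinfo=timezone.utc) for i in (1, 2))
            if not start <= now <= end:
                findings.append("device certificate outside its validity period")
        else:
            findings.append("no DeviceCertificateValidity: no device certificate present")
        if kv.get("TpmProtected") != "YES":
            findings.append("device key not TPM protected (software key storage)")
        if kind == "joined" and kv.get("DeviceAuthStatus") != "SUCCESS":
            findings.append("DeviceAuthStatus is not SUCCESS")
        results.append({"type": kind, "device_id": dev_id, "thumbprint": thumb, "findings": findings})
    return results

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

Feed it the real output with `dsregcmd /status | python this_script.py`-style piping only after replacing SAMPLE with `sys.stdin.read()`; the parser ignores every line outside the boxed sections.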

Device authentication process during user login

Windows devices

If we connect from Windows 10 (probably other versions too), using a supported (and configured) web browser Edge, Chrome or Firefox, to a company application, device authentication will happen automatically in the background. In the Sign-in log, we will see device identification for each user login. We may or may not work with it using Conditional Access Policy. Probably, the Primary Refresh Token (PRT), which contains device identification, is used for user authentication.

The important thing is that every login from Windows that is registered or joined to Azure AD contains device identification.

Devices with macOS, Android, and iOS

For a long time, I had the impression that device authentication doesn't work (doesn't happen) on macOS and Android. Until I quite accidentally discovered that special rules apply here. I verified this with many practical experiments on macOS and Android (and it should be the same for iOS). In the official documentation, I found only one mention (and I couldn't find any description of this behavior elsewhere) that partially relates to this. It's a description of Conditional Access Policy when we require the device to be Compliant - Require device to be marked as compliant.

On Windows 7, iOS, Android, macOS, and some third-party web browsers, Azure AD identifies the device by using a client
certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser,
the user is prompted to select the certificate. The user must select this certificate before they can continue to use
the browser.

Unlike Windows 10 and newer, which support PRT, device identification in the browser on iOS, Android and macOS happens directly using a certificate, which we must select/confirm during login. The crucial point, however, is that by default, Device Authentication does not occur at all from these devices.

If we set a Conditional Access Policy that requires a Compliant device, then during login, an event with status Interrupted is logged in the Sign-in log with the text:

This is not an error - this is an interrupt that triggers device authentication when required due to a Conditional Access 
policy or because the application or resource requested the device ID in a token. This code alone does not indicate a 
failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed 
succesfully or failed. 
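To show how the Device info described above and this Interrupted event look when triaging sign-in logs, here is an added Python example (not from the article) that classifies sign-in records: device identified (Device ID present), no device identity (the default on macOS/iOS/Android without a policy), or the device-authentication interrupt, recognised by the text quoted above. The records are a constructed sample using Microsoft Graph signIn property names with invented values.

```python
"""Triage Azure AD / Entra ID sign-in records for device authentication.
Added example, not from the article. The records are a constructed sample
shaped like Microsoft Graph `signIn` objects (real property names, invented
values); the interrupt text is the one quoted in the article."""

# Recognise the device-authentication interrupt by its description text.
INTERRUPT_MARK = "interrupt that triggers device authentication"

INTERRUPT_REASON = ("This is not an error - this is an interrupt that triggers device "
                    "authentication when required due to a Conditional Access policy or "
                    "because the application or resource requested the device ID in a token.")

# Constructed sample: Windows with PRT, macOS without device auth, the macOS
# interrupt once a policy requires a compliant device, and a registered Android.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Office 365",
     "status": {"failureReason": ""}, "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "70a8d986-5ef7-4b24-9cc6-xxxxxxxxxxxx",
                      "operatingSystem": "Windows 10", "browser": "Edge 118.0.0",
                      "isCompliant": True, "isManaged": True,
                      "trustType": "Hybrid Azure AD joined"}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Office 365",
     "status": {"failureReason": ""}, "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Safari 17.0",
                      "isCompliant": False, "isManaged": False, "trustType": ""}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Office 365",
     "status": {"failureReason": INTERRUPT_REASON}, "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Safari 17.0",
                      "isCompliant": False, "isManaged": False, "trustType": ""}},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Office 365",
     "status": {"failureReason": ""}, "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "fe98f6f1-5b50-4d10-9711-xxxxxxxxxxxx",
                      "operatingSystem": "Android", "browser": "Chrome Mobile 118.0.0",
                      "isCompliant": False, "isManaged": False,
                      "trustType": "Azure AD registered"}},
]

def classify(record):
    """Say whether the sign-in carried a device identity, and what kind."""
    dd = record.get("deviceDetail") or {}
    reason = (record.get("status") or {}).get("failureReason") or ""
    device_id = dd.get("deviceId") or ""
    if INTERRUPT_MARK in reason:
        verdict = "challenge"      # device auth was triggered; not a sign-in failure
    elif device_id:
        verdict = "identified"     # Device ID present: usable in Conditional Access
    else:
        verdict = "unidentified"   # default on macOS/iOS/Android without a policy
    return {"user": record.get("userPrincipalName"), "os": dd.get("operatingSystem"),
            "browser": dd.get("browser"), "device_id": device_id or None,
            "trust_type": dd.get("trustType") or None,
            "managed": bool(dd.get("isManaged")), "compliant": bool(dd.get("isCompliant")),
            "verdict": verdict}

def unidentified_by_os(records):
    """Count sign-ins per OS that reached the app with no device identity at all."""
    counts = {}
    for rec in records:
        c = classify(rec)
        if c["verdict"] == "unidentified":
            counts[c["os"]] = counts.get(c["os"], 0) + 1
    return counts

if __name__ == "__main__":
    for rec in SAMPLE_SIGNINS:
        print(classify(rec))
    print("no device identity:", unidentified_by_os(SAMPLE_SIGNINS))
```

A "challenge" verdict should be paired with the next sign-in from the same user to see whether the certificate prompt was passed or failed, exactly as the quoted text says.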

Conditional Access Policy for activating device authentication

Device authentication (use of certificate) is required during the authentication process only if some property that needs device identification is required for access to the application. This means that we have set up a Conditional Access Policy that requires the device to be marked as Compliant or be Hybrid Azure AD Joined (maybe some other variant, but I only discovered these two).

Of course, macOS, Android, or iOS will never be Hybrid Azure AD Joined, so access will be denied (but the device identification will be seen in the log). If, when requiring Compliant, the device is not registered in Intune, it will proceed to the wizard for its registration (until then, we will not access the application).

Later, another option occurred to me. We can enable the Conditional Access Policy in Report-only mode. So then logging into the application will work, but it will require device identification if possible (when I didn't have a certificate issued on Android, the login proceeded without verification). When we enable this mode, the policy even displays the information:

Policies in Report-only mode requiring compliant devices may prompt users on macOS, iOS, Android, and Linux to select
a device certificate. Learn more

Device Authentication with macOS

macOS is a peculiar operating system, and we may encounter various issues. If we want to test (or directly use) Device Authentication, we create a Conditional Access Policy, see above. For example, for access to www.office.com, we require a Compliant device.

We register the computer in Azure AD and restart it. We use Safari, Edge, or Chrome to access this address and log in with an Azure AD account. Immediately after, a dialog pops up stating that the address device.login.microsoftonline.com requires client certificate authentication and offers a certificate from MS-Organization-Access. This is our required device authentication.

macOS Device Authentication - certificate selection

After confirmation, another dialog pops up stating that the browser wants to log in using the key Microsoft Workplace Join Key. We must enter the password for the keychain named login. When entering the password, we can choose Allow or Always Allow, which should add the application to exceptions, and subsequently, it should not be necessary to enter the password. I couldn't find any official information about the Microsoft Workplace Join Key, only various discussions about issues.

macOS Device Authentication - Microsoft Workplace Join Key

Here, during tests, I encountered problems (often the same ones mentioned by people in discussions). It should be the password of the logged-in user (If you need to update your keychain password on Mac), but it didn't work for me (in many attempts on multiple devices).

The advice is to open the Keychain Access application, where in Default Keychains - Login, we find the private key Microsoft Workplace Join Key. We set Access Control on it, either allowing access to all applications or adding our browser to exceptions Always allow access by these applications. On one test MacBook, access worked immediately after this, on another, it still asked for the password, but the user's password worked.

The image shows the default key settings. We can add, for example, the Safari browser.

macOS Keychain Access - Microsoft Workplace Join Key - Access Control

Device Authentication with Android

If we register an Android device in Azure AD using the Microsoft Authenticator app (which is often the case), a certificate is not issued. We must do this manually in the Microsoft Authenticator or Intune Company Portal app.

Issuing a certificate for the device in Microsoft Authenticator

  • Menu - Settings - Device Registration
  • click Enable browser access
  • confirm continuation with Continue
  • select the certificate type; the name can be changed (default microsoft workaccount)
  • confirm with OK
Android - Microsoft Authenticator - Enable browser access

Issuing a certificate for the device in Company Portal

  • Menu - Settings
  • in Enable browser access, click Enable
  • select the certificate type; the name can be changed (default microsoft workaccount)
  • confirm with OK

Verifying that the certificate is issued in the system (the list of user certificates in the system; it does not display details):

  • Xiaomi MIUI
    • Settings - Passwords & security - Privacy - Encryption & credentials - User credentials
  • classic Android
    • Settings - Security - Encryption & credentials - User credentials

Logging in with device authentication: on a registered Android device, we can use Chrome or Edge to access a company application (for which we have set a Conditional Access Policy). We log in with an Azure AD account and then must select/confirm the certificate for authentication at device.login.microsoftonline.com.

Android Device Authentication - certificate selection

Requiring Compliant and Device Not Registered in Intune

If we connect to a company application from any supported operating system, log in with an Azure AD account, and device authentication occurs (we may not see it, but we may, for example, select a certificate), a dialog may then appear:

Set up your device to get access

COMPANY requires you to secure this device before you can access COMPANY email, files, and data.
If you go to other apps or sites, they may recognize that you are signed in. You can enroll your device with COMPANY or sign out

If we click Continue, the Company Portal web page opens to register the device in Intune.

The reason is that for access to the application, we have created a Conditional Access Policy that requires the device to be Compliant.

Device Authentication - Conditional Access Policy requires Compliant