{"id":204,"date":"2023-05-17T11:27:46","date_gmt":"2023-05-17T03:27:46","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=204"},"modified":"2023-11-01T09:21:51","modified_gmt":"2023-11-01T01:21:51","slug":"configure-ca-policy-to-restrict-user-register-device-to-azure-ad","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/","title":{"rendered":"Configure CA Policy to Restrict User Register Device to Azure AD"},"content":{"rendered":"\n

Overview<\/h2>\n\n\n\n

On some occasions, the company prefers users to avoid registering their personal devices to Azure AD. This is because when users sign into Microsoft 1st party apps or perform MFA using their authenticator app, there is a possibility that their personal devices may be automatically registered to AAD. Microsoft potentially provides options for users to register their devices, as shown in the following picture. Selecting “No, sign into this app only” is the only way to prevent users from further registering their devices to AAD.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Although, the above 1st party app sign-in behavior enables end-users to achieve Single Sign-On (SSO) during login. For enterprises, the increasing number of personal devices can pose management challenges. Additionally, if the company has implemented a device-based CA policy to restrict customer logins, these personal devices are likely to bypass the policy.<\/p>\n\n\n\n

Since Azure AD does not have native functionality to strictly block user device registration, this post will focus on a workaround that leverages the new feature, Authentication Strengths<\/strong>, on Microsoft CAP. This workaround can indirectly fulfill the discussed requirements.<\/p>\n\n\n\n

Overview of Azure Active Directory authentication strength – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n

\n\n\n\n

1. Configure the CA policy set<\/h2>\n\n\n\n

1.1 Configure the Authentication Strengths<\/h4>\n\n\n\n

Open our Azure Active Directory, click Security<\/strong> blade > Conditional Access<\/strong> > Authentication strengths<\/strong><\/p>\n\n\n\n

Click New authentication strength<\/strong> in order to customize our own combination of authentication methods.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

We will get a new tab pop up on the right-hand side, let’s click Temporary Access Pass (One-time use)<\/strong>. n the deep dive section, we will delve further into the reasons behind our choice of Temporary Access Pass<\/strong> as our authentication strength.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

1.2 Configure the CA Policy<\/h4>\n\n\n\n

After our customized Authentication Strengths configured, let’s create our CA policy.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Configure “Cloud apps or actions” and select “user actions”. Then choose “Register or join devices.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In the condition > locations section, select “Any location<\/strong>” and then exclude<\/strong> the company network segment (or the trusted named locations).<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Lastly, in the Grant<\/strong>, we will select Require authentication strength<\/strong>, and select the customized method we configured on section 1.1<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n\n\n\n

2. Deep Dive<\/h2>\n\n\n\n

2.1 Limitations of “Register or join devices”<\/h4>\n\n\n\n

As you may have noticed, our approach is to require MFA for registering or joining devices rather than blocking access altogether. For further information on this topic, please refer to the following documentation:<\/p>\n\n\n\n

Cloud apps, actions, and authentication context in Conditional Access policy – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n

“Authentication strengths” can be considered as an additional layer of MFA. This feature empowers us to select MFA operations that users are unable to independently complete, thereby providing greater control over device registration.<\/p>\n\n\n\n

2.2 Why we use TAP as our Authentication strengths<\/h4>\n\n\n\n

My previous post briefly introduced what TAP is and its purpose:<\/p>\n\n\n\n

Enable Web Sign-in with Temporary Access Pass \u2013 Ruian’s Tech Troubleshooting Toolbox (ruianding.com)<\/a> <\/p>\n\n\n\n

The reason we chose TAP here is because only tenant administrators can create TAPs for users to use. Additionally, in emergency situations where users are not physically present in the company premises but require urgent device registration, TAP can be used to fulfill this need.<\/p>\n\n\n\n

If the administrator neglects to create the TAP (Temporary Access Pass) for a user who is registering a device outside the company, the user will encounter the following message when attempting to register the device to Azure AD:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

Overview On some occasions, the company prefers users to avoid registering their personal devices to Azure AD. This is because when users sign into Microsoft 1st party apps or perform MFA using their authenticator app, there is a possibility that their personal devices may be automatically registered to AAD. Microsoft potentially provides options for users […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[33,10],"tags":[22,6],"class_list":["post-204","post","type-post","status-publish","format-standard","hentry","category-ca","category-tutorial","tag-cap","tag-drs"],"yoast_head":"\nConfigure CA Policy to Restrict User Register Device to Azure AD - \u6781\u7b80IT\uff5cSimpleIT<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Configure CA Policy to Restrict User Register Device to Azure AD - \u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"og:description\" content=\"Overview On some occasions, the company prefers users to avoid registering their personal devices to Azure AD. This is because when users sign into Microsoft 1st party apps or perform MFA using their authenticator app, there is a possibility that their personal devices may be automatically registered to AAD. Microsoft potentially provides options for users […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/\" \/>\n<meta property=\"og:site_name\" content=\"\u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-17T03:27:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-01T01:21:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png\" \/>\n<meta name=\"author\" content=\"Ruian Ding\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ruian Ding\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/\"},\"author\":{\"name\":\"Ruian Ding\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"headline\":\"Configure CA Policy to Restrict User Register Device to Azure AD\",\"datePublished\":\"2023-05-17T03:27:46+00:00\",\"dateModified\":\"2023-11-01T01:21:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/\"},\"wordCount\":556,\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png\",\"keywords\":[\"CAP\",\"DRS\"],\"articleSection\":[\"CA\",\"Tutorial\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/\",\"name\":\"Configure CA Policy to Restrict User Register Device to Azure AD - \u6781\u7b80IT\uff5cSimpleIT\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png\",\"datePublished\":\"2023-05-17T03:27:46+00:00\",\"dateModified\":\"2023-11-01T01:21:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#primaryimage\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png\",\"width\":538,\"height\":524},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ruianding.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Configure CA Policy to Restrict User Register Device to Azure AD\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\",\"url\":\"https:\/\/www.ruianding.com\/blog\/\",\"name\":\"Ruian's Tech Troubleshooting Toolbox\",\"description\":\"Debug the World.\",\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"alternateName\":\"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\",\"name\":\"Ruian Ding\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"width\":284,\"height\":284,\"caption\":\"Ruian Ding\"},\"logo\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.\",\"sameAs\":[\"https:\/\/www.ruianding.com\"],\"url\":\"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Configure CA Policy to Restrict User Register Device to Azure AD - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/","og_locale":"en_US","og_type":"article","og_title":"Configure CA Policy to Restrict User Register Device to Azure AD - \u6781\u7b80IT\uff5cSimpleIT","og_description":"Overview On some occasions, the company prefers users to avoid registering their personal devices to Azure AD. This is because when users sign into Microsoft 1st party apps or perform MFA using their authenticator app, there is a possibility that their personal devices may be automatically registered to AAD. Microsoft potentially provides options for users […]","og_url":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2023-05-17T03:27:46+00:00","article_modified_time":"2023-11-01T01:21:51+00:00","og_image":[{"url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png","type":"","width":"","height":""}],"author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"Configure CA Policy to Restrict User Register Device to Azure AD","datePublished":"2023-05-17T03:27:46+00:00","dateModified":"2023-11-01T01:21:51+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/"},"wordCount":556,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png","keywords":["CAP","DRS"],"articleSection":["CA","Tutorial"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/","url":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/","name":"Configure CA Policy to Restrict User Register Device to Azure AD - \u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#primaryimage"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png","datePublished":"2023-05-17T03:27:46+00:00","dateModified":"2023-11-01T01:21:51+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#primaryimage","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-50.png","width":538,"height":524},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/configure-ca-policy-to-restrict-user-register-device-to-azure-ad\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Configure CA Policy to Restrict User Register Device to Azure AD"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=204"}],"version-history":[{"count":5,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/204\/revisions"}],"predecessor-version":[{"id":1140,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/204\/revisions\/1140"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}