Intune, ADFS and Windows Phone 8.1 may cause issues

adfs02According to the Intune alerts you may run into issues when using Windows Phone 8.1, Microsoft Intune together with ADFS for device registration and authentication on your own Active Directory domain instead of directly in Azure Active Directory. Let’s have a look.

If you use  ADFS for on-premises device registration you may have configured a setting called DeviceAuthenticationEnabled to be enabled in the ADFS global authentication policy. Because of this setting users with a Windows Phone cannot authenticate while accessing the Company Portal. Users will be redirected to the Sign In button on the Windows Phone every time you supply your UPN. The redirection to the AD FS logon screen will not happen.

There are currently two workarounds to give access to your users with a Windows Phone device;

Workaround one:

Redirect them to http://portal.manage.microsoft.com instead of the company portal is your company needs the device to be registered via ADFS.

Workaround two:

Disable the DeviceAuthenticationEnabled option. THis can be done by following the next steps;

  1. Start the AD FS Management console
  2. Go to AD FS > Authentication Policies
  3. Click Edit Global Primary Authentiaction in the Authentication Policy pane
  4. Disable the option Enable Device Reigstration
Disable the option
Disable the option Enable device registration

After disabling this option the users will get access to the Company Portal again.

When using a Insiders Build of Windows 10 Mobile you will be able to access the company portal with and without the setting enabled.

When using Azure Active Directory Connect with device registration in Azure AD enabled and device write back configured registered devices will be synchronized to your Active Directory on premisse.

Comments

Total
0
Shares
10 comments
  1. It’s not only the Company Portal with the problem. It’s all APPs that have been changed to use ADAL. (Azure AD Authentication Library).

    1. where do i get such informations proactively?
      right now i am in the middle of a POC with users cannot access the company portal.

  2. You do not have Device registration in ADFS 2.0, so it must be another problem.
    By the way, I created a support case with MS about this problem described in this blog, and the answer is that it would not be fix in Windows Phone 8.1, but in Windows Mobile 10 instead.

    1. thanks dennis this is an interesting and highly appreciated input (so i am saver with ADFS 2 for WP8.1 device registration right?)
      i found another problem with missing or incorrect names for ems/o365. for example the msoid.DOMAIN cname was missing completely and enterpriseenrollemt.DOMAIN was ponting to manage.microsoft.com but not enterpriseenrollment.manage.microsoft.com, which is documented “still” wrong in different locations (https://technet.microsoft.com/en-us/library/jj943763.aspx https://technet.microsoft.com/en-us/library/dn764959.aspx)
      another strange fact, my users are licensed at m.manage.microsoft.com but not on p.manage.microsoft.com?

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

New Microsoft Intune features coming next week

Next Post

Enhanced OSD support in Parallels Mac Management 4.0 for ConfigMgr 2012

Related Posts
Total
0
Share