According to the Intune alerts you may run into issues when using Windows Phone 8.1, Microsoft Intune together with ADFS for device registration and authentication on your own Active Directory domain instead of directly in Azure Active Directory. Let’s have a look.
If you use ADFS for on-premises device registration, you may have enabled a setting called DeviceAuthenticationEnabled in the ADFS global authentication policy. With this setting enabled, users with a Windows Phone cannot authenticate when accessing the Company Portal: every time they supply their UPN they are sent back to the Sign In button on the Windows Phone, and the redirect to the AD FS logon screen never happens.
There are currently two workarounds to give your users with a Windows Phone device access:
Workaround one:
Redirect them to http://portal.manage.microsoft.com instead of the Company Portal if your company needs the device to be registered via ADFS.
Workaround two:
Disable the DeviceAuthenticationEnabled option. This can be done by following the next steps:
- Start the AD FS Management console
- Go to AD FS > Authentication Policies
- Click Edit Global Primary Authentication in the Authentication Policy pane
- Disable the option Enable Device Registration
After disabling this option the users will get access to the Company Portal again.
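The same change done from PowerShell, as an added example that is not part of the original post. It assumes the ADFS PowerShell module on Windows Server 2012 R2 (ADFS 3.0), whose Get-AdfsGlobalAuthenticationPolicy and Set-AdfsGlobalAuthenticationPolicy cmdlets expose the DeviceAuthenticationEnabled setting the post talks about; it records the value before and after so the change can be reverted later.

```powershell
# Added example, not from the original post.
# Assumes ADFS 3.0 (Windows Server 2012 R2) and an elevated PowerShell
# session on the primary ADFS server; ADFS 2.0 has neither device
# registration nor these cmdlets.
Import-Module ADFS

# 1. Record the current state before changing anything, so the
#    original setting can be restored once the phones are updated.
$before = Get-AdfsGlobalAuthenticationPolicy
"DeviceAuthenticationEnabled before: $($before.DeviceAuthenticationEnabled)"

# 2. Only flip the setting if it is actually enabled (the situation the
#    post describes); otherwise the Company Portal problem lies elsewhere.
if ($before.DeviceAuthenticationEnabled) {
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $false
}

# 3. Read the policy back and fail loudly if the change did not apply.
$after = Get-AdfsGlobalAuthenticationPolicy
if ($after.DeviceAuthenticationEnabled) {
    throw "DeviceAuthenticationEnabled is still enabled; check that you are on the primary ADFS server with admin rights."
}
"DeviceAuthenticationEnabled after: $($after.DeviceAuthenticationEnabled)"

# To undo the workaround later:
#   Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
```

This is the second workaround in script form, so it carries the same trade-off: device authentication at ADFS is switched off for everyone, not just for Windows Phone users. If your company needs devices to stay registered via ADFS, the first workaround (pointing users at http://portal.manage.microsoft.com) keeps the setting intact.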
When using an Insiders Build of Windows 10 Mobile you will be able to access the Company Portal both with and without the setting enabled.
When using Azure Active Directory Connect with device registration in Azure AD enabled and device write-back configured, registered devices will be synchronized to your on-premises Active Directory.
It’s not only the Company Portal with the problem. It’s all apps that have been changed to use ADAL (Azure AD Authentication Library).
Thanks for the addition Dennis!
Where do I get such information proactively?
Right now I am in the middle of a POC where users cannot access the Company Portal.
From the Intune management portal, otherwise blogs like this.
How to do that in ADFS 2.0? I don't see a global auth policy 🙁
Not sure, maybe someone else knows?
You do not have Device registration in ADFS 2.0, so it must be another problem.
By the way, I created a support case with MS about the problem described in this blog, and the answer is that it would not be fixed in Windows Phone 8.1, but in Windows Mobile 10 instead.
Thanks Dennis, this is an interesting and highly appreciated input (so I am safer with ADFS 2 for WP8.1 device registration, right?).
I found another problem with missing or incorrect names for EMS/O365. For example, the msoid.DOMAIN CNAME was missing completely and enterpriseenrollment.DOMAIN was pointing to manage.microsoft.com but not enterpriseenrollment.manage.microsoft.com, which is documented "still" wrong in different locations (https://technet.microsoft.com/en-us/library/jj943763.aspx https://technet.microsoft.com/en-us/library/dn764959.aspx).
Another strange fact: my users are licensed at m.manage.microsoft.com but not on p.manage.microsoft.com?
You would need to point your domain to manage.microsoft.com.