I know this is probably not the best place to ask this question. But, after days of working on this, and having posted in the Microsoft Forum, I'm at my wits end.
We are utilizing a hybrid ADFS 4.0 (Server 2016) / Azure AD / Office 365 setup with device registration and SSO working.
We are attempting to enable multi-factor authentication with device based access policies. We don't want "recognized" devices seeing additional MFA prompts. We are evaluating the claims being returned by ADFS using the Microsoft Claims Xray.
We have successfully enabled MFA and configured ADFS to only prompt for MFA if a device is unrecognized. This works because devices that are recognized have additional properties in active directory (isRegisteredUser; isManaged; isKnown; trustType; etc) and we can take action on those properties. We've tested with IE, Firefox, Chrome, and Safari on an iPad. However, the "DeviceContext" claims only come through when the authentication is done from IE or Safari on the iPad.
For some reason, it appears no device authentication occurs when the request is made from Chrome or Firefox. Authentication works, we just can't see any of the devicecontext claims that allow us to make a decision based on if the device is registered or not. So, these browsers get an additional MFA prompt.
I simply cannot find any posts online matching my exact problem. There are a few threads that are similar, but turn out to be different issues, or end up at a dead end. I'm hoping someone has this similar setup and knows why Chrome and Firefox would not perform the additional device based authentication, but safari on an iPad would. All the devices have valid certificates to perform the authentication.
I don't get any errors to go on in any event logs. The browser simply doesn't make a device authentication request, and no devicecontext claims are issued. It's possible this isn't supported, but I can't find any information indicating one way or another.
Device Context claims are necessary for ADFS / Azure AD to determine if a device is recognized, managed, compliant, etc. Without them, scenarios that rely on MFA and SSO are broken, if bypassing MFA relies on "recognizing" a known device. The device context claims are generated when device authentication is performed alongside user authentication in ADFS.
I found that in Windows 7, a Workplace Joined machine is per user based and receives a device authentication certificate that is stored in the "Current User" certificate store. During authentication, device authentication is successfully performed using the certificate even in Chrome.
In Windows 10, I found that Azure AD device registration is per machine, and the machine receives a device authentication certificate that is stored in the "Local Machine" certificate store. During authentication, IE and Edge successfully use this certificate to complete device authentication. Chrome will not touch any certificates in the "Local Machine" certificate store. If using Chrome the device is not recognized, MFA fails, and the user is prompted for a secondary form of authentication.
This appears to be a known issue with alternative browsers without a suitable answer. Without device authentication occurring, a device can not be recognized for the purposes of bypassing MFA with conditional access policies.
Microsoft has provided a plug-in for Google Chrome, that allows it to perform device authentication when using MFA. However, there are a couple caveats to be aware of:
Long story short, Windows 7 device authentication seems to work fine and recognized devices will support device based conditional access policies if you use Chrome. Windows 10 devices using Chrome have limited ability to support device based conditional access policies. Mobile devices receive a user based certificate when enrolled in to MDM, therefore they also seem to support bypassing MFA when the device is managed.
I believe the main problem here is that the developers of Chrome have deliberately prevented it from accessing the "Local Computer" certificate store for authentication purposes. This can be verified with Process Monitor, and from looking at available certificates in the certificate settings in Chrome.
I am sorry to say this, but Mozilla has continued their headstrong approach that causes their browser to be very difficult to utilize in enterprise, and the developers have made Firefox not able to access any Windows certificate stores. So, unless you deliberately import a certificate in to Firefox, device based conditional access doesn't work at all on any OS.