Nov 08 2019 - last edited on May 24 2021
Hi, I am implementing Windows Hello for Business in my environment using hybrid Azure AD join with certificate trust.
In this flow diagram https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-i..., it mentions that the device object is written by Azure DRS. Does that mean that I do not need to configure synchronisation rules in Azure AD Connect to synchronise computer objects from on-prem AD to Azure AD?
Nov 08 2019 11:44 PM
It depends on your scenario. If you're in a "Federated" scenario, you need to use Azure DRS to get the benefit of conditional access policies and integration across Office, Intune and other Microsoft cloud services.
Azure DRS is used to register the devices and publish the necessary device certificates to clients. Once that occurs, you have the capabilities of Azure AD Conditional Access policies.
If you're working with the "Managed Domains" scenario, you don't need Azure DRS because you need to use the SCP process within Azure AD Connect.
Nov 09 2019 12:35 AM
Nov 09 2019 07:43 AM
The sync rules are part of the filtering options and are created by default, and it's recommended not to change these rules.
For your question, it's based on Azure DRS and ADFS. To make a long story short: the registration with Azure AD is the same as with ADFS, but the client reports to on-premises instead of to the DRS in Azure AD. When a device receives an answer from the DRS in ADFS, the device gets a user certificate and the computer object of that specific device is updated with the ID of this user certificate. After that, the computer object is synced with Azure AD.
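The following is an added example, not code from the thread or from Microsoft, that checks each stage of the flow described in the answer above: the registration state on the client (`dsregcmd /status`), the certificate written to the on-prem computer object, and the default Azure AD Connect sync rules that carry computer objects to Azure AD. It assumes the `ActiveDirectory` RSAT module on a domain member, the `ADSync` module on the Azure AD Connect server, and that the device certificate lands in the computer object's `userCertificate` attribute; the rule-name filter `'Computer|Device'` is a heuristic, not an exact rule name.

```powershell
# Added example (not from the thread): verification checks for the hybrid join flow.
# Assumptions: run Get-DeviceRegistrationState on the hybrid-joined client,
# Test-ComputerObjectCertificate on a domain member with the ActiveDirectory module,
# and Get-ComputerSyncRules on the Azure AD Connect server (ADSync module).

function Get-DeviceRegistrationState {
    # dsregcmd /status prints "Name : Value" lines; keep only the fields that matter for hybrid join.
    $raw = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName|WorkplaceJoined)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    # A hybrid-joined device shows AzureAdJoined : YES and DomainJoined : YES with a DeviceId.
    return $state
}

function Test-ComputerObjectCertificate {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # After registration the on-prem computer object should carry the device certificate
    # in userCertificate (assumed attribute); Azure AD Connect then syncs the object upward.
    $obj = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    $count = [int]($obj.userCertificate.Count)
    return [pscustomobject]@{
        Computer         = $ComputerName
        CertificateCount = $count
        Registered       = ($count -gt 0)
    }
}

function Get-ComputerSyncRules {
    # The default rules that handle computer/device objects exist out of the box and should
    # not be edited; listing them lets you confirm none has been disabled or re-prioritised.
    Import-Module ADSync
    Get-ADSyncRule |
        Where-Object { $_.Name -match 'Computer|Device' } |
        Select-Object Name, Direction, Precedence, Disabled
}

# Usage (run each function on the machine it applies to):
# Get-DeviceRegistrationState
# Test-ComputerObjectCertificate
# Get-ComputerSyncRules
```

If `Test-ComputerObjectCertificate` reports no certificate, the device has not completed registration with the on-prem DRS and there is nothing for Azure AD Connect to sync yet; if the certificate is present but the device never appears in Azure AD, check the output of `Get-ComputerSyncRules` for a disabled rule or for the computer OU being excluded by the connector's OU filtering.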