Device registration is a prerequisite to cloud-based authentication. Commonly, devices are Azure AD joined or hybrid Azure AD joined to complete device registration. This article provides details of how Azure AD join and hybrid Azure AD join work in managed and federated environments. For more information about how Azure AD authentication works on these devices, see the article Primary refresh tokens.

Azure AD joined in Managed environments

The most common way Azure AD joined devices register is during the out-of-box experience (OOBE), which loads the Azure AD join web application in the Cloud Experience Host (CXH) application. The application sends a GET request to the Azure AD OpenID configuration endpoint to discover authorization endpoints. Azure AD returns the OpenID configuration, which includes the authorization endpoints, to the application as a JSON document.

The application builds a sign-in request for the authorization endpoint and collects user credentials.

After the user provides their user name (in UPN format), the application sends a GET request to Azure AD to discover the corresponding realm information for the user. This information determines whether the environment is managed or federated. Azure AD returns the information in a JSON object. The application determines that the environment is managed (non-federated).

The last step in this phase has the application create an authentication buffer and, if in OOBE, temporarily cache it for automatic sign-in at the end of OOBE. The application POSTs the credentials to Azure AD, where they're validated. Azure AD returns an ID token with claims.

The application looks for MDM terms of use (the mdm_tou_url claim). If the claim is present, the application retrieves the terms of use from the claim's value, presents the contents to the user, and waits for the user to accept them. This step is optional and is skipped if the claim isn't present or if the claim value is empty.

The application sends a device registration discovery request to the Azure Device Registration Service (Azure DRS). Azure DRS returns a discovery data document containing the tenant-specific URIs needed to complete device registration.

The application creates a TPM-bound (preferred) RSA 2048-bit key pair known as the device key (dkpub/dkpriv). The application creates a certificate request containing dkpub and signs the certificate request with dkpriv. Next, the application derives a second key pair from the TPM's storage root key. This key is the transport key (tkpub/tkpriv). Because both key pairs are bound to the TPM, their private halves are not exportable from the device.

The application sends a device registration request to Azure DRS that includes the ID token, the certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and issues a certificate based on the included certificate request. Azure DRS then writes a device object in Azure AD and sends the device ID and the device certificate to the client. Device registration completes when the client receives the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable with dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.

Azure AD joined in Federated environments

After the user provides their user name (in UPN format), the application sends a GET request to Azure AD to discover the corresponding realm information for the user. This information determines whether the environment is managed or federated. Azure AD returns the information in a JSON object. The application determines that the environment is federated. The application redirects to the AuthURL value (the on-premises STS sign-in page) in the returned JSON realm object.
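The managed-environment flow described above ends with a device ID that dsregcmd.exe /status reports and a device certificate installed in the computer's Personal store. The following PowerShell script is an added example, not code from the article or from Microsoft: it parses the dsregcmd output, checks that the device key is reported as TPM protected, and locates the matching device certificate in Cert:\LocalMachine\My. It assumes that dsregcmd prints "Name : Value" lines using the field names AzureAdJoined, DeviceId, TenantId, TpmProtected, KeyProvider and Thumbprint, that the certificate subject is CN=<DeviceId>, and that its issuer is MS-Organization-Access. Run it from an elevated PowerShell prompt on the registered device.

```powershell
# Added example (not from the article): verify the outcome of Azure AD device
# registration on a Windows device. Assumptions: dsregcmd.exe /status prints
# "Name : Value" lines, the device certificate subject is CN=<DeviceId>, and
# the certificate issuer is MS-Organization-Access.

function Get-DsregStatus {
    # Parse "Key : Value" lines into a hashtable, keeping the first occurrence of each key.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') {
            $key = $Matches[1]
            if (-not $status.ContainsKey($key)) { $status[$key] = $Matches[2].Trim() }
        }
    }
    return $status
}

function Test-DeviceRegistration {
    $s = Get-DsregStatus
    $problems = @()

    if ($s['AzureAdJoined'] -ne 'YES') { $problems += 'Device is not Azure AD joined.' }
    if (-not $s['DeviceId'])          { $problems += 'No DeviceId reported by dsregcmd.' }

    # The device key should be held by the TPM (Microsoft Platform Crypto Provider),
    # so that dkpriv cannot be exported from the device.
    if ($s['TpmProtected'] -ne 'YES') {
        $problems += "Device key is not TPM protected (KeyProvider: $($s['KeyProvider']))."
    }

    # Azure DRS issues the device certificate with CN=<DeviceId>; it lives in the
    # machine Personal store (Cert:\LocalMachine\My).
    $cert = $null
    if ($s['DeviceId']) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$($s['DeviceId'])" } |
            Select-Object -First 1
    }
    if (-not $cert) {
        $problems += 'Device certificate for DeviceId not found in Cert:\LocalMachine\My.'
    } else {
        if ($cert.Issuer -notlike 'CN=MS-Organization-Access*') {
            $problems += "Unexpected device certificate issuer: $($cert.Issuer)"
        }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += 'Device certificate has expired.' }
        if ($cert.Thumbprint -ne $s['Thumbprint']) {
            $problems += 'Certificate thumbprint does not match the Thumbprint reported by dsregcmd.'
        }
    }

    [pscustomobject]@{
        DeviceId     = $s['DeviceId']
        TenantId     = $s['TenantId']
        TpmProtected = $s['TpmProtected']
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
        Healthy      = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

Test-DeviceRegistration | Format-List
```

A Healthy value of False with TpmProtected reported as NO usually means the key pair fell back to a software provider, which is worth investigating before relying on the device identity for conditional access; a missing or mismatched certificate means the registration did not complete or the store was tampered with, and dsregcmd.exe /leave followed by a fresh join is the usual remedy.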