Forum Discussion

denristo
Feb 14, 2020

F5 APM check if client azure ad joined

hi,


For our non-company devices we would like to check if they're Azure AD joined before they're allowed to set up an SSL VPN connection.

As far as I know there is a registry key inside a key with a random number under HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo, so it's not easy to check unless I'm missing something.

Anyone have any ideas how to verify if a device is Azure AD joined?

4 Replies

  • Hi kin,

    yes, but can't they just copy the machine cert to another device?

    Hi Mayur,

    but how can we do the registry key check if we don't know the subfolder? For example, in my case:

    HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo/5952C00980E77529710149770533FF14BD2A6824/UserEmail

    As far as I know, folder 5952C00980E77529710149770533FF14BD2A6824 is variable and changes for each user.

  • The APM machine cert auth can check for the presence of a valid cert and also the private key.

    https://support.f5.com/csp/article/K12354

    You can probably use a combination of restricting (domain policy again) users from opening certmgr.msc to export the cert and using a non-exportable private key to address this. On exporting, the solution would rely mostly on Windows security.
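One way to handle the variable subfolder on the client side, as an added example that is not from this thread or from F5: enumerate the JoinInfo subkeys in PowerShell instead of hard-coding one, then confirm the machine store holds a certificate for that subkey with a private key, which ties the registry check to the machine-cert check the last reply mentions. It assumes the subkey name equals the thumbprint of the Azure AD device certificate in LocalMachine\My and that a 0/1 exit code is how the result would be consumed; those two points are assumptions, not something this thread states.

```powershell
# Added example: detect Azure AD join without knowing the variable JoinInfo subkey name.
# Assumption: the subkey name is the thumbprint of the device cert in Cert:\LocalMachine\My.
function Test-AzureAdJoined {
    [CmdletBinding()]
    param(
        [string]$JoinInfoPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    )

    # The subkey under JoinInfo is per-device/per-user and not fixed, so enumerate it.
    if (-not (Test-Path -Path $JoinInfoPath)) {
        return [pscustomobject]@{ Joined = $false; Reason = 'JoinInfo key absent' }
    }

    foreach ($subKey in Get-ChildItem -Path $JoinInfoPath) {
        $thumbprint = $subKey.PSChildName
        $userEmail  = (Get-ItemProperty -Path $subKey.PSPath -ErrorAction SilentlyContinue).UserEmail

        # Assumption: subkey name == device certificate thumbprint. Require the private key too,
        # so a registry key copied from another machine does not pass on its own.
        $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
                Where-Object { $_.Thumbprint -eq $thumbprint }

        if ($cert -and $cert.HasPrivateKey) {
            return [pscustomobject]@{
                Joined     = $true
                Thumbprint = $thumbprint
                UserEmail  = $userEmail
                NotAfter   = $cert.NotAfter
                Reason     = 'JoinInfo subkey present and matching device cert has a private key'
            }
        }
    }

    return [pscustomobject]@{ Joined = $false; Reason = 'No JoinInfo subkey with a matching device certificate' }
}

$result = Test-AzureAdJoined
$result | Format-List

# Exit code convention (assumed): 0 = joined, 1 = not joined, for a caller that checks the result.
if ($result.Joined) { exit 0 } else { exit 1 }
```

Run it as the local machine (the HKLM key and LocalMachine store are not readable by every user), and treat it as a signal alongside APM's own machine-cert auth rather than a replacement for it.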