Granularly permitting or denying the right to WorkPlace Join devices based on group membership

Previously, we’ve looked at the WorkPlace Join functionality in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 (and up) and the accompanying Registered Device objects in Active Directory Domain Services (AD DS).

When WorkPlace Join is enabled for a networking environment, by default anyone has the right to WorkPlace Join devices.

In Active Directory Domain Services, a special container is created for Registered Devices: the msDS-DeviceContainer. This is the default location where WorkPlace-Joined devices have their registered device object (msDS-Device) stored.

On this container, Authenticated Users have read rights, just like they do in the greater part of the Active Directory. However, the Device Registration Service (DRS) service account in Active Directory Federation Services (AD FS) has extensive rights on the container and is the account that actually creates the Registered Device object in Active Directory Domain Services.

Note:
By default, the service account for Device Registration Service (DRS) is the same as the service account for Active Directory Federation Services (AD FS).

Since Device Registration is a Relying Party Trust in Active Directory Federation Services (AD FS), the most logical way to grant or revoke access granularly is to modify its Issuance Authorization Rules.

Perform these steps to gain access to the authorization rules for the Device Registration Service (DRS) in Active Directory Federation Services:

  • Log on with an account that has Domain Administrator rights on a device that is capable of running the Windows Server 2012 R2 version of the AD FS Management Snap-in (Microsoft.IdentityServer.msc).
  • In the left pane, open Relying Party Trusts.
  • In the main pane, select Device Registration Service and then, in the right task pane, click the Edit Claim Rules… shortcut. This will open the Edit Claim Rule for Device Registration Service window:

The Issuance Transform Rules tab of the Edit Claim Rule for Device Registration Service window

  • Click on the second tab, labeled Issuance Authorization Rules.

The Issuance Authorization Rules tab of the Edit Claim Rule for Device Registration Service window

  • Here you’ll find the Permit Access to All Users rule.


Changing access to WorkPlace Join

Depending on your scenario, you might want to specifically permit or specifically deny users who are members of specific group(s):


Permitting WorkPlace Join only for a specific group

If you want to permit the use of the Device Registration Service (DRS), and thus the ability to WorkPlace Join devices, only to colleagues who are members of a specific group or a couple of specific groups, create a new Issuance Authorization Rule:

  • Click the Add Rule… button.
  • The Add Issuance Authorization Claim Rule Wizard appears. Its first screen is the Select Rule Template screen.

Select Rule Template screen of the Add Issuance Authorization Claim Rule Wizard

  • As the Claim rule template: select the default Permit or Deny Users Based on an Incoming Claim. Press Next >.
  • In the Configure Rule screen, type a suitable name in the field below Claim rule name:. Then, as the Incoming claim type:, select Group SID from the drop-down list.

Configure Rule screen of the Add Issuance Authorization Claim Rule Wizard

  • Click Browse… to browse for a group or a set of groups that you want to explicitly permit.

Browse to select User, Computer or Group

  • Press OK when done.
  • Press Finish in the Add Issuance Authorization Claim Rule Wizard window to create the Issuance Authorization claim rule.
  • In the Edit Claim Rules for Device Registration Service window, select the Permit Access to All Users rule. Click the Remove Rule… button.
  • Click Yes to answer Are you sure you want to delete this claim rule?.

The Issuance Authorization Rules tab of the Edit Claim Rule for Device Registration Service window

Note:
If you have no Issuance Authorization rules to Permit claims, no one will be able to use Device Registration Service (DRS) and thus no one will be able to WorkPlace Join devices.

  • Click OK to close the Edit Claim Rules for Device Registration Service window.


Denying WorkPlace Join for a specific group

The other method is to deny a specific group of colleagues the use of the Device Registration Service (DRS) and thus the ability to WorkPlace Join devices. While this sounds harsh, there might actually be good reasons to deny this right to specific groups, like the Protected Users group.

Note:
Membership of the Protected Users group protects against a lot of older, insecure authentication protocols, but it does not deny WorkPlace Join by default.

Let’s create a new Issuance Authorization Rule that denies this group that right:

  • Click the Add Rule… button.
  • The Add Issuance Authorization Claim Rule Wizard appears. Its first screen is the Select Rule Template screen.
  • As the Claim rule template: select the default Permit or Deny Users Based on an Incoming Claim. Press Next >.
  • In the Configure Rule screen, type a suitable name in the field below Claim rule name:. Then, as the Incoming claim type:, select Group SID from the drop-down list.
  • Click Browse… to browse for a group or a set of groups that you want to explicitly deny.
  • Press OK when done.
  • Select Deny access to users with this incoming claim.

Configure Rule screen of the Add Issuance Authorization Claim Rule Wizard

  • Press Finish in the Add Issuance Authorization Claim Rule Wizard window to create the Issuance Authorization claim rule.
  • In the Edit Claim Rules for Device Registration Service window, select the Permit Access to All Users rule. Move this rule down in the order in which the Issuance Authorization Rules will be processed, by clicking the blue down arrow to the right of the list of rules.

The Issuance Authorization Rules tab of the Edit Claim Rule for Device Registration Service window

Note:
It is a best practice to place rules that issue Deny claims above rules that issue Permit claims. Place the Permit Access to All Users rule last, when possible.

  • Click OK to close the Edit Claim Rules for Device Registration Service window.
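As an added example that is not part of the original post, both scenarios above (permit only a specific group; deny a specific group while keeping Permit Access to All Users last) expressed in AD FS claim rule language and applied with Set-AdfsRelyingPartyTrust, which the post lists under further reading. The group name "WorkPlace Join Users" and the Relying Party Trust display name are assumptions about your environment; the rule text mirrors what the wizard generates.

```powershell
# Added example: apply the DRS Issuance Authorization Rules from PowerShell
# instead of the MMC wizard. Run on an AD FS server with Domain Admin rights.
Import-Module ADFS
Import-Module ActiveDirectory

$drsName  = 'Device Registration Service'   # display name of the RP trust (assumed)
$groupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$permit   = 'http://schemas.microsoft.com/authorization/claims/permit'
$deny     = 'http://schemas.microsoft.com/authorization/claims/deny'

# Resolve group SIDs from AD DS rather than hard-coding them.
$allowSid = (Get-ADGroup 'WorkPlace Join Users').SID.Value   # hypothetical group
$denySid  = (Get-ADGroup 'Protected Users').SID.Value         # built-in group

# Same rule the wizard writes for "Permit users with this incoming claim".
$permitGroupRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit WorkPlace Join for WorkPlace Join Users"
c:[Type == "$groupSid", Value =~ "^(?i)$allowSid`$"]
 => issue(Type = "$permit", Value = "PermitUsersWithClaim");
"@

# Same rule the wizard writes for "Deny access to users with this incoming claim".
$denyGroupRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Deny WorkPlace Join for Protected Users"
c:[Type == "$groupSid", Value =~ "^(?i)$denySid`$"]
 => issue(Type = "$deny", Value = "DenyUsersWithClaim");
"@

# The default "Permit Access to All Users" rule.
$permitAllRule = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "$permit", Value = "true");
"@

# Scenario 'permit': only group members may WorkPlace Join (no permit-all rule).
# Scenario 'deny'  : everyone except the denied group; Deny is ordered before Permit.
$scenario = 'deny'
$rules = if ($scenario -eq 'permit') { $permitGroupRule }
         else { ($denyGroupRule, $permitAllRule) -join "`n" }

# Guard against the lock-out noted in the post: at least one Permit rule must remain.
if ($rules -notmatch [regex]::Escape($permit)) { throw 'No Permit rule: nobody could WorkPlace Join.' }

Set-AdfsRelyingPartyTrust -TargetName $drsName -IssuanceAuthorizationRules $rules
(Get-AdfsRelyingPartyTrust -Name $drsName).IssuanceAuthorizationRules   # verify the order
```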


Concluding

Since the Device Registration Service (DRS) is a Relying Party Trust in Active Directory Federation Services (AD FS), the most logical way to look at granularly granting or revoking access to it is to modify the Issuance Authorization Rules.

Related blogposts

WorkPlace Join vs. Domain Join
New features in Active Directory Domain Services in Windows Server 2012 R2, Part 5: WorkPlace Join and Registered Device objects

Further reading

Set-AdfsRelyingPartyTrust
When to Use an Authorization Claim Rule
The Role of Claim Rules
The Role of the Claims Pipeline
