Azure-Samples / TestDeviceRegConnectivity

MIT License

Should the script verify login.microsoftonline.com under System context? #1

Closed Rodrigo30Horas closed 2 years ago

Rodrigo30Horas commented 3 years ago

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Actually, the question here is whether the script should or should not test login.microsoftonline.com under the system context.

This question arose when considering a customer's implementation of Tenant Restrictions. Tenant Restrictions would need the customer to intercept and inject HTTP headers on login.microsoftonline.com, login.microsoft.com and login.windows.net.

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions#urls-and-ip-addresses

So, it is expected that those URLs go through the proxy in that case, but the same document only calls attention to device.login.microsoftonline.com, which should not be intercepted by any means.

So my question is: considering that Hybrid Join requires a licensed user and a synced machine object to work, and considering the specialization of URLs, should we test login.microsoftonline.com under the system context? Would any OS "join process" invoke this one to finish the join, or, instead, should only the user account (which can authenticate through the proxy) need access to the URL?

If login.microsoftonline.com is required in the system context, then the Hybrid Join and Tenant Restrictions features are quite incompatible, and I would dare say they should be ruled as not supported together.

I know I can use WinHTTP to configure the proxy on the workstations, but it would simply exhaust any proxy architecture for 99% of customers that were not planning to have all data generated in the system context flow through proxy boxes... There is no WPAD in WinHTTP to choose when the system context should call the proxy or not.

TL;DR: Is login.microsoftonline.com REALLY used in system context for HAADJ?

Any log messages given by the failure

N/A

Expected/desired behavior

Know whether login.microsoftonline.com is required in the system context. If so, it will break the ability to adopt the Tenant Restrictions feature.

OS and Version?

N/A

Versions

N/A

Mention any other details that might be useful

N/A


Thanks! We'll be in touch soon.
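The practical way to settle the question raised in this issue on a given machine is to exercise the endpoints from the system context itself and see which proxy path that traffic takes. The script below is an added example written for this discussion, not the repository's TestDeviceRegConnectivity script and not Microsoft code. It reads the WinHTTP proxy (the one SYSTEM-context traffic uses, which is what the issue says cannot be steered per-host by WPAD) with `netsh winhttp show proxy`, then checks TCP 443 and an HTTPS GET against the three Tenant Restrictions hosts from the linked doc plus device.login.microsoftonline.com. The file name and the use of Sysinternals PsExec to obtain the SYSTEM context are assumptions of this example; the cmdlets (`Test-NetConnection`, `Invoke-WebRequest`) are standard Windows PowerShell.

```powershell
# Added example (not the repository's script): probe the auth/device-registration
# endpoints from whatever security context the script runs in, and show which proxy
# that context would use. To exercise the SYSTEM context, launch it with Sysinternals
# PsExec (assumed to be on PATH):
#   PsExec.exe -s powershell.exe -ExecutionPolicy Bypass -File .\Test-SystemContextAuthEndpoints.ps1

# Hosts from the Tenant Restrictions doc linked in the issue, plus the device
# registration host that the same doc says must not be intercepted.
$Endpoints = @(
    'login.microsoftonline.com',
    'login.microsoft.com',
    'login.windows.net',
    'device.login.microsoftonline.com'
)

function Get-WinHttpProxy {
    # netsh is the supported way to read the machine-wide WinHTTP proxy that
    # services and SYSTEM-context callers use (WinINET/WPAD settings do not apply).
    $out = (netsh winhttp show proxy) -join "`n"
    if ($out -match 'Direct access \(no proxy server\)') { return $null }
    if ($out -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
        # Value may be "proxy:8080" or "http=proxy:8080;https=proxy:8080"; take the
        # first host:port and drop any scheme prefix.
        $first = ($Matches[1] -split ';')[0]
        return ($first -replace '^[a-z]+=', '')
    }
    return $null
}

function Test-AuthEndpoint {
    param([string]$HostName, [string]$Proxy)

    $result = [ordered]@{
        Host    = $HostName
        Context = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Proxy   = if ($Proxy) { $Proxy } else { '(direct)' }
        Tcp443  = $false
        Https   = $null
    }

    # Direct TCP reachability. Behind a proxy this can legitimately fail because only
    # the proxy is reachable; the HTTPS result below is the one that matters then.
    $result.Tcp443 = (Test-NetConnection -ComputerName $HostName -Port 443 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    try {
        $params = @{ Uri = "https://$HostName/"; UseBasicParsing = $true; TimeoutSec = 15 }
        # Force the WinHTTP proxy explicitly so the test reflects the SYSTEM-context path
        # rather than the .NET default (user WinINET) proxy.
        if ($Proxy) { $params.Proxy = "http://$Proxy" }
        $r = Invoke-WebRequest @params
        $result.Https = [int]$r.StatusCode
    } catch {
        # A 4xx on the bare root still proves the TLS path to the host is open;
        # only a transport/TLS failure (no Response object) means it is blocked.
        if ($_.Exception.Response) {
            $result.Https = [int]$_.Exception.Response.StatusCode
        } else {
            $result.Https = "ERROR: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

$proxy = Get-WinHttpProxy
$Endpoints | ForEach-Object { Test-AuthEndpoint -HostName $_ -Proxy $proxy } | Format-Table -AutoSize
```

Run it once as the logged-on user and once under PsExec -s and compare the Context and Proxy columns: if login.microsoftonline.com only succeeds in the user context, the SYSTEM path is being blocked by the proxy design the issue describes. Note that a TLS-intercepting proxy injecting the Tenant Restrictions headers will also show up as a successful HTTPS result here, so this tells you reachability, not whether device.login.microsoftonline.com is being left un-intercepted; check the certificate chain presented to SYSTEM separately for that.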

mzmaili commented 2 years ago

Yes, login.microsoftonline.com is required under system context.