
KB005: Configure Azure AD Domain Policies

Article ID: KB005

Last Updated: June 21, 2025

Applies To: HySecure Gateway 7.1 and above

Category: Endpoint Security & Compliance

Overview

This guide explains how to configure Azure Active Directory domain support in Host Scan Policies. This feature extends endpoint security validation to include Azure AD domain-joined devices, enabling administrators to enforce login policies based on Azure AD domain membership for hybrid identity environments.

Prerequisites

  • HySecure Gateway 7.1 or higher
  • Security Officer or Administrator access to the HySecure Management Console
  • An Azure Active Directory environment is configured
  • Understanding of Azure AD tenant information

Benefits

  • Hybrid Identity Support: Works with both local AD and Azure AD environments.
  • Enhanced Device Control: Verify device domain membership at the security identifier level.
  • Improved Security Posture: Prevent non-domain devices from accessing resources.
  • Flexible Policy Options: Allow or block based on specific domain criteria.

Procedure

Step 1: Create Domain-Based Host Scan Policy

  1. Access Management Console

    • Log in to the HySecure Management Console as a Security Officer or Administrator.
  2. Navigate to Host Scan Policies

    • Go to Policies > Endpoint Security Policies > Host Scan Policies.

    • Click Add.

  3. Configure Basic Policy Settings

    • Enter a Policy Name.

    • Provide a Description.

    • Select Domain as the Policy Type.

Step 2: Create Domain Sub-Policy

  1. Add Domain Policy

    • Click Add Domain Policy to create a sub-policy.
  2. Configure Sub-Policy Details

    • Enter Policy Name for the sub-policy.

    • Select Sub-Policy Type:

      • Allow: Permit access for devices joined to specified domains.

      • Block: Restrict access for devices joined to specified domains.

Step 3: Add Domain Configuration

  1. Add Domain Entry

    • Click the Add button to add a domain to the sub-policy.
  2. Configure Domain Details

    • Enter Domain Name (e.g., contoso.com).

    • Enter the Security Identifier (SID) for the domain.

  3. Additional Configuration for Azure AD Domain

    • Select the Is the domain an Azure AD domain? checkbox.

    • Enter the Tenant ID for the Azure AD domain.

Step 4: Link Policy to a Device Profile

  1. Navigate to Device Profiles

    • Go to Policies > Endpoint Security Policies > Device Profiles.

    • Create a new device profile or edit an existing one.

  2. Link Host Scan Policy

    • Select the created Domain Host Scan Policy.

    • Associate it with the device profile so that Endpoint Security validation applies to the devices using that profile.

Azure AD Configuration Requirements

Required Information

Domain Name:

  • Primary domain name registered in Azure AD.
  • Can be a custom domain (contoso.com) or an onmicrosoft.com domain.

Security Identifier (SID):

  • Unique identifier for the Azure AD domain.
  • Required for enhanced security validation.

Tenant ID:

  • Azure AD tenant identifier (GUID format).

Finding Azure AD Information

Tenant ID Location:

  1. Access the Azure portal (portal.azure.com).

  2. Navigate to Azure Active Directory.

  3. Go to Properties.

  4. Copy the Tenant ID value.

Domain SID Information:

  • Contact the Azure AD administrator.
  • Use PowerShell cmdlets to retrieve SID information.
  • Refer to the Azure AD documentation for SID discovery methods.

Policy Examples

Example 1: Allow Only Corporate Azure AD Domain

Policy Type: Domain

Sub-Policy Type: Allow

Domain Name: contoso.com

Azure AD Domain: Yes

Tenant ID: 12345678-1234-1234-1234-123456789012

Example 2: Block Personal Microsoft Accounts

Policy Type: Domain

Sub-Policy Type: Block

Domain Name: Personal Microsoft Account domains

Azure AD Domain: No

Use Case: Prevent personal account access

Example 3: Hybrid Environment Policy

Multiple Domain Entries:

  • Corporate on-premises AD domain (Azure AD Domain: No)
  • Corporate Azure AD domain (Azure AD Domain: Yes)
  • Both allowed, to support a hybrid environment

Verification and Testing

Test Domain-Joined Devices

  1. Azure AD Joined Device Testing

    • Test with a device joined to the specified Azure AD domain.

    • Verify that the policy allows or blocks access as configured.

    • Check the endpoint security logs for policy enforcement.

  2. Non-Domain Device Testing

    • Test with personal or non-domain devices.

    • Confirm that the policy blocks access (if configured).

    • Verify that the appropriate error messages are displayed.

Log Review

Log Information:

  • Domain join status verification results
  • SID validation outcomes
  • Tenant ID matching results
  • Policy enforcement decisions

Important Notes

Domain Join Requirements

Azure AD Join Types:

  • Azure AD Joined: Device joined directly to Azure AD.
  • Hybrid Azure AD Joined: Device joined to both on-premises AD and Azure AD.
  • Azure AD Registered: Device registered with Azure AD but not domain-joined.

Policy Considerations:

  • Configure policies based on the organization's device join strategy.
  • Consider different join types in policy design.
  • Test with various device configurations.

Security Enhancements

SID Validation:

  • Prevents domain name spoofing.
  • Validates true domain membership.
  • Enhanced security over name-only validation.

Tenant ID Verification:

  • Ensures the device belongs to the correct Azure AD tenant.
  • Prevents cross-tenant access issues.
  • Additional validation layer for multi-tenant environments.
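The following is an added example, not HySecure's code and not taken from this article: a small Python model of how a Domain-type Host Scan Policy with Allow/Block sub-policies can be evaluated against what an endpoint reports. It encodes the article's Example 1 and Example 3 and shows why the SID and Tenant ID checks above matter: a device that merely claims the right domain name is denied, as is one with the right SID in the wrong tenant. The data model, the evaluation order (Block hits win, then Allow, default deny), the GUID check for the Tenant ID, and the SID values are assumptions made for the example; the gateway's internal logic is not documented here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Canonical GUID layout (8-4-4-4-12 hex digits) expected for an Azure AD Tenant ID.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_valid_tenant_id(value: Optional[str]) -> bool:
    """The troubleshooting check from the article: a Tenant ID must be a GUID."""
    return bool(value) and _GUID_RE.match(value) is not None


@dataclass(frozen=True)
class DomainEntry:
    """One row of a domain sub-policy (Domain Name, SID, Azure AD flag, Tenant ID)."""
    name: str
    sid: str
    is_azure_ad: bool = False
    tenant_id: Optional[str] = None

    def __post_init__(self) -> None:
        # An Azure AD entry without a well-formed Tenant ID is a configuration error.
        if self.is_azure_ad and not is_valid_tenant_id(self.tenant_id):
            raise ValueError(f"Azure AD domain {self.name!r} requires a GUID Tenant ID")


@dataclass(frozen=True)
class SubPolicy:
    name: str
    action: str                 # "Allow" or "Block", as in the console
    domains: List[DomainEntry]


@dataclass(frozen=True)
class DeviceFacts:
    """Attributes an endpoint agent would report; every value here is constructed."""
    domain_name: Optional[str]
    domain_sid: Optional[str]
    azure_ad_joined: bool = False
    tenant_id: Optional[str] = None


def entry_matches(entry: DomainEntry, dev: DeviceFacts) -> bool:
    """Full match: name AND SID, plus tenant membership for Azure AD entries.
    A name-only match is deliberately not enough (that is the spoofing case)."""
    if not dev.domain_name or dev.domain_name.lower() != entry.name.lower():
        return False
    if not dev.domain_sid or dev.domain_sid.upper() != entry.sid.upper():
        return False
    if entry.is_azure_ad:
        same_tenant = (dev.tenant_id or "").lower() == (entry.tenant_id or "").lower()
        return dev.azure_ad_joined and same_tenant
    return True


def evaluate(policy: List[SubPolicy], dev: DeviceFacts) -> str:
    """Return "allow" or "deny". Assumed order: any Block hit denies,
    otherwise an Allow hit permits, otherwise deny by default."""
    allowed = False
    for sub in policy:
        hit = any(entry_matches(e, dev) for e in sub.domains)
        if sub.action == "Block" and hit:
            return "deny"
        if sub.action == "Allow" and hit:
            allowed = True
    return "allow" if allowed else "deny"


# --- Policies from the article's examples (SIDs are constructed placeholders) ---
CONTOSO_TENANT = "12345678-1234-1234-1234-123456789012"                 # Example 1
AZURE_SID = "S-1-12-1-1111111111-2222222222-3333333333-4444444444"      # constructed
ONPREM_SID = "S-1-5-21-1000000001-2000000002-3000000003"                 # constructed

EXAMPLE_1 = [SubPolicy("Corp Azure AD only", "Allow",
                       [DomainEntry("contoso.com", AZURE_SID, True, CONTOSO_TENANT)])]

EXAMPLE_3 = [SubPolicy("Hybrid", "Allow", [
    DomainEntry("corp.contoso.local", ONPREM_SID),                     # on-premises AD
    DomainEntry("contoso.com", AZURE_SID, True, CONTOSO_TENANT),       # Azure AD
])]


def demo() -> dict:
    """Run constructed devices through the example policies."""
    good = DeviceFacts("contoso.com", AZURE_SID, True, CONTOSO_TENANT)
    spoofed_name = DeviceFacts("contoso.com", "S-1-12-1-9-9-9-9", True, CONTOSO_TENANT)
    wrong_tenant = DeviceFacts("contoso.com", AZURE_SID, True,
                               "ffffffff-ffff-ffff-ffff-ffffffffffff")
    registered_only = DeviceFacts(None, None, False, CONTOSO_TENANT)   # Azure AD Registered
    onprem = DeviceFacts("corp.contoso.local", ONPREM_SID)
    return {
        "azure_joined_ok": evaluate(EXAMPLE_1, good),
        "spoofed_name_wrong_sid": evaluate(EXAMPLE_1, spoofed_name),
        "right_sid_wrong_tenant": evaluate(EXAMPLE_1, wrong_tenant),
        "registered_not_joined": evaluate(EXAMPLE_1, registered_only),
        "onprem_under_example_1": evaluate(EXAMPLE_1, onprem),
        "onprem_under_example_3": evaluate(EXAMPLE_3, onprem),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {result}")
```

Running `demo()` shows the on-premises device denied under Example 1 but allowed under the hybrid Example 3, and every Azure AD case that fails the SID or Tenant ID comparison denied even though the domain name is correct. The `DomainEntry` constructor also rejects an Azure AD entry whose Tenant ID is not a GUID, which is the first thing the Troubleshooting section tells you to check.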

Troubleshooting

Policy Not Enforcing:

  • Confirm SID and Tenant ID are correct.
  • Verify device profile assignment to users/groups (applicable when specific device profiles are assigned to users).

Azure AD Information Errors:

  • Validate Tenant ID format (GUID).
  • Check the Azure AD domain configuration.

Device Not Recognized as Domain-Joined:

  • Confirm the device’s Azure AD join status.
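As an added example (not from the article or HySecure), here is a Python helper for that last check and for telling apart the three join types listed under "Azure AD Join Types": it parses the text that `dsregcmd /status` prints on a Windows 10/11 device and classifies the device. The field names AzureAdJoined, DomainJoined, WorkplaceJoined and TenantId are the ones dsregcmd itself prints; the sample output below is constructed and abbreviated, its Tenant ID is the placeholder GUID from Example 1, and the mapping from flags to join types is an assumption for this example.

```python
import re
from typing import Dict, Optional

# Lines of interest look like "             AzureAdJoined : YES".
_FIELD_RE = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$")

# Constructed, abbreviated sample of `dsregcmd /status` output for a hybrid-joined
# device; the Tenant ID is the placeholder GUID used in the article's Example 1.
SAMPLE_HYBRID = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 12345678-1234-1234-1234-123456789012

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
"""

# Constructed sample for a device that is only Azure AD Registered (not joined).
SAMPLE_REGISTERED = """\
             AzureAdJoined : NO
              DomainJoined : NO
           WorkplaceJoined : YES
"""


def parse_dsregcmd(text: str) -> Dict[str, str]:
    """Collect 'Name : value' fields; section banners (+--- / | ...) do not match."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def classify_join(fields: Dict[str, str]) -> str:
    """Map the state flags to the join types the article distinguishes."""
    azure = fields.get("AzureAdJoined", "NO").upper() == "YES"
    domain = fields.get("DomainJoined", "NO").upper() == "YES"
    registered = fields.get("WorkplaceJoined", "NO").upper() == "YES"
    if azure and domain:
        return "Hybrid Azure AD Joined"
    if azure:
        return "Azure AD Joined"
    if domain:
        return "On-premises AD Joined"
    if registered:
        return "Azure AD Registered"      # registered with Azure AD but not domain-joined
    return "Not joined"


def tenant_matches(fields: Dict[str, str], expected_tenant_id: str) -> bool:
    """Troubleshooting check: does the device's TenantId equal the one in the policy?"""
    reported: Optional[str] = fields.get("TenantId")
    return reported is not None and reported.lower() == expected_tenant_id.lower()


if __name__ == "__main__":
    for label, sample in (("hybrid", SAMPLE_HYBRID), ("registered", SAMPLE_REGISTERED)):
        f = parse_dsregcmd(sample)
        print(label, "->", classify_join(f),
              "| tenant ok:", tenant_matches(f, "12345678-1234-1234-1234-123456789012"))
```

On a real device, feed the output of `dsregcmd /status` (for instance captured with `subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True).stdout`) into `parse_dsregcmd`. A device that comes back as "Azure AD Registered" is, as the notes above say, not domain-joined, so a domain policy will not recognise it; a wrong or missing TenantId points at the Tenant ID entered in the sub-policy.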