
KB005: Configure Azure AD Domain Policies

Last Updated: June 21, 2025

Applies To: HySecure Gateway 7.1 and above

Category: Endpoint Security & Compliance

Overview

This guide explains how to configure Azure Active Directory domain support in Host Scan Policies. This feature extends endpoint security validation to include Azure AD domain-joined devices, enabling administrators to enforce login policies based on Azure AD domain membership for hybrid identity environments.

Prerequisites

  • HySecure Gateway 7.1 or higher.
  • Security Officer or Administrator access to the HySecure Management Console.
  • The Azure Active Directory environment is configured.
  • Understanding of Azure AD tenant information.

Procedure

Step 1: Create Domain-Based Host Scan Policy

  1. Access Management Console

    • Log in to the HySecure Management Console as a Security Officer or Administrator.
  2. Navigate to Host Scan Policies

    • Go to Policies > Endpoint Security Policies > Host Scan Policies.

    • Click Add.

  3. Configure Basic Policy Settings

    • Enter the appropriate Policy Name.

    • Provide Description.

    • Select Policy Type as Domain.

Step 2: Create Domain Sub-Policy

  1. Add Domain Policy

    • Click Add Domain Policy to create a sub-policy.
  2. Configure Sub-Policy Details

    • Enter Policy Name for the sub-policy.

    • Select Sub-Policy Type:

      • Allow: Permit access for devices joined to specified domains.

      • Block: Restrict access for devices joined to specified domains.

Step 3: Add Domain Configuration

  1. Add Domain Entry

    • Click the Add button to add a domain to the sub-policy.
  2. Configure Domain Details

    • Enter Domain Name (e.g., contoso.com).

    • Enter the Security Identifier (SID) for the domain.

  3. Additional Configuration for Azure AD Domain

    • Select the checkbox Is the domain an Azure AD domain?

    • Enter the Tenant ID for the Azure AD domain.

Step 4: Link Policy to Device Profile

  1. Navigate to Device Profiles

    • Go to Policies > Endpoint Security Policies > Device Profiles.

    • Create a new device profile or edit an existing one.

  2. Link Host Scan Policy

    • Select the created Domain Host Scan Policy.

    • Associate with the device profile for Endpoint Security validation.

Azure AD Configuration Requirements

Required Information

Domain Name:

  • Primary domain name registered in Azure AD.
  • Can be a custom domain (contoso.com) or an onmicrosoft.com domain.

Security Identifier (SID):

  • Unique identifier for the Azure AD domain.
  • Required for enhanced security validation.

Tenant ID:

  • Azure AD tenant identifier (GUID format).

Finding Azure AD Information

Tenant ID Location:

  1. Access the Azure portal (portal.azure.com).

  2. Navigate to Azure Active Directory.

  3. Go to Properties.

  4. Copy the Tenant ID value.

Domain SID Information:

  • Contact the Azure AD administrator.
  • Use PowerShell cmdlets to retrieve SID information.
  • Refer to the Azure AD documentation for SID discovery methods.

Verification and Testing

Test Domain-Joined Devices

  1. Azure AD Joined Device Testing

    • Test with a device joined to the specified Azure AD domain.

    • Verify that the policy allows or blocks access as configured.

    • Check the endpoint security logs for the policy enforcement result.

  2. Non-Domain Device Testing

    • Test with personal or non-domain devices.

    • Confirm that the policy blocks access (if configured).

    • Verify that the appropriate error messages are displayed.

Log Review

Log Information:

  • Domain join status verification results
  • SID validation outcomes
  • Tenant ID matching results
  • Policy enforcement decisions

Domain Join Requirements

Azure AD Join Types:

  • Azure AD Joined: The device is joined directly to Azure AD.
  • Hybrid Azure AD Joined: The device is joined to both on-premises AD and Azure AD.
  • Azure AD Registered: The device is registered with Azure AD but not domain-joined.

Policy Considerations:

  • Configure policies based on the organization's device join strategy.
  • Consider different join types in policy design.
  • Test with various device configurations.
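The following is an added example, not part of this KB article or the HySecure product: it classifies a Windows device into the three join types above and checks its Tenant ID against the value you entered in the sub-policy, which is the same check to run when troubleshooting a device that is not recognized as domain-joined or a Tenant ID that is not a valid GUID. It assumes the text comes from `dsregcmd /status` on the endpoint (a tool the article does not mention); the excerpt and the tenant GUID are constructed sample values.

```python
import re

# Constructed excerpt of `dsregcmd /status` output (sample values, not a real device).
SAMPLE_STATUS = """
| Device State                     |
             AzureAdJoined : YES
              DomainJoined : YES
                DomainName : CONTOSO
| Tenant Details                   |
                  TenantId : 0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b
| User State                       |
           WorkplaceJoined : NO
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def parse_dsregcmd(text):
    """Collect the 'Key : Value' lines; section banners and rules do not match."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def join_type(fields):
    """Map the dsregcmd flags to the three join types a domain policy must consider."""
    azure_ad = fields.get("AzureAdJoined") == "YES"
    on_prem = fields.get("DomainJoined") == "YES"
    if azure_ad and on_prem:
        return "Hybrid Azure AD Joined"
    if azure_ad:
        return "Azure AD Joined"
    if fields.get("WorkplaceJoined") == "YES":
        return "Azure AD Registered"  # registered only, not domain-joined
    return "Not joined"


def check_device(text, expected_tenant_id):
    """Return (join type, tenant match); a malformed expected GUID never matches."""
    fields = parse_dsregcmd(text)
    if not GUID_RE.match(expected_tenant_id):
        return join_type(fields), False
    matched = fields.get("TenantId", "").lower() == expected_tenant_id.lower()
    return join_type(fields), matched
```

A device that is only Azure AD Registered reports no Tenant Details block, so it never matches the tenant even though it carries a work account.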

Security Enhancements

SID Validation:

  • Prevents domain name spoofing.
  • Validates true domain membership.
  • Enhanced security over name-only validation.

Tenant ID Verification:

  • Ensures the device belongs to the correct Azure AD tenant.
  • Prevents cross-tenant access issues.
  • Additional validation layer for multi-tenant environments.

Troubleshooting

Policy Not Enforcing:

  • Confirm SID and Tenant ID are correct.
  • Verify device profile assignment to users/groups (applicable when specific device profiles are assigned to users).

Azure AD Information Errors:

  • Validate Tenant ID format (GUID).
  • Check the Azure AD domain configuration.

Device Not Recognized as Domain-Joined:

  • Confirm the device’s Azure AD join status.