articles/active-directory/devices/hybrid-azuread-join-plan.md
8 additions & 8 deletions
@@ -111,14 +111,14 @@ These scenarios don't require you to configure a federation server for authentic
111
111
A federated environment should have an identity provider that supports the following requirements. If you have a federated environment using Active Directory Federation Services (AD FS), then the above requirements are already supported.
112
112
113
113
-**WIAORMULTIAUTHN claim:** This claim is required to do hybrid Azure AD join for Windows down-level devices.
114
-
-**WS-Trust protocol:** This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD.
115
-
When you're using AD FS, you need to enable the following WS-Trust endpoints
116
-
-/adfs/services/trust/2005/windowstransport
117
-
-/adfs/services/trust/13/windowstransport
118
-
-/adfs/services/trust/2005/usernamemixed
119
-
-/adfs/services/trust/13/usernamemixed
120
-
-/adfs/services/trust/2005/certificatemixed
121
-
-/adfs/services/trust/13/certificatemixed
114
+
-**WS-Trust protocol:** This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD.
115
+
When you're using AD FS, you need to enable the following WS-Trust endpoints:
116
+
`/adfs/services/trust/2005/windowstransport`
117
+
`/adfs/services/trust/13/windowstransport`
118
+
`/adfs/services/trust/2005/usernamemixed`
119
+
`/adfs/services/trust/13/usernamemixed`
120
+
`/adfs/services/trust/2005/certificatemixed`
121
+
`/adfs/services/trust/13/certificatemixed`
122
122
123
123
> [!WARNING]
124
124
> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**.
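Review bot: The six added endpoint lines (new lines 116-121) drop the leading `-` that the removed lines carried, so unless each line ends with a hard line break the backticked paths will render as one run-on paragraph under the WS-Trust bullet; please confirm the rendered output or keep them as a nested list. Separately, the unchanged warning at line 124 still writes the two windowstransport paths in bold and without the leading slash, which no longer matches the backticked `/adfs/services/trust/...` form introduced here. Since that warning carries the intranet-only requirement for exactly two of the six endpoints listed, it would be worth aligning its formatting in the same change, and fixing "Both ... or" to "Both ... and" and the "WIndows" casing while there.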