Question
I want to use HENNGE Access Control and Microsoft Entra Join together. Are there any points to note regarding operation?
Answer
When using HENNGE Access Control and Microsoft Entra Join together, there are several points to note regarding authentication.
Please check the Action summary for details.
Notes
- The content of this article is based on the product information as of January 2025 and may change without notice thereafter.
Action summary
What is Microsoft Entra Join?
Microsoft Entra Join (formerly Azure AD Join) allows devices such as Windows 10/11 to join Microsoft Entra ID (formerly Azure Active Directory) directly.
Traditionally, Windows devices were joined to an Active Directory (AD) domain, but as the use of cloud services has increased, there are more cases of joining the cloud-based ID management system, Microsoft Entra ID.
Reference: What are Microsoft Entra joined devices?
What happens when Microsoft Entra Join is performed while federating with HENNGE Access Control in Microsoft 365?
The HENNGE Access Control authentication screen is not displayed during Windows sign-in, but authentication is still performed through HENNGE Access Control.
During Windows sign-in, the user information (UPN and password) held by HENNGE Access Control is used.
* Additional settings are required in HENNGE Access Control for actual operation. For details, refer to the question on additional configuration at the end of this article.
If I change the password for HENNGE Access Control, will the password for Windows sign-in also change?
It will change.
However, Windows has a cached logon feature: once a user has successfully signed in to Windows, it has been confirmed that the old password still allows Windows sign-in even after the password has been changed in HENNGE Access Control.
(It has also been confirmed that once the user signs in with the new password, the old password can no longer be used for sign-in.)
Reference: FAQ on Microsoft Entra device management
If I perform Microsoft Entra Join, will I be able to log in directly to Microsoft 365 Web apps and client applications like Microsoft Teams and Microsoft Office using Microsoft Edge or Google Chrome with extensions?
Yes, it will be possible.
You will be able to log in directly to Microsoft 365 Web apps and client applications like Microsoft Teams and Microsoft Office without going through HENNGE Access Control authentication in Microsoft Edge or Google Chrome with extensions.
This behavior depends on the technical specifications of Microsoft Entra Join, so please contact Microsoft for details.
What happens if I set a PIN on a Windows device?
If a PIN is set, the user information and authentication from HENNGE Access Control will not be used during Windows sign-in.
If I use HENNGE Access Control user information and authentication during Windows sign-in, will logs remain in the HENNGE Access Control access logs?
During Windows sign-in, legacy authentication (WS-Trust) is used, but logs for legacy authentication (WS-Trust) are not retained in the HENNGE Access Control Administration.
Therefore, if you want to check the sign-in logs, refer to the sign-in logs in the Microsoft Entra Admin Center.
Reference: How to plan the implementation of Microsoft Entra Join
Is it possible to configure authentication using the HENNGE Device Certificate during Windows sign-in?
During Windows sign-in, legacy authentication (WS-Trust) is used, but device certificates cannot be used with legacy authentication (WS-Trust).
Is it possible to configure authentication using device certificates for services other than Microsoft’s services?
If the service can read the HENNGE Access Control device certificate, configuration is possible.
However, please note that a device certificate is required for each Windows profile.
When you are about to perform Microsoft Entra Join, you first sign in to Windows as a local user.
During Microsoft Entra Join, HENNGE Access Control authentication is then requested, and a new profile is created after the join completes, so two device certificates are required per user, as follows.
・One device certificate for the local user
・One device certificate for the Microsoft Entra user after signing in to Windows
To avoid this, do not include the condition that requires a device certificate in the access policy template at the time of Microsoft Entra Join; add that condition after the join to Microsoft Entra is complete.
Is additional configuration required to use HENNGE Access Control and Microsoft Entra Join together?
If you are using HENNGE Access Control and Microsoft Entra Join together, the following settings are additionally required in HENNGE Access Control.
1. Create a new access policy template that includes the condition [uastr:"%Windows-AzureAD-Authentication-Provider%"].
2. Open the access policy group to which the user performing Microsoft Entra Join belongs, select [Allow when] under [Allow legacy authentication], choose the access policy template that includes the condition [uastr:"%Windows-AzureAD-Authentication-Provider%"], and save.
※ [Windows-AzureAD-Authentication-Provider/1.0] is the user agent of users who perform license authentication through Microsoft Entra Join.
Due to future updates from Microsoft, this user agent string may change without prior notice.
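As an added illustration (not HENNGE's code, and not a documented behaviour of the product), the following Python models how the [Allow when] setting above is meant to behave: only requests whose user agent matches the uastr condition pass the legacy authentication path, while other legacy clients stay blocked. It assumes that % in a uastr condition is a wildcard for any run of characters; all sample user agents other than the one named in this article are constructed.

```python
import re

# Constructed sample: the uastr condition from the article and a few user
# agents a tenant might see on the legacy authentication (WS-Trust) path.
ENTRA_JOIN_UASTR = "%Windows-AzureAD-Authentication-Provider%"
SAMPLE_USER_AGENTS = [
    "Windows-AzureAD-Authentication-Provider/1.0",  # named in the article
    "Windows-AzureAD-Authentication-Provider/2.0",  # hypothetical later version
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Example/1.0",  # constructed browser UA
    "Example-Legacy-Mail-Client/3.1",  # constructed other legacy client
]


def uastr_to_regex(pattern: str) -> re.Pattern:
    """Translate a uastr condition into an anchored regex.

    Assumption: '%' is a wildcard matching any run of characters (as in
    SQL LIKE); every other character is matched literally.
    """
    parts = pattern.split("%")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")


def legacy_auth_allowed(user_agent: str, allow_when: list[str]) -> bool:
    """Model 'Allow legacy authentication: Allow when <template>'.

    Legacy authentication is allowed only when the request's user agent
    matches at least one uastr condition in the selected template;
    everything else on the legacy path stays blocked.
    """
    return any(uastr_to_regex(p).match(user_agent) for p in allow_when)


def evaluate(user_agents: list[str], allow_when: list[str]) -> dict[str, bool]:
    """Return an allow/deny decision per user agent."""
    return {ua: legacy_auth_allowed(ua, allow_when) for ua in user_agents}


if __name__ == "__main__":
    for ua, allowed in evaluate(SAMPLE_USER_AGENTS, [ENTRA_JOIN_UASTR]).items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {ua}")
```

Because the condition is a wildcard rather than the exact string, a version bump such as /1.0 to /2.0 would still match, but a rename of the user agent by Microsoft would not, which is why the note above matters.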