Azure AD - SAML - Intune - ismanaged attribute

Seb 111 Reputation points
2021-05-27T10:41:09.027+00:00

Hi all,

Potentially it is a beginner's question, but I hope someone can give me a hint on where I have to look.

We have Azure AD and Intune as MDM. We set up SAML with several applications. I need the ismanaged claim (http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged) as an attribute in the SAML message, so that I can build some security policies on the connected application based on it.

Do you have some information on where I have to start? Conditional Access?

Thank you in advance
Seb


Accepted answer
  1. Seb 111 Reputation points
    2021-05-31T14:33:45.517+00:00

    Hi all,

    for all who have the same question or challenge. I found it out myself.

    You have to add the following settings to your app manifest within App Registration on Azure

    "optionalClaims": {
        "idToken": [],
        "accessToken": [],
        "saml2Token": [
            {
                "name": "is_device_managed",
                "source": null,
                "essential": true,
                "additionalProperties": []
            }
        ]
    },
    

    Then the attribute "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" will be populated in the SAML assertion when the device is managed.

    Within our environment it only works with Edge/IE on desktop and Edge on iOS devices.

    Hope that helps others as well.

    Best regards
    Seb

    3 people found this answer helpful.
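The answer above covers the identity-provider side (emitting the claim). The part the connected application still has to get right is consuming it safely. Two points matter for a security policy built on this attribute: Azure AD only populates it for managed devices, so a missing attribute carries no positive evidence and must be treated as "unmanaged" (fail closed), and the value is only meaningful after the SAML library has verified the assertion's signature and audience. The following is an added example, not code from the original post or from Microsoft: it parses a SAML assertion, extracts the ismanaged attribute, and returns a boolean the application can gate its policy on. It assumes the attribute value is the string "true" for a managed device (an assumption, not stated on the page), and the sample assertions it builds are constructed for illustration, not captured from a real tenant.

```python
"""Added example: service-provider-side check for the Azure AD / Entra ID
ismanaged device claim in a SAML 2.0 assertion.

Assumptions (not from the original post): the attribute carries the string
"true" for a managed device, and the assertion's XML signature, audience and
validity window have already been verified by the SP's SAML library before
this check runs. The sample assertions are constructed for illustration.
"""
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IS_MANAGED_CLAIM = "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
NS = {"saml": SAML_ASSERTION_NS}


def saml_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return every <saml:Attribute> as {Name: [values...]}.

    Multiple AttributeStatements and multi-valued attributes are merged, so a
    caller can see duplicates instead of silently taking the first one."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def device_is_managed(assertion_xml: str) -> bool:
    """Fail closed: True only if the ismanaged attribute is present with
    exactly one value equal to "true" (case-insensitive).

    Absence, an empty value, "false", or conflicting duplicate values all mean
    "treat as unmanaged". Azure AD populates the claim only for managed
    devices, so a missing attribute must never be read as proof of anything."""
    values = saml_attributes(assertion_xml).get(IS_MANAGED_CLAIM, [])
    return len(values) == 1 and values[0].lower() == "true"


def build_sample_assertion(is_managed_value: Optional[str]) -> str:
    """Constructed sample (not a real Azure AD assertion): a minimal, unsigned
    assertion with a NameID, a name attribute and, when is_managed_value is
    not None, the ismanaged attribute with that value."""
    attribute = ""
    if is_managed_value is not None:
        attribute = (
            f'<saml:Attribute Name="{IS_MANAGED_CLAIM}">'
            f"<saml:AttributeValue>{is_managed_value}</saml:AttributeValue>"
            "</saml:Attribute>"
        )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}" ID="_example" Version="2.0">'
        "<saml:Subject><saml:NameID>seb@example.com</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{NAME_CLAIM}">'
        "<saml:AttributeValue>seb@example.com</saml:AttributeValue></saml:Attribute>"
        f"{attribute}"
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    for label, value in (("managed", "true"), ("unmanaged", "false"), ("claim absent", None)):
        print(f"{label:>12}: device_is_managed = {device_is_managed(build_sample_assertion(value))}")
```

Because the answer notes that the claim was only observed with Edge/IE on desktop and Edge on iOS, a user on another browser will simply arrive without the attribute. The policy a connected application builds on `device_is_managed()` should therefore be "deny or step up", not "assume attacker"; in either case the decision is taken after signature validation, never from the raw POSTed assertion.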

1 additional answer

  1. Seb 111 Reputation points
    2021-05-27T14:10:00.003+00:00

    Hi,

    thank you very much for your quick reply and the provided solution. I will give it a try.

    In the claims reference I found the ismanaged claim in section "SAML restricted claim set"
    https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-claims-mapping-policy-type

    Because of that I am asking myself when it will come into play?

    Best regards
    Seb
