Azure Cloud Shell: Add support for Device Conditional Access

[lly-unik]

Environment

Windows build number: 10.0.19042.572
Windows Terminal version (if applicable): 1.3.2651.0

Steps to reproduce

Open Azure Cloud shell and attempt to connect with our Azure tenant

Pre-requisite

Our company uses Azure Conditional Access policies and require computers to be domain-joined devices in order to connect with our tenant without multi-factor.

Expected behavior

I would expect the cloud shell to connect once I completed the steps listed in the prompt (i.e. enter pin from device login web site)
https://devblogs.microsoft.com/commandline/the-azure-cloud-shell-connector-in-windows-terminal/

Actual behavior

I receive the following error:
AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 24bab79e-1e96-4524-abd1-833c53a30d00
Correlation ID: ddbce269-f8ca-41e5-9d92-d9bb4d63320f
Timestamp: 2020-10-30 07:27:02Z

Additional notes

I've been made aware, that we've seen a similar error when using the Azure Storage Explorer.
https://feedback.azure.com/forums/217298-storage/suggestions/36283420-conditional-access-support-for-storage-explorer

[Don-Vito]

Not an expert, but were you performing the Device Code Flow (entering device code into prompt)? Asking this because there is a known limitation in the Conditional Access, where it is not aware of the device state, as described here.

[lly-unik]

Yes, I believe this was what I was trying to do. I just opened the Azure Cloud Shell tab and wanted to authenticate using the flow suggested in the terminal.

What your suggesting is, that we should adjust our conditional access policies according to the above description? So I should be prompted for a multi-factor control when trying to connect through the Azure Cloud Shell?

I'll try and see if I'm able to test this and report back the results.

[Don-Vito]

If it is OK with the security policies of your company, instead of requiring device state related conditions for the relevant apps, you can require user related conditions like MFA. An example can be found https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks.
Of course you can provide additional scoping of this policy to specific apps, users, etc.

[DHowett]

Thanks. This is, as you astutely note, due to us using device login. We will almost certainly have to rearchitect how login works, but we're not equipped to do so.

I'm going to put this up on the backlog. Let me know if your conditional access policy change helps 😄

[Don-Vito]

@DHowett - it's more a feature than a bug. IMHO the device login flow is a good choice for terminal, as it is simple and interactive, though it has some limitations with specific Conditional Access requirements. I guess we simply need to add some addition way to authenticate for users that device login doesn't fit their needs (service principal?)