It could be something simple like allowing the Graph API URL to be changed in the admin GUI. Then you will choose between device check and user check.

On Tue, Oct 31, 2023 at 14:17, Corey Keeling (Shared Services - Staff) <[email protected]> wrote:

> From looking at that file you linked me to, the %username in my case is the
> AzureAD deviceID of the machine, as that's what I have set the certificate
> subject to. CN={{DeviceID}}.
>
> That graph search is looking under users, so it won't return any groups
> for my device. It would just error out.
>
> I imagine I could change that graph query in that file to one that
> searches groups instead but would need to test.
>
> Is there any planned support for device lookup?
>
> *Corey Keeling* | *Senior IT Technician*
>
> ------------------------------
> *From:* Fabrice Durand <[email protected]>
> *Sent:* Tuesday, October 31, 2023 6:06:11 PM
> *To:* [email protected] <[email protected]>
> *Cc:* Corey Keeling (Shared Services - Staff) <[email protected]>
> *Subject:* Re: [PacketFence-users] Query AzureAD Device Groups
>
> If I am not wrong, the Azure AD tests the user and not the machine
>
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Authentication/Source/AzureADSource.pm#L28
>
> Regards
> Fabrice
>
> On Tue, Oct 31, 2023 at 13:23, Corey Keeling (Shared Services - Staff) via
> PacketFence-users <[email protected]> wrote:
>
> Dear community,
>
> I have been setting up and testing out PacketFence for a number of weeks
> now and have it set up so that users can authenticate to our BYOD network
> using EAP-TLS. I also have it sort of set up to allow school AzureAD devices
> to connect to our curriculum network using machine certificates. The second
> part only works if I don't set any conditions under my AzureAD
> authentication sources.
>
> I have tried to set a condition for membership of an AzureAD group using
> the memberof option either with the Object ID of the group or its display
> name, but it doesn't seem to work. No role gets assigned so it fails to
> connect. There doesn't even seem to be any audit log of PacketFence trying
> to query a group on the app registration end.
>
> I know I can query the graph API via graph explorer and can find the
> groups my machine belongs to, but can PacketFence do something similar and
> if so, how?
>
> The query that I used:
>
> https://graph.microsoft.com/v1.0//devices(deviceId='{deviceid}')/memberOf
> <https://graph.microsoft.com/v1.0//devices(deviceId='%7B8df07f7e-d98e-4579-aa97-bfcfaaa7fe38%7D')/memberOf>
>
> Regards
>
> *Corey Keeling* | *Senior IT Technician*
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
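
The device-group check discussed in this thread, sketched as an added example that is not part of the original messages and is not PacketFence code: it treats the certificate CN as the AzureAD deviceId, builds the `devices(deviceId='…')/memberOf` query, follows paging, and fails closed on anything unexpected. The function names, the injected `fetch` callable (standing in for an authenticated Graph GET) and the sample responses are assumptions constructed for illustration.

```python
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

def device_memberof_url(cert_cn):
    """Build the memberOf URL for a device whose certificate CN is its deviceId."""
    # Parse strictly as a GUID and re-serialise, so a crafted CN cannot alter the query.
    device_id = str(uuid.UUID(cert_cn.strip()))
    return f"{GRAPH}/devices(deviceId='{device_id}')/memberOf"

def device_in_group(cert_cn, wanted, fetch):
    """True only if the device is in group `wanted` (object ID, or display name)."""
    try:
        url = device_memberof_url(cert_cn)
    except ValueError:
        return False  # CN is not a deviceId (e.g. a user certificate): fail closed
    seen = set()
    while url and url not in seen:  # follow @odata.nextLink, guard against loops
        seen.add(url)
        page = fetch(url)
        if not isinstance(page, dict) or "value" not in page:
            return False  # Graph error body or unexpected shape: fail closed
        for obj in page["value"]:
            if obj.get("@odata.type") != "#microsoft.graph.group":
                continue  # memberOf also returns non-group objects (administrative units)
            # Display names are not unique in AzureAD; prefer the object ID in policy.
            if wanted in (obj.get("id"), obj.get("displayName")):
                return True
        url = page.get("@odata.nextLink")
    return False

# Constructed sample data: a two-page memberOf response for one device.
DEVICE = "11111111-2222-3333-4444-555555555555"
GROUP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
FIRST = f"{GRAPH}/devices(deviceId='{DEVICE}')/memberOf"
PAGES = {
    FIRST: {"value": [{"@odata.type": "#microsoft.graph.administrativeUnit",
                       "id": "00000000-0000-0000-0000-000000000001",
                       "displayName": "Curriculum"}],
            "@odata.nextLink": FIRST + "?$skiptoken=constructed"},
    FIRST + "?$skiptoken=constructed": {
        "value": [{"@odata.type": "#microsoft.graph.group",
                   "id": GROUP_ID, "displayName": "Curriculum-Devices"}]},
}

def fake_fetch(url):
    # Stand-in for an authenticated HTTP GET; unknown devices get an error body.
    return PAGES.get(url, {"error": {"code": "Request_ResourceNotFound"}})

if __name__ == "__main__":
    print(device_in_group(DEVICE, GROUP_ID, fake_fetch))
```
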
