
I am setting up an application that will use AzureAD as an OpenID Connect IDP for authentication. I want to know if the authenticating device is an AzureAD "managed" or "compliant" device at the application level by checking the returned JWT access token. There is an optional "platf" JWT claim that can be configured on the AzureAD SSO application dashboard and is described as "Restricted to managed devices that can verify device type". I enabled the claim and observed it is a number in the access JWT token returned by AzureAD. I assume it maps to an enum; however, I can't find any documentation about what status each integer indicates. Has anyone used this claim or know what it represents? Or perhaps a different method of determining if the authenticating device is AzureAD managed?

  • It's not a standard claim as per the OpenID Connect spec, and googling for "platfm" gives nothing whatsoever. At the bottom of the Microsoft doc there is a comment section and links to the doc repo on GitHub. I think you want to try contacting them there. Nobody but the guy who implemented that would have a clue. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-groups-optional-claims – user5994461 Apr 22 '20 at 19:10
  • @user5994461 Already did that, no response yet :( https://github.com/MicrosoftDocs/azure-docs/issues/52310 – user571191 Apr 23 '20 at 18:08
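An added example, not code from the question or from Microsoft, of the application-level check the question describes: verify the access token first, then read the optional `platf` claim as an opaque integer (present only on managed devices that can report a device type, per the portal description quoted above, and with no documented mapping, so it is not interpreted here). The function names, the HS256 test key and the audience string are assumptions for an offline demonstration; a real AzureAD access token is RS256-signed and must be verified against the tenant's published signing keys instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS signed with HS256.

    Constructed test fixture only (hypothetical helper): it stands in for the
    RS256-signed token AzureAD would return, so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256_token(token: str, key: bytes, audience: str,
                       now: Optional[float] = None) -> dict:
    """Check structure, pinned algorithm, signature, audience and expiry, then
    return the claim set. Raises ValueError on any failure so the caller never
    reads claims (including 'platf') from an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never let the token's own header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def device_platform_claim(claims: dict) -> Optional[int]:
    """Return the optional 'platf' claim as an int, or None when AzureAD did not
    emit it. The integer-to-status mapping is undocumented, so the value is
    returned as-is for logging or comparison against values observed in the
    caller's own tenant, not interpreted."""
    value = claims.get("platf")
    if value is None:
        return None
    # bool is a subclass of int in Python; reject it along with non-integers.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("unexpected platf claim type")
    return value


if __name__ == "__main__":
    # Constructed sample: one token with 'platf', one without.
    key = b"constructed-demo-key"
    aud = "api://example-app"
    with_platf = make_hs256_token({"aud": aud, "exp": 2000, "platf": 3}, key)
    without_platf = make_hs256_token({"aud": aud, "exp": 2000}, key)
    print(device_platform_claim(verify_hs256_token(with_platf, key, aud, now=1000)))
    print(device_platform_claim(verify_hs256_token(without_platf, key, aud, now=1000)))
```

The order matters: signature, audience and expiry are checked before any claim is read, so a forged or replayed token cannot present a "managed device" value. Absence of `platf` is returned as None rather than treated as an error, because the portal text says the claim is only emitted for managed devices that can report a type.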

0 Answers