Intune Domain Name Limitation and Workaround

Microsoft Intune does not expose the domain of a device: the DomainName property in its REST API response is not populated. Because of this, when Intune is chosen as the source of device data sync, App Portal does not currently support the license governance capabilities that depend on the domain (license reservation and license reclamation), since the device domain is required when obtaining license position and usage details from FlexNet Manager Suite. For customers with a co-managed setup that uses both Configuration Manager and Intune, the recommendation is therefore to use Configuration Manager as the source of data sync until Intune can supply the domain name.

If Intune is nevertheless chosen as the source for data sync, the workaround described below can be used to obtain the device domain.

Workaround to Get Domain Names of Devices

There are two workaround options:

Option 1 
Option 2 

Option 1

The DomainName property in the REST API response from Intune is null even when a device is domain-joined. The workaround is to carry the domain name in another Azure Active Directory device property, which App Portal reads and saves during data sync.

While syncing from on-premises Active Directory to Azure Active Directory, the domain part of the dNSHostName attribute in Active Directory can be appended to the OperatingSystemVersion field in Azure Active Directory. This is done with the Synchronization Rules Editor on the server where Azure AD Connect is installed. OperatingSystemVersion is the recommended field because App Portal does not use it out of the box; any other string property that exists in Azure Active Directory but is not a column in the WD_Computer table of the App Portal database can be used instead. During data sync, App Portal extracts the domain name from this field and maps it to the MachineDomain column in the WD_Computer table.

If OperatingSystemVersion is the chosen field, run the following query against the App Portal database so that App Portal knows which Azure Active Directory property to read:

Update WD_AppSettings Set Value = 'operatingsystemversion' Where KeyName = 'IntuneAzureADDeviceDomainPropertyName'

Option 2

Use this option when all devices in your organization belong to a single domain. The domain value can then be set directly by running the query below, replacing 'YourOrganizationDomain' with the exact domain name.

Update WD_AppSettings Set Value = 'YourOrganizationDomain' Where KeyName = 'IntuneDefaultDomainValueForDevice'

The two options can also be combined. When the property named in option 1 has no value after the '||' delimiter for a device, and a default domain has been set as described in option 2, that device ends up with the 'YourOrganizationDomain' value in the MachineDomain column of the WD_Computer table.

For all these options to work, a data sync needs to be run after the database changes are applied.

Because the domain name is a mandatory field in the WD_Computer table of the App Portal database, if neither option yields a value, the device's DeviceId from Azure Active Directory is mapped to this field. This is the default behavior: the 'IntuneAzureADDeviceDomainPropertyName' and 'IntuneDefaultDomainValueForDevice' settings are empty out of the box.
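The resolution order described above (option 1 property value, then the option 2 default, then the DeviceId) can be exercised before any sync is run. The following PowerShell is an added example, not App Portal code: Resolve-MachineDomain and its parameter names are my own, and the three sample devices are constructed to cover the three outcomes.

```powershell
# Added example, not App Portal code: emulates how MachineDomain is filled
# from the Intune/Azure AD data under the two workaround settings.
# Resolve-MachineDomain and its parameters are assumed names; the sample
# devices below are constructed.

function Resolve-MachineDomain {
    param(
        # Azure AD property named in IntuneAzureADDeviceDomainPropertyName,
        # expected in the operatingSystemVersion||domainValue format.
        [string] $PropertyValue,
        # Value of IntuneDefaultDomainValueForDevice ('' out of the box).
        [string] $DefaultDomain,
        # Azure AD DeviceId: last resort, because MachineDomain is mandatory.
        [Parameter(Mandatory)] [string] $DeviceId
    )

    # Option 1: take whatever follows the '||' delimiter, if anything does.
    if ($PropertyValue) {
        $pos = $PropertyValue.IndexOf('||')
        if ($pos -ge 0) {
            $domain = $PropertyValue.Substring($pos + 2).Trim()
            if ($domain) { return $domain }
        }
    }

    # Option 2: organisation-wide default, when one has been configured.
    if ($DefaultDomain) { return $DefaultDomain }

    # Default behaviour: the DeviceId stands in for the missing domain.
    return $DeviceId
}

# Constructed sample: three devices as they might come back from Azure AD.
$devices = @(
    [pscustomobject]@{ Name = 'PC-01'; OperatingSystemVersion = '10.0.19045.3803||emea.corp.example.com'; DeviceId = '6d0b1a2c-0000-4000-8000-000000000001' }
    [pscustomobject]@{ Name = 'PC-02'; OperatingSystemVersion = '10.0.19045.3803||';                      DeviceId = '6d0b1a2c-0000-4000-8000-000000000002' }  # dNSHostName empty on-premises
    [pscustomobject]@{ Name = 'PC-03'; OperatingSystemVersion = '10.0.22631.2861';                        DeviceId = '6d0b1a2c-0000-4000-8000-000000000003' }  # cloud-only device, rule never applied
)

# Run the same devices once with the default domain unset and once with it set.
$results = foreach ($default in @('', 'corp.example.com')) {
    foreach ($d in $devices) {
        [pscustomobject]@{
            DefaultSetting = $default
            Name           = $d.Name
            MachineDomain  = Resolve-MachineDomain -PropertyValue $d.OperatingSystemVersion -DefaultDomain $default -DeviceId $d.DeviceId
        }
    }
}
$results | Format-Table -AutoSize
```

With the default left empty, PC-01 resolves to emea.corp.example.com while PC-02 and PC-03 get their DeviceId GUIDs; with the default set to corp.example.com, those two get corp.example.com instead and PC-01 is unchanged. A GUID-looking MachineDomain is therefore the signature of a device the expression did not cover.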

Steps to Map Device Domain Value Using Azure AD Connect

The following sections show how to:

Creating Inbound Rule 
Creating Outbound Rule 

Creating Inbound Rule

To create an inbound rule:

1. Log on to the server where Azure AD Connect is installed.
2. Open the Synchronization Rules Editor and filter the rules by selecting Direction = Inbound and MV Object Type = device. This lists all the inbound rules that apply to devices/computers.
3. Locate the rule whose Connector Object Type is computer. Select it and click Edit in the row of buttons below the list.
4. A confirmation message appears. Click Yes. This clones the selected rule into a new one and disables the original.
5. Under the Description section, set Precedence to a value below 100, such as 90, so that the custom rule takes precedence over the built-in rule it was cloned from.
6. Select Transformations and change the entry whose Target Attribute is deviceOSVersion as follows:
FlowType = Expression
If the dNSHostName value in on-premises Active Directory is in hostname.subdomain.domain.com format, so that the domain part is subdomain.domain.com, the Source can be:

Source = [operatingSystemVersion] & "||" & Word([dNSHostName],2,".") & "." & Word([dNSHostName],3,".") & "." & Word([dNSHostName],4,".")

This concatenates operatingSystemVersion and the domain part of dNSHostName, separated by || (two pipe symbols), so the OperatingSystemVersion value in Azure Active Directory for such a device has the form operatingSystemVersion||domainValue, for example (illustrative values) 10.0.19045.3803||subdomain.domain.com.

The expression can be adapted to the format of your host names, but the result must keep the operatingSystemVersion||domainValue format. Note that Word() returns the n-th dot-separated token and an empty string when that token does not exist, so with this exact expression a host name with more than four labels loses its last label and one with fewer than four ends in a trailing dot.

7. Finally, click Save. The change is applied the next time the synchronization cycle runs.
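Before saving the rule it is worth checking what the expression yields for the host-name layouts actually present in your forest. The following PowerShell is an added example, not part of the original page: it emulates the Azure AD Connect expression functions Word, InStr, Len and Right rather than executing them, the function names (Get-WordToken, Get-DomainSuffixByWord, Get-DomainSuffixAfterFirstDot) are my own, and the host names are constructed.

```powershell
# Added example, not part of the page: emulates the sync expression functions
# so the domain suffix produced for each host-name layout can be inspected.
# Function names and sample host names are assumptions.

function Get-WordToken {
    # Emulates Word([attr], n, "."): the n-th (1-based) dot-separated token,
    # or '' when the token does not exist.
    param([string] $Text, [int] $Index, [string] $Delimiter = '.')
    $parts = $Text.Split($Delimiter)
    if ($Index -ge 1 -and $Index -le $parts.Count) { return $parts[$Index - 1] }
    return ''
}

function Get-DomainSuffixByWord {
    # The page's expression: Word(,2,".") & "." & Word(,3,".") & "." & Word(,4,".")
    # It assumes exactly four labels (hostname.subdomain.domain.tld).
    param([string] $DnsHostName)
    return (Get-WordToken $DnsHostName 2) + '.' + (Get-WordToken $DnsHostName 3) + '.' + (Get-WordToken $DnsHostName 4)
}

function Get-DomainSuffixAfterFirstDot {
    # Emulates Right([dNSHostName], Len([dNSHostName]) - InStr([dNSHostName], ".")):
    # everything after the first dot, whatever the number of labels.
    param([string] $DnsHostName)
    $pos = $DnsHostName.IndexOf('.') + 1          # InStr is 1-based and returns 0 when there is no dot
    if ($pos -eq 0) { return $DnsHostName }        # no dot: Right() returns the whole string
    return $DnsHostName.Substring($pos)
}

# Constructed sample host names covering the layouts that matter.
$samples = @(
    'pc-01.emea.corp.example.com',   # five labels: the page expression drops the TLD
    'pc-02.corp.example.com',        # four labels: the page expression works as intended
    'pc-03.example.com',             # three labels: the page expression leaves a trailing dot
    'pc-04'                          # no domain part at all
)

$osVersion = '10.0.19045.3803'       # constructed operatingSystemVersion value
$samples | ForEach-Object {
    [pscustomobject]@{
        dNSHostName    = $_
        PageExpression = "$osVersion||$(Get-DomainSuffixByWord $_)"
        AfterFirstDot  = "$osVersion||$(Get-DomainSuffixAfterFirstDot $_)"
    }
} | Format-Table -AutoSize
```

The AfterFirstDot column shows the result of the more general expression Right([dNSHostName], Len([dNSHostName]) - InStr([dNSHostName], ".")), which handles any label count but, as the last sample shows, passes a host name with no dot through unchanged; add an IIF on InStr if such objects exist in your directory. Whichever expression you choose, confirm the real output with Preview on a connector space computer object in Synchronization Service Manager before letting the cycle run.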

Creating Outbound Rule

To create an outbound rule

1. Open the Synchronization Rules Editor and filter the rules by selecting Direction = Outbound and MV Object Type = device. This lists all the outbound rules that apply to devices/computers.

2. To create a new outbound rule, click Add new rule. This opens a new window.
3. Under the Description section, provide the name as Out to AAD - Custom Device OperatingSystemVersion and provide a suitable description.
4. Select the appropriate Connected System.
5. Select device under Connected System Object Type.
6. Select device under Metaverse Object Type.
7. Link Type should be Join.
8. Set Precedence to a value between 1 and 100. Click Next.
9. Under the Scoping Filter section, click Add Group and then Add clause. Add the following three clauses:

   Attribute         Operator    Value
   cloudCreated      EQUAL       false
   userCertificate   ISNOTNULL
   cloudFiltered     NOTEQUAL    true

10. Click Transformations and then Add Transformation.
11. Select Direct as the FlowType, deviceOSVersion as the Target Attribute and deviceOSVersion as the Source.
12. Finally, click Add. This creates the new outbound rule, and the change is applied whenever the synchronization cycle runs. To trigger an immediate sync, an administrator can run the Start-ADSyncSyncCycle PowerShell cmdlet on the Azure AD Connect server (for example, Start-ADSyncSyncCycle -PolicyType Delta).
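Once both rules are in place, the practical check is whether the suffixed value actually arrived in Azure Active Directory and, after the next App Portal data sync, how many devices still fell back to the DeviceId. The following PowerShell is an added example, not from the page or from Flexera: it assumes the ADSync, Microsoft.Graph and SqlServer modules are available on the respective machines, and 'PC-01', 'SQL01' and 'AppPortal' are placeholder names.

```powershell
# Added example, not from the page or Flexera: trigger a delta sync, confirm
# the outbound flow in Azure AD via Microsoft Graph, then inspect the App
# Portal database after its own data sync has run. Server, database and
# device names are placeholders.

# 1. On the Azure AD Connect server: run a delta sync instead of waiting for the cycle.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# 2. Read the device back from Azure AD to confirm the '||' suffix reached
#    operatingSystemVersion (Device.Read.All is enough for this query).
Connect-MgGraph -Scopes 'Device.Read.All'
$device = Get-MgDevice -Filter "displayName eq 'PC-01'" -Property displayName, deviceId, operatingSystemVersion
$device | Select-Object DisplayName, DeviceId, OperatingSystemVersion
if (-not $device -or $device.OperatingSystemVersion -notlike '*||*') {
    Write-Warning 'No ||domain suffix in Azure AD yet: check the rule precedence and scoping filter, and the sync result.'
}

# 3. After an App Portal data sync has run: confirm the two settings and count
#    the WD_Computer rows whose MachineDomain is still a DeviceId GUID, i.e.
#    devices that neither the expression nor the default domain covered.
$sqlServer = 'SQL01'
$database  = 'AppPortal'

Invoke-Sqlcmd -ServerInstance $sqlServer -Database $database -Query @"
SELECT KeyName, Value
FROM   WD_AppSettings
WHERE  KeyName IN ('IntuneAzureADDeviceDomainPropertyName', 'IntuneDefaultDomainValueForDevice');
"@ | Format-Table -AutoSize

$rows = @(Invoke-Sqlcmd -ServerInstance $sqlServer -Database $database -Query 'SELECT MachineDomain FROM WD_Computer;')
$guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
$fallback = @($rows | Where-Object { $_.MachineDomain -match $guidPattern }).Count
"Devices whose MachineDomain is still the DeviceId: $fallback of $($rows.Count)"

# Distribution of domain values, useful for spotting truncated or trailing-dot
# results from an expression that did not fit every host-name layout.
$rows | Group-Object MachineDomain | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Step 2 runs wherever the Microsoft.Graph module is installed and the account can read devices; step 3 runs against the App Portal SQL Server and only makes sense after App Portal's own data sync has completed, since the Azure AD value is copied into WD_Computer at that point, not by Azure AD Connect.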