According to the Intune alerts, you may run into issues when using Windows Phone 8.1 and Microsoft Intune together with ADFS for device registration and authentication against your own on-premises Active Directory domain instead of directly against Azure Active Directory. Let's have a look.

If you use ADFS for on-premises device registration, you may have enabled the setting called DeviceAuthenticationEnabled in the ADFS global authentication policy. With this setting enabled, users with a Windows Phone cannot authenticate when accessing the Company Portal: every time they enter their UPN they are sent back to the Sign In button on the phone, and the redirect to the AD FS logon screen never happens.

There are currently two workarounds to give your users with a Windows Phone device access:

Workaround one:

Redirect them to http://portal.manage.microsoft.com instead of the Company Portal if your company needs the device to be registered via ADFS.

Workaround two:

Disable the DeviceAuthenticationEnabled option. This can be done with the following steps:

  1. Start the AD FS Management console
  2. Go to AD FS > Authentication Policies
  3. Click Edit Global Primary Authentication in the Authentication Policy pane
  4. Disable the option Enable Device Registration

(Screenshot: Disable the option Enable device registration)

After disabling this option the users will get access to the Company Portal again.
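For administrators who prefer scripting the change, here is the PowerShell equivalent of the console steps above. This is an added example and not part of the original post; it assumes you run it in an elevated session on the primary AD FS server (Windows Server 2012 R2), where the ADFS module and its Get-AdfsGlobalAuthenticationPolicy / Set-AdfsGlobalAuthenticationPolicy cmdlets are available. It records the current value first so the change can be reverted once it is no longer needed.

```powershell
# Added example (not from the original post): PowerShell equivalent of workaround two.
# Assumes an elevated session on the primary AD FS server (Windows Server 2012 R2).
Import-Module ADFS

# Record the current setting so the change can be reverted later.
$policy = Get-AdfsGlobalAuthenticationPolicy
Write-Host "DeviceAuthenticationEnabled before: $($policy.DeviceAuthenticationEnabled)"

# Workaround two: turn off device authentication in the global primary
# authentication policy (same as unticking Enable Device Registration in the console).
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $false

# Verify that the change took effect before telling users to retry the Company Portal.
$after = (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled
if ($after) {
    throw "DeviceAuthenticationEnabled is still enabled; check that you are on the primary AD FS server."
}
Write-Host "DeviceAuthenticationEnabled after: $after"

# To revert once Windows Phone users no longer need this workaround:
# Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
```

Keep in mind that with device authentication switched off, AD FS no longer performs device certificate authentication for workplace-joined devices, so any issuance authorization rules that depend on device claims will stop matching. Treat this as a temporary measure and re-enable the setting (the commented line at the end) when the workaround is no longer required.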

When using an Insider Build of Windows 10 Mobile, you will be able to access the Company Portal both with and without the setting enabled.

When you use Azure Active Directory Connect with device registration in Azure AD enabled and device write-back configured, registered devices will be synchronized to your on-premises Active Directory.
