Hi Team, We are joining Windows 10 machines to Azure AD and machines are not part of any domain. They are in WORKGROUP. We are not using any on-premises Active Directory domain and users are having accounts in Azure AD with domain.onmicrosoft.com account . Plan is to add the workgroup machines to Azure AD. In this case: What all policies can be applied to this workgroup machine if they are Azure AD joined? Whether multiple users can login to the same Windows 10 machine once they are Azure AD joined? Or the machine should be joined to an Active Directory domain to achieve this functionality? If machines are in workgroup and Azure AD joined, whether they can be enrolled and managed using Intune/Endpoint Manager? Thanks, Anjana

@Anjana R Thanks for reaching out. 1) There is no device management policies which gets applied when you join it to Azure AD. For that you will have to use Intune portal and setup Auto enrollment to Intune if you want this. (Auto Enrollment makes it easier ) 2) Yes, multiple users can login with their Azure AD account on the Azure AD Joined Devices. 3) Yes they can be directly enrolled in Intune either when they are Azure AD joined or even when they are not Azure AD join. Here are few links which will help you further : Different Methods to Enroll the Windows machine to Intune : https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods Managing Windows 10 with Intune : https://www.microsoft.com/en-us/insidetrack/managing-windows-10-devices-with-microsoft-intune Planning Azure AD join Deployments : https://learn.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Azure AD Join and workgroup machines

Accepted answer

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2021-09-29T04:33:16.34+00:00
@Anjana R Thanks for reaching out.

1) There is no device management policies which gets applied when you join it to Azure AD. For that you will have to use Intune portal and setup Auto enrollment to Intune if you want this. (Auto Enrollment makes it easier )

2) Yes, multiple users can login with their Azure AD account on the Azure AD Joined Devices.

3) Yes they can be directly enrolled in Intune either when they are Azure AD joined or even when they are not Azure AD join.

Here are few links which will help you further :

Different Methods to Enroll the Windows machine to Intune : https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

Managing Windows 10 with Intune : https://www.microsoft.com/en-us/insidetrack/managing-windows-10-devices-with-microsoft-intune

Planning Azure AD join Deployments : https://learn.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.
Anjana R 156 Reputation points

2021-09-29T11:25:15.817+00:00

Thanks for your response.

For point #2, I am unable to login to the Azure AD joined machine with a second user ID and the user ID I am using is of the format userB@keyman .onmicrosoft.com. And domain is the default domain when registering the tenant. I have joined the machine to Azure AD using userA@keyman .onmicrosoft.com after logging in to the machine from Settings option. Are there any specific steps for allowing other users to login to the same machine?

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2021-09-29T11:44:20.347+00:00

@Anjana R Yes you are logging in with correct format, may I know what is the error message you are seeing ?

Anjana R 156 Reputation points

2021-09-29T12:25:26.98+00:00

I have provisioned a local Windows 10 VM in Azure and accessing it through RDP. l logged in to machine using local Admin account and joined to Azure AD using first account (UserA@keyman .onmicrosoft.com). And it is then showing under Devices of the first account. For the second account (UserB) unable to login through RDP, not accepting the username and password. In fact, just realized that I am unable to login with first account as well using RDP after joining to Azure AD. It says "the logon attempt failed".

Please note I don't have any custom domain yet and using onmicrosoft.com cloud accounts and machines are Workgroup machines.

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2021-09-30T04:28:02.687+00:00

@Anjana R - Ok This is more of a not being able to RDP into Azure VM question then Azure AD joined behavior with multiple users. For connecting to Azure VM, please check following check following : https://charbelnemnom.com/log-in-with-rdp-to-a-windows-azure-vm-using-azure-ad/
I

Anjana R 156 Reputation points

2021-09-30T11:51:41.84+00:00

@VipulSparsh-MSFT - Yes, I came across similar articles to edit the RDP file and adding those 2 entries to enable the access. It works after that which gives me the option sign in as other user.

But is this option recommended, especially when we have multiple users as they need to download and edit the RDP file to gain access?

Also, when we have a physical machine shared across multiple users whether we will face similar issue?

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2021-09-30T12:50:26.417+00:00

@Anjana R Physical machines wont have this issue. This is only for Azure VMs where you have to do this step.

Anjana R 156 Reputation points

2021-09-30T13:17:08.613+00:00

Thanks @VipulSparsh-MSFT .

I believe then the scenario would be same even if we add a custom domain name in Azure, because it is again another Azure AD directory and not the full fledged AD DS to add the users from GUI.

One last question, whether Azure B2B Guest users can be granted access to these machines in similar fashion and can login to the machines (virtual or physical)? And Intune device management policies can be applied to Azure B2B users?

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2021-10-01T05:19:22.527+00:00

@Anjana R You can not login to a Azure AD joined machine with a B2B user. It will result in this error.

Anjana R 156 Reputation points

2021-10-01T11:13:34.977+00:00

@VipulSparsh-MSFT - So, that means they can be granted access only for applications in hosting organization. Does that also means they can't be managed using MDM or MAM policies in hosting organization?
https://learn.microsoft.com/en-us/answers/questions/230170/can-intune-mdm-being-used-for-guest-users.html

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2021-10-01T11:19:26.333+00:00

@Anjana R - No it cannot work with Azure AD B2B users. Reason being, the device will always contact their home tenant for any policy check while doing Device Authentication. While You will be able to target the external users with intune policy but will be of no use when it comes to implementing them to Devices. As Intune will first try to authenticate the device before fetching any user level policy and Device auth will fail for external users.

Anjana R 156 Reputation points

2021-10-01T11:35:39.447+00:00

@VipulSparsh-MSFT - Ok, this applies to App policies as well or can those be configured for external users in tenant hosting the applications?

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2021-10-01T12:33:16.977+00:00

@Anjana R Nope, App protection policy wont work for guest user. Intune tags the policy to home tenant only. Guest user currently do not have option to select a tenant while logging in. A guest user might have multiple App protection policy, so choosing 1 wont be possible. hence it is not supported and functional at all.

here is a great article which talks about how to securely give access to guest users : https://learn.microsoft.com/en-us/microsoft-365/solutions/create-secure-guest-sharing-environment?view=o365-worldwide

Anjana R 156 Reputation points

2021-10-01T20:27:59.757+00:00

@VipulSparsh-MSFT - thank you so much for your answers.
Sign in to comment

Azure AD Join and workgroup machines

0 additional answers