Plan your Azure Active Directory device deployment

This article helps you evaluate the methods for integrating your devices with Azure AD, choose an implementation plan, and find key links to supported device management tools.

The landscape of devices from which your users sign in is expanding. Organizations may provide desktops, laptops, phones, tablets, and other devices. Your users may bring their own array of devices, and access information from varied locations. In this environment, your job as an administrator is to keep your organizational resources secure across all devices.

Azure Active Directory (Azure AD) enables your organization to meet these goals with device identity management. You can bring your devices into Azure AD and control them from a central location in the Azure portal. This gives you a unified experience, enhanced security, and less time spent configuring a new device.

There are multiple methods to integrate your devices into Azure AD:

Learn

Before you begin, make sure that you're familiar with the device identity management overview.

Benefits

The key benefits of giving your devices an Azure AD identity:

  • Increase productivity – With Azure AD, your users can do seamless sign-on (SSO) to your on-premises and cloud resources, which enables them to be productive wherever they are.

  • Increase security – Azure AD devices enable you to apply Conditional Access policies to resources based on the identity of the device or user. Conditional Access policies can offer extra protection using Azure AD Identity Protection. Joining a device to Azure AD is a prerequisite for increasing your security with a Passwordless Authentication strategy.

  • Improve user experience – With device identities in Azure AD, you can provide your users with easy access to your organization’s cloud-based resources from both personal and corporate devices. Administrators can enable Enterprise State Roaming for a unified experience across all Windows devices.

  • Simplify deployment and management – Device identity management simplifies the process of bringing devices to Azure AD with Windows Autopilot, bulk provisioning, and self-service: Out of Box Experience (OOBE). You can manage these devices with Mobile Device Management (MDM) tools like Microsoft Intune, and their identities in Azure portal.

Training resources

Video: Conditional access with device controls

FAQs: Azure AD device management FAQ and Settings and data roaming FAQ

Plan the deployment project

Consider your organizational needs while you determine the strategy for this deployment in your environment.

Engage the right stakeholders

When technology projects fail, they typically do so due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, ensure that you are engaging the right stakeholders and that stakeholder roles in the project are well understood.

For this plan, add the following stakeholders to your list:

| Role | Description |
|---|---|
| Device administrator | A representative from the device team who can verify that the plan meets the device requirements of your organization. |
| Network administrator | A representative from the network team who can make sure the network requirements are met. |
| Device management team | The team that manages the inventory of devices. |
| OS-specific admin teams | Teams that support and manage specific OS versions. For example, there may be a Mac- or iOS-focused team. |

Plan communications

Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.

Plan a pilot

We recommend that the initial configuration of your integration method be done in a test environment, or with a small group of test devices. See Best practices for a pilot.

Hybrid Azure AD join deployment is straightforward and is entirely an administrator's task; no end-user action is required. You may still want to do a controlled validation of hybrid Azure AD join before enabling it across the entire organization at once.

Choose your integration methods

Your organization can use multiple device integration methods in a single Azure AD tenant. The goal is to choose the method or methods that get your devices securely managed in Azure AD. Many parameters drive this decision, including ownership, device types, primary audience, and your organization's infrastructure.

The following information can help you decide which integration methods to use.

Decision tree for devices integration

Use this tree to determine options for organization-owned devices.

Note

Personal or bring-your-own device (BYOD) scenarios are not pictured in this diagram. They always result in Azure AD registration.

Decision tree

Comparison matrix

iOS and Android devices may only be Azure AD registered. The following table presents high-level considerations for Windows client devices. Use it as an overview, then explore the different integration methods in detail.

| Consideration | Azure AD registered | Azure AD join | Hybrid Azure AD join |
|---|---|---|---|
| Client operating systems | | | |
| Windows 10 devices | ✓ | ✓ | ✓ |
| Windows down-level devices (Windows 8.1 or Windows 7) | | | ✓ |
| Sign-in options | | | |
| End-user local credentials | ✓ | | |
| Password | ✓ | ✓ | ✓ |
| Device PIN | ✓ | | |
| Windows Hello | ✓ | | |
| Windows Hello for Business | | ✓ | ✓ |
| FIDO 2.0 security keys | | ✓ | ✓ |
| Microsoft Authenticator App (passwordless) | ✓ | ✓ | ✓ |
| Key capabilities | | | |
| SSO to cloud resources | ✓ | ✓ | ✓ |
| SSO to on-premises resources | | ✓ | ✓ |
| Conditional Access (require devices be marked as compliant; must be managed by MDM) | ✓ | ✓ | ✓ |
| Conditional Access (require hybrid Azure AD joined devices) | | | ✓ |
| Self-service password reset from the Windows login screen | | ✓ | ✓ |
| Windows Hello PIN reset | | ✓ | ✓ |
| Enterprise State Roaming across devices | | ✓ | ✓ |

Azure AD Registration

Registered devices are often managed with Microsoft Intune. Devices are enrolled in Intune in a number of ways, depending on the operating system.

Azure AD registered devices provide support for Bring Your Own Devices (BYOD) and corporate owned devices to SSO to cloud resources. Access to resources is based on the Azure AD Conditional Access policies applied to the device and the user.

Registering devices


BYOD and corporate-owned mobile devices are registered when users install the Company Portal app.

If registering your devices is the best option for your organization, see the following resources:

Azure AD join

Azure AD join enables you to transition towards a cloud-first model with Windows. It provides a great foundation if you're planning to modernize your device management and reduce device-related IT costs. Azure AD join works with Windows 10 devices only. Consider it as the first choice for new devices.

Even so, Azure AD joined devices can still SSO to on-premises resources when they are on the organization's network, and can authenticate to on-premises servers such as file, print, and other applications.

If this is the best option for your organization, see the following resources:

Provisioning Azure AD Join to your devices

To provision Azure AD Join, you have the following approaches:

If you have either Windows 10 Professional or Windows 10 Enterprise installed on a device, the experience defaults to the setup process for company-owned devices.

Choose your deployment procedure after careful comparison of these approaches.

You may determine that Azure AD Join is the best solution for a device, and that device may already be in a different state. Here are the upgrade considerations.

| Current device state | Desired device state | How-to |
|---|---|---|
| On-premises domain joined | Azure AD Join | Unjoin the device from the on-premises domain before joining it to Azure AD |
| Hybrid Azure AD joined | Azure AD Join | Unjoin the device from the on-premises domain and from Azure AD before joining it to Azure AD |
| Azure AD registered | Azure AD Join | Unregister the device before joining it to Azure AD |

Hybrid Azure AD join

If you have an on-premises Active Directory environment and you want to join your Active Directory domain-joined computers to Azure AD, you can accomplish this with hybrid Azure AD join. It supports a broad range of Windows devices, including both Windows current and Windows down-level devices.

Most organizations already have domain-joined devices and manage them via Group Policy or System Center Configuration Manager (SCCM). In that case, we recommend configuring hybrid Azure AD join to start getting the benefits while leveraging your existing investment.

If hybrid Azure AD join is the best option for your organization, see the following resources:

Provisioning hybrid Azure AD join to your devices

Review your identity infrastructure. Azure AD Connect provides you with a wizard to configure hybrid Azure AD Join for:

If installing the required version of Azure AD Connect isn't an option for you, see how to manually configure Hybrid Azure AD join.

Note

By default, an on-premises domain-joined Windows 10 device attempts to auto-join Azure AD and become hybrid Azure AD joined. This will only succeed if you have set up the right environment.

You may determine that Hybrid Azure AD Join is the best solution for a device, and that device may already be in a different state. Here are the upgrade considerations.

| Current device state | Desired device state | How-to |
|---|---|---|
| On-premises domain joined | Hybrid Azure AD Join | Use Azure AD Connect or AD FS to join the device to Azure AD |
| On-premises workgroup joined or new | Hybrid Azure AD Join | Supported with Windows Autopilot. Otherwise the device must be on-premises domain joined before hybrid Azure AD join |
| Azure AD joined | Hybrid Azure AD Join | Unjoin from Azure AD, which puts the device in the on-premises workgroup or new state |
| Azure AD registered | Hybrid Azure AD Join | Depends on the Windows version. See these considerations. |
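The following added example (not from this article) turns the two upgrade tables and the auto-join note into a check: it parses captured `dsregcmd /status` output, classifies the device into one of the states above, and returns the documented step to reach a desired state, including the case of a domain-joined device whose automatic hybrid join never completed. The sample output is constructed, and the assumption is that the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields appear in the tool's output as shown.

```python
import re

# Constructed, abridged `dsregcmd /status` output (not captured from a real device): a
# domain-joined Windows 10 device whose automatic hybrid Azure AD join has not completed.
SAMPLE_STATUS = """\
             AzureAdJoined : NO
              DomainJoined : YES
                DomainName : CORP
           WorkplaceJoined : NO
"""

def parse_dsregcmd(text):
    """Collect the 'Key : VALUE' lines of dsregcmd output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields):
    """Map the join flags to one of the device states used in the tables above."""
    aad = fields.get("AzureAdJoined") == "YES"
    dom = fields.get("DomainJoined") == "YES"
    wpj = fields.get("WorkplaceJoined") == "YES"  # workplace joined = Azure AD registered
    if aad and dom:
        return "Hybrid Azure AD joined"
    if aad:
        return "Azure AD joined"
    if dom:
        return "On-premises domain joined"  # hybrid join expected but not (yet) completed
    return "Azure AD registered" if wpj else "Workgroup or new"

# Required action for each (current, desired) pair, taken from the two upgrade tables.
TRANSITIONS = {
    ("On-premises domain joined", "Azure AD joined"): "Unjoin from the on-premises domain, then join Azure AD",
    ("Hybrid Azure AD joined", "Azure AD joined"): "Unjoin from the domain and from Azure AD, then join Azure AD",
    ("Azure AD registered", "Azure AD joined"): "Unregister the device, then join Azure AD",
    ("On-premises domain joined", "Hybrid Azure AD joined"): "Configure hybrid join via Azure AD Connect or AD FS; verify the environment if auto-join did not complete",
    ("Workgroup or new", "Hybrid Azure AD joined"): "Use Windows Autopilot, or domain-join the device first",
    ("Azure AD joined", "Hybrid Azure AD joined"): "Unjoin from Azure AD (device becomes workgroup/new), then domain-join",
    ("Azure AD registered", "Hybrid Azure AD joined"): "Depends on the Windows version; see the considerations",
}

def required_step(current, desired):
    """Return the documented step to move a device from its current state to the desired one."""
    if current == desired:
        return "No change needed"
    return TRANSITIONS.get((current, desired), "No documented path")
```

Run it against the real `dsregcmd /status` output on a device to confirm the join state before applying a transition from the tables.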

Manage your devices

Once you have registered or joined your devices to Azure AD, use the Azure portal as a central place to manage your device identities. The Azure Active Directory devices page enables you to:

Make sure that you keep the environment clean by managing stale devices, and focus your resources on managing current devices.

Supported device management tools

Administrators can secure and further control these registered and joined devices using additional device management tools. These tools provide a means to enforce organization-required configurations such as storage encryption, password complexity, software installations, and software updates.

Review supported and unsupported platforms for integrated devices:

| Device management tools | Azure AD registered | Azure AD join | Hybrid Azure AD join |
|---|---|---|---|
| Mobile Device Management (MDM), for example Microsoft Intune | ✓ | ✓ | ✓ |
| Co-management with Microsoft Intune and Microsoft Endpoint Configuration Manager (Windows 10 and later) | | ✓ | ✓ |
| Group Policy (Windows only) | | | ✓ |

We recommend that you consider Microsoft Intune Mobile Application Management (MAM), with or without device management, for registered iOS or Android devices.

Administrators can also deploy virtual desktop infrastructure (VDI) platforms hosting Windows operating systems in their organizations to streamline management and reduce costs through consolidation and centralization of resources.

Troubleshoot device identities

If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:

Next steps