KirazAyhan asked vipulsparsh-MSFT commented

Deleting "User Azure AD registered" devices will block user from logging in to e.g. Office Portal

We have a Hybrid environment and the user authenticates with the local Active Directory (AD).


Unfortunately, a few devices are now automatically Azure AD registered in Azure Active Directory (AAD).

We now use GPOs to prevent more devices from being joined automatically by the user.

After I try to delete these devices from AAD, the user gets blocked and can't access any resources of our tenant, e.g. portal.office.com.

The licence of the tenant is "Azure AD Free".

Is there a way to separate the device and the user so I can just delete the device from AAD without affecting the user?

Best regards, Ayhan

azure-active-directory
vipulsparsh-MSFT answered

@KirazAyhan-6286 Thanks for reaching out.

If your end goal is to have the devices joined to Azure AD as Hybrid Azure AD joined and not as Azure AD registered, you need to perform the following:

Upgrade to Windows 10 1803 (with KB4489894 applied) or above to automatically address this scenario.
In pre-1803 releases, you will need to remove the Azure AD registered state manually before enabling Hybrid Azure AD join. In 1803 and above releases, the following changes have been made to avoid this dual state:

Any existing Azure AD registered state for a user would be automatically removed after the device is Hybrid Azure AD joined and the same user logs in. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device.

If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. In addition to removing the Azure AD registered state, Windows 10 will also unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.

Azure AD registered state on any local accounts on the device is not impacted by this change. It is only applicable to domain accounts. So the Azure AD registered state on local accounts is not removed automatically even after user logon, since the user is not a domain user.

Read more here: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state
Let us know if you have any questions.



Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
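The question and the answer above both turn on the difference between an Azure AD registered (user-scoped "Workplace") device record and a Hybrid Azure AD joined (device-scoped) record, and on what is lost when a record is deleted. The following PowerShell is an added example, not code from the thread or from Microsoft: it inventories the tenant's device records by trust type, lists the owners of the Azure AD registered ones, disables (rather than deletes) a chosen record so the effect on the user can be observed and reverted, and checks on a client that the Workplace Join block policy the question mentions is actually in place. It assumes the AzureAD PowerShell module is installed, that `Connect-AzureAD` runs with a role permitted to read and update devices, and that the device display name in `$candidate` is a placeholder to be replaced.

```powershell
# Added example (not from the thread). Assumes the AzureAD module and a
# Connect-AzureAD session with permission to read and update device objects.
Connect-AzureAD | Out-Null

# 1. Inventory: DeviceTrustType tells you what kind of record you are looking at.
#    Workplace = Azure AD registered (user-scoped), ServerAd = Hybrid Azure AD joined,
#    AzureAd = Azure AD joined.
$devices = Get-AzureADDevice -All $true
$devices | Group-Object DeviceTrustType | Select-Object Name, Count | Format-Table -AutoSize

# 2. The Azure AD registered records, with the users they belong to.
#    Deleting one of these removes the user's device-bound sign-in state on that
#    machine, so know the owner before you touch it.
$registered = $devices | Where-Object { $_.DeviceTrustType -eq 'Workplace' }
$report = foreach ($d in $registered) {
    $owners = Get-AzureADDeviceRegisteredOwner -ObjectId $d.ObjectId
    [pscustomobject]@{
        DisplayName  = $d.DisplayName
        DeviceId     = $d.DeviceId
        Owners       = ($owners | ForEach-Object { $_.UserPrincipalName }) -join ';'
        LastLogon    = $d.ApproximateLastLogonTimeStamp
        Enabled      = $d.AccountEnabled
    }
}
$report | Sort-Object LastLogon | Format-Table -AutoSize

# 3. Reversible first step: disable one record instead of deleting it, then have
#    the owner sign in again. If the sign-in breaks, re-enable with $true and you
#    have lost nothing; delete only once the user is confirmed working.
$candidate = 'DEVICE-DISPLAY-NAME-PLACEHOLDER'   # placeholder, replace before use
$target = $registered | Where-Object { $_.DisplayName -eq $candidate }
if ($target) {
    Set-AzureADDevice -ObjectId $target.ObjectId -AccountEnabled $false
    Write-Host "Disabled $($target.DisplayName); re-enable with -AccountEnabled `$true if the owner is blocked."
}

# 4. On the client: confirm the GPO that blocks further Workplace Join has landed,
#    and show the device's current join / SSO state. Run locally on the workstation.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
                           -Name BlockAADWorkplaceJoin -ErrorAction SilentlyContinue
if ($policy -and $policy.BlockAADWorkplaceJoin -eq 1) {
    Write-Host 'BlockAADWorkplaceJoin = 1: users on this machine cannot add a new work account.'
} else {
    Write-Host 'BlockAADWorkplaceJoin not set: this machine can still be Azure AD registered.'
}
dsregcmd /status
```

In the `dsregcmd /status` output, the Device State block shows `AzureAdJoined`, `DomainJoined` and, in the user section, `WorkplaceJoined`, and the SSO State block shows `AzureAdPrt`; comparing those values for the affected user before and after the record is disabled shows whether the sign-in failure is tied to the device-bound token state rather than to a Conditional Access policy, which is the distinction the follow-up comments below are trying to establish.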

KirazAyhan answered vipulsparsh-MSFT commented

Thank you @vipulsparsh-MSFT for your fast reply, but we just want to remove the devices in AAD and don't want them to join AAD at all.

We can delete/disable the devices there, but as I said, that will block the user from the resources.

Best, Ayhan


@KirazAyhan-6286 Do you have any Conditional Access deployed for those users? The CA policy might require devices registered in Azure AD to be able to access corporate resources.
How do other users who do not have devices registered in Azure AD access your corp data?


We just use GPOs to prevent the users from adding devices in Azure.

The other users just log in with their usual credentials from the local AD.

There are no other CA policies applied.


@KirazAyhan Apologies for the delay on this. If there is no CA policy, then it should not prevent them from accessing the portal. Can you tell me the error message you see at that time?
