Connect domain-joined devices to Azure AD for Windows 10 experiences
Domain join is the traditional way organizations have connected devices for work for the last 15 years and more. It has enabled users to sign in to their devices by using their Windows Server Active Directory (Active Directory) work or school accounts and allowed IT to fully manage these devices. Organizations typically rely on imaging methods to provision devices to users and generally use System Center Configuration Manager (SCCM) or Group Policy to manage them.
Domain join in Windows 10 will provide the following benefits after you connect devices to Azure Active Directory (Azure AD):
- Single sign-on (SSO) to Azure AD resources from anywhere
- Access to the enterprise Windows Store by using work or school accounts (no Microsoft account required)
- Enterprise-compliant roaming of user settings across devices by using work or school accounts (no Microsoft account required)
- Strong authentication and convenient sign-in for work or school accounts with Microsoft Passport and Windows Hello
- Ability to restrict access only to devices that comply with organizational device Group Policy settings
Domain join continues to be useful. However, to get the Azure AD benefits of SSO, roaming of settings with work or school accounts, and access to Windows Store with work or school accounts, you will need the following:
- Azure AD subscription
- Azure AD Connect to extend the on-premises directory to Azure AD
- Policy that's set to connect domain-joined devices to Azure AD
- Windows 10 build (build 10551 or newer) for devices
To enable Microsoft Passport for Work and Windows Hello, you will also need the following:
- Public key infrastructure (PKI) for user certificates issuance.
- System Center Configuration Manager version 1509 for Technical Preview. For more information, see Microsoft System Center Configuration Manager Technical Preview and System Center Configuration Manager Team Blog. This is required to deploy user certificates based on Microsoft Passport keys.
As an alternative to the PKI deployment requirement, you can do the following:
- Have a few domain controllers with Windows Server 2016 Active Directory Domain Services.
To enable conditional access, you can create Group Policy settings that allow access to domain-joined devices with no additional deployments. To manage access control based on compliance of the device, you will need the following:
- System Center Configuration Manager version 1509 for Technical Preview for Passport scenarios
To deploy, follow the steps listed in How to configure automatic registration of Windows domain-joined devices with Azure Active Directory