Configure and manage device registration
With the proliferation of devices of all shapes and sizes and the bring your own device (BYOD) concept, IT professionals are faced with two somewhat opposing goals:
- Allow end users to be productive wherever and whenever
- Protect the organization's assets
To protect these assets, IT staff need to first manage the device identities. IT staff can build on the device identity with tools like Microsoft Intune to ensure standards for security and compliance are met. Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere through these devices.
- Your users get access to the organizational assets they need.
- Your IT staff get the controls they need to secure the organization.
Azure AD registered devices
The goal of Azure AD registered devices is to provide your users with support for the BYOD or mobile device scenarios. In these scenarios, a user can access your organization’s Azure Active Directory controlled resources using a personal device.
| Azure AD registered | Description |
|---|---|
| Definition | Registered to Azure AD without requiring an organizational account to sign in to the device |
| Device ownership | User or organization |
| Operating systems | Windows 10, iOS, Android, and macOS |
| Device sign-in options | |
Azure AD registered devices are signed in to using a local account like a Microsoft account on a Windows 10 device, but additionally have an Azure AD account attached for access to organizational resources. Access to resources in the organization can be further limited based on that Azure AD account and Conditional Access policies applied to the device identity.
Administrators can secure and further control these Azure AD registered devices using Mobile Device Management (MDM) tools like Microsoft Intune. MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, and security software kept updated.
Azure AD registration can be accomplished when accessing a work application for the first time or manually using the Windows 10 Settings menu.
A user in your organization wants to access tools for email, reporting time off, and benefits enrollment from their home PC. Your organization has these tools behind a Conditional Access policy that requires access from an Intune-compliant device. The user adds their organization account and registers their home PC with Azure AD; the required Intune policies are enforced, and the user gets access to their resources.
Another user wants to access their organizational email on a personal Android phone that has been rooted. Your company requires a compliant device and has created an Intune compliance policy that blocks rooted devices. The employee is stopped from accessing organizational resources on this device.
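The compliant-device requirement in the two scenarios above can be expressed as a Conditional Access policy through Microsoft Graph. The following PowerShell is an added example and not part of the original page; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission, and that the group ID passed in is a placeholder for your emergency-access (break-glass) group. The function name is the example's own.

```powershell
# Added example (not from the original page): build and create the
# "require an Intune-compliant device" Conditional Access policy with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and the caller has the Policy.ReadWrite.ConditionalAccess scope.
# The group id passed in is a placeholder for a break-glass/emergency-access
# group that must never be locked out by a device-based policy.

function New-CompliantDevicePolicyBody {
    param(
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )

    # Scope: every user except the emergency-access group, the Office 365
    # app group, and the four platforms Azure AD registration supports.
    # Grant: access only when Intune reports the device as compliant, so an
    # unregistered home PC or a rooted phone never satisfies the policy.
    return @{
        displayName = 'Require Intune-compliant device for Office 365'
        state       = $State
        conditions  = @{
            users        = @{
                includeUsers  = @('All')
                excludeGroups = @($BreakGlassGroupId)
            }
            applications = @{ includeApplications = @('Office365') }
            platforms    = @{
                includePlatforms = @('windows', 'iOS', 'android', 'macOS')
            }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')
        }
    }
}

# Start in report-only mode so the sign-in logs show who would be blocked
# before the policy is enforced.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
$body   = New-CompliantDevicePolicyBody -BreakGlassGroupId '00000000-0000-0000-0000-000000000000'
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Output "Created policy $($policy.Id) in state $($policy.State)"

# Once the report-only results look right, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```

Creating the policy in report-only mode first lets you read the sign-in logs to see which users and devices would have been blocked (unregistered home PCs, phones that Intune marks non-compliant) before enforcement begins; the commented Update-MgIdentityConditionalAccessPolicy call is the switch to enable it. Keep the break-glass exclusion: a device-based grant control applied to every account with no exclusion can lock administrators out of the tenant.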
Azure AD joined devices
Azure AD join is intended for organizations that want to be cloud-first or cloud-only. Any organization can deploy Azure AD joined devices no matter the size or industry. Azure AD join works even in a hybrid environment, enabling access to both cloud and on-premises apps and resources.
| Azure AD joined | Description |
|---|---|
| Definition | Joined only to Azure AD, requiring an organizational account to sign in to the device |
| Device sign-in options | |
Azure AD joined devices are signed in to using an organizational Azure AD account. Access to resources in the organization can be further limited based on that Azure AD account and Conditional Access policies applied to the device identity.
Administrators can secure and further control Azure AD joined devices using Mobile Device Management (MDM) tools like Microsoft Intune or in co-management scenarios using Microsoft Endpoint Configuration Manager. These tools provide a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, software installations, and software updates. Administrators can make organization applications available to Azure AD joined devices using Configuration Manager.
Azure AD join can be accomplished using self-service options like the Out of Box Experience (OOBE), bulk enrollment, or Windows Autopilot.
Azure AD joined devices can still maintain single sign-on access to on-premises resources when they are on the organization's network. Devices that are Azure AD joined can still authenticate to on-premises servers like file, print, and other applications.
Although Azure AD join is primarily intended for organizations that do not have an on-premises Windows Server Active Directory infrastructure, you can certainly use it in scenarios where:
- You want to transition to cloud-based infrastructure using Azure AD and MDM like Intune.
- You can't use an on-premises domain join, for example, if you need to get mobile devices such as tablets and phones under control.
- Your users primarily need to access Microsoft 365 or other SaaS apps integrated with Azure AD.
- You want to manage a group of users in Azure AD instead of in Active Directory. This scenario can apply, for example, to seasonal workers, contractors, or students.
- You want to provide joining capabilities to workers in remote branch offices with limited on-premises infrastructure.
Azure AD join is supported on all Windows 10 editions except Windows 10 Home.
The goal of Azure AD joined devices is to simplify:
- Windows deployments of work-owned devices
- Access to organizational apps and resources from any Windows device
- Cloud-based management of work-owned devices
- Users signing in to their devices with their Azure AD or synced Active Directory work or school accounts
Azure AD Join can be deployed by using a number of different methods. The following subsection focuses on the self-service experience method.
With Windows 10, it's possible for users to join a new device to Azure AD during the first-run experience (FRX), sometimes referred to as self-service experience. This capability enables you to distribute shrink-wrapped devices to your employees or students.
If either Windows 10 Professional or Windows 10 Enterprise is installed on a device, the experience defaults to the setup process for company-owned devices.
In the Windows out-of-box experience, joining an on-premises Active Directory (AD) domain is not supported. If you plan to allow users to join a computer to an AD domain, during setup, they should select the link Set up Windows with a local account. They can then join the domain from the settings on their computer.
To join a Windows 10 device, the device registration service must be configured to allow users to register devices. In addition to having permission to join devices in your Azure AD tenant, the user must have registered fewer devices than the configured per-user maximum.
In addition, if your tenant is federated, your identity provider must support WS-Fed and expose a WS-Trust username/password endpoint (WS-Trust 1.3 or 2005). This protocol support is required both to join the device to Azure AD and to sign in to the device with a password.
Join a Windows 10 device to Azure AD
When you turn on your new device and start the setup process, you should see the Getting Ready message. Follow the prompts to set up your device.
Start by customizing your region and language. Then review and accept the Microsoft Software License Terms.
Select the network you want to use for connecting to the Internet.
Click This device belongs to my organization.
Enter the credentials that were provided to you by your organization, and then click Sign in.
Your device locates a matching tenant in Azure AD. If you are in a federated domain, you are redirected to your on-premises Security Token Service (STS), for example, Active Directory Federation Services (AD FS).
If you are a user in a non-federated domain, enter your credentials directly on the Azure AD-hosted page.
If your tenant's device settings require multi-factor authentication to join devices, you are prompted for a multi-factor authentication challenge.
Azure AD checks whether an enrollment in mobile device management is required.
Windows registers the device in the organization’s directory in Azure AD and enrolls it in mobile device management, if applicable.
If you are:
- A managed user, Windows takes you to the desktop through the automatic sign-in process.
- A federated user, you are directed to the Windows sign-in screen to enter your credentials.
To verify whether a device is joined to your Azure AD, review the Access work or school dialog on your Windows device. The dialog should indicate that you are connected to your Azure AD directory.
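Beyond the Access work or school dialog, the join state can be read from the command line with dsregcmd /status, which reports AzureAdJoined and DomainJoined in its Device State section and WorkplaceJoined in its User State section. The following PowerShell is an added example and not part of the original page: it parses that output and maps it to the three device identity types this page describes (Azure AD registered, Azure AD joined, hybrid Azure AD joined). The dsregcmd output embedded in the script is constructed for the offline demonstration, and the function names are the example's own.

```powershell
# Added example (not from the original page): classify a Windows 10 device's
# join state from `dsregcmd /status`, the command-line equivalent of the
# "Access work or school" check. The sample output below is constructed for
# an offline run; the commented line at the end reads the real command.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)

    # dsregcmd prints "   Key : Value" rows grouped under banner lines such as
    # "| Device State |". Some keys repeat across sections, so each key is
    # prefixed with the section it was found in.
    $result  = @{}
    $section = 'Unknown'
    foreach ($line in $Lines) {
        if ($line -match '^\|\s*(.+?)\s*\|$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $result["$section/$($Matches[1])"] = $Matches[2]
        }
    }
    return $result
}

function Get-JoinType {
    param([Parameter(Mandatory)] [hashtable] $Status)

    # AzureAdJoined/DomainJoined are device-wide; WorkplaceJoined is per user,
    # which is why an Azure AD registered device is reported under User State.
    $aad = $Status['Device State/AzureAdJoined'] -eq 'YES'
    $dom = $Status['Device State/DomainJoined']  -eq 'YES'
    $wpj = $Status['User State/WorkplaceJoined'] -eq 'YES'

    if ($aad -and $dom) { return 'Hybrid Azure AD joined' }
    if ($aad)           { return 'Azure AD joined' }
    if ($wpj)           { return 'Azure AD registered' }
    if ($dom)           { return 'On-premises AD joined only' }
    return 'Not joined or registered'
}

# Constructed sample output (not a capture from a real machine): a device
# that is joined to an on-premises domain and to Azure AD.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

$joinType = Get-JoinType -Status (ConvertFrom-DsregcmdStatus -Lines $sample)
Write-Output "Sample device: $joinType"

# On a real Windows 10 device, run as the user whose registration you want to check:
# Get-JoinType -Status (ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status))
```

Run the live check under the account you are interested in: because WorkplaceJoined lives in the per-user section, an Azure AD registered device shows as registered only for the user who added the work account, while an Azure AD joined or hybrid joined state applies to the whole device.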
Hybrid Azure AD joined devices
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
- IT departments to manage work-owned devices from a central location.
- Users to sign in to their devices with their Active Directory work or school accounts.
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Configuration Manager or group policy (GP) to manage them.
If your environment has an on-premises AD footprint and you also want to benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are joined to your on-premises Active Directory and registered with your Azure Active Directory.
| Hybrid Azure AD joined | Description |
|---|---|
| Definition | Joined to on-premises AD and Azure AD, requiring an organizational account to sign in to the device |
| Device sign-in options | |
Use hybrid Azure AD joined devices if:
- You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.
- You want to continue to use Group Policy to manage device configuration.
- You want to continue to use existing imaging solutions to deploy and configure devices.
- You must support down-level Windows 7 and 8.1 devices in addition to Windows 10.