Access on-premises resources from an Azure AD-joined device in Microsoft 365 Business

Any Windows 10 device that is Azure Active Directory joined will have access to all cloud-based resources such as your Office 365 apps and can be protected by Microsoft 365 Business. To also allow access to on-premises resources like Line Of Business (LOB) apps, file shares, and printers, you must synchronize your on-premises Active Directory with Azure Active Directory by using Azure AD Connect.

See Introduction to device management in Azure Active Directory to learn more. The steps are also summarized in the following sections.

Run Azure AD Connect

Complete the following steps to enable your organization's Azure AD joined devices to access on-premises resources.

  1. To synchronize your users, groups and contacts from local Active Directory into Azure Active Directory, run the Directory synchronization wizard and Azure AD Connect as described in Set up directory synchronization for Office 365.

  2. After the directory synchronization has completed, make sure your organization's Windows 10 devices are Azure AD joined. This step is done individually on each Windows 10 device. See Set up Windows devices for Microsoft 365 Business users for details.

  3. Once the Windows 10 devices are Azure AD joined, each user should restart their device and sign in with their Microsoft 365 Business credentials. All devices will now have access to on-premises resources as well.

No additional steps are required to get access to on-premises resources for Azure AD joined devices. This is built-in functionality available in Windows 10.
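To verify that a device has actually reached the state the steps above describe, the following PowerShell script (an added example, not part of the Microsoft article) parses `dsregcmd /status` and checks the join state, the user's Primary Refresh Token, and whether Windows obtained an on-premises Kerberos ticket; the share path `\\FILESERVER01\Finance` is a constructed placeholder you should replace with a real on-premises share.

```powershell
# Added example: verify an Azure AD joined Windows 10 device is ready for
# on-premises access. Run as the signed-in user, since the SSO fields
# (PRT, TGT) in dsregcmd are reported per user, not per machine.

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-OnPremAccessReadiness {
    # \\FILESERVER01\Finance is a constructed placeholder, not a real path.
    param([string]$SharePath = '\\FILESERVER01\Finance')

    $s = Get-DsregStatus
    $checks = [ordered]@{
        # Device identity: a pure Azure AD join, not a domain or hybrid join.
        'Azure AD joined'              = ($s['AzureAdJoined'] -eq 'YES')
        'Not domain joined'            = ($s['DomainJoined'] -ne 'YES')
        # The PRT is issued when the user signs in with work credentials (step 3).
        'Primary Refresh Token (PRT)'  = ($s['AzureAdPrt'] -eq 'YES')
        # OnPremTgt = YES means Windows obtained a Kerberos TGT from an on-premises
        # domain controller, which needs the identity synced by Azure AD Connect
        # and network line of sight to a DC.
        'On-premises Kerberos TGT'     = ($s['OnPremTgt'] -eq 'YES')
        # Functional check against an actual on-premises resource.
        "Share reachable ($SharePath)" = [bool](Test-Path -Path $SharePath -ErrorAction SilentlyContinue)
    }

    foreach ($name in $checks.Keys) {
        $result = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("{0,-50} {1}" -f $name, $result)
    }
    # $true only when every check passed.
    return ($checks.Values -notcontains $false)
}

Test-OnPremAccessReadiness
```

A FAIL on the TGT check with everything else passing usually points at directory synchronization or DC reachability rather than at the device join itself.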

If your organization is not ready to deploy the Azure AD joined device configuration described above, consider setting up a hybrid Azure AD joined device configuration instead.

Considerations when joining your Windows devices to Azure AD

If you are joining a Windows device to Azure AD that was previously domain-joined or in a workgroup, you need to consider the following limitations:

  • When a device is Azure AD joined, Windows creates a new user profile without referencing the existing one. To fix this, profiles need to be migrated manually. A user profile contains information like favorites, local files, browser settings, Start menu settings, etc. The best approach is to find a third-party tool to map existing files and settings to the new profile.

  • If the device is using Group Policy Objects (GPOs), some GPOs may not have a comparable Configuration Service Provider (CSP) in Intune. Run the MDM Migration Analysis Tool (MMAT) to find comparable CSPs for existing GPOs.

  • Users will not be able to authenticate to applications that depend on Active Directory authentication. To deal with this, evaluate whether the legacy app is still needed and, where possible, consider updating to an app that uses modern authentication.

  • Active Directory printer discovery will not work. To fix this, provide direct printer paths for all users or leverage Hybrid Cloud Print.