Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-12-28) Joining Devices To Azure AD – The Options And The Differences

Posted by Jorge on 2016-12-28


This blog post is about joining/registering devices to Azure and the differences between them.

The following types of relations exist between a device and Azure AD:

[A] “AD Domain Join” + “Auto Registration for AAD” (a.k.a. just AAD Domain Join):

This is the traditional way of joining a computer to an AD domain. If auto registration for AAD has been configured in the AD domain for Windows computers, Win7/8.1/10 devices will also register in AAD automatically. How this is done differs between Windows versions. The device is managed through GPOs and/or SCCM on-premises.

In AAD the status of the device is:

  • “DeviceTrustType = Domain Joined”
  • “DeviceTrustLevel = Managed”

Due to the trust type “Domain Joined”, the device is able to access resources protected with conditional access. If your computers are joined to your AD domain, this is the option to use. You can read more about it in the following blog post: (2016-12-16) Automatic Azure AD Join With ADFS v3.0 And Higher And Conditional Access – What You Really Need In Detail.

[B] “Azure AD Join”:

This is the online version of joining a device to an AD domain. Instead of joining the device to the AD domain, the device is joined directly to the AAD tenant. It is the new way of setting up work-owned devices (e.g. a Windows 10 laptop), using Azure AD directly as the online directory. When configured accordingly, Azure AD join can be disallowed for all users, allowed for specific users/groups, or allowed for every user (self-service). When configured accordingly, the device can also enrol into Intune or whichever MDM solution has been configured in Azure AD. The device is managed through the applicable MDM solution.

In AAD the status of the device is:

  • “DeviceTrustType = Azure AD Joined”
  • “DeviceTrustLevel = Compliant” (only when fulfilling the compliance requirements, otherwise it is “Managed”)

Due to the trust level “Compliant”, the device is able to access resources protected with conditional access. You should only use this if you are migrating from your on-premises AD to Azure AD, or if you do not have (or do not want) an on-premises AD.


Figure 1: The Link To The Azure AD Join Option


Figure 2: Azure AD Join For Work Related Devices

[C] “Workplace Join” (Windows 7/8.1) or “Add Work or School Account” (Windows 10), a.k.a. just “Device Registration”:

This is the way to register personal devices with Azure AD in order to access work-related resources. The user is then able to leverage SSO for work resources through apps and the browser (Edge and IE). When configured accordingly, device registration can either be disallowed or allowed for every user (self-service). When configured accordingly, the device can also enrol into Intune or whichever MDM solution has been configured in Azure AD. The device is managed through the applicable MDM solution.

In AAD the status of the device is:

  • “DeviceTrustType = Workplace Joined”
  • “DeviceTrustLevel = Compliant” (only when fulfilling the compliance requirements, otherwise it is “Managed”)

Due to the trust level “Compliant”, the device is able to access resources protected with conditional access. When enabled, this applies to every user with an AAD account. It is however possible to limit the number of registered devices per user. If MDM is used, it is also possible to configure for which users MDM is mandatory: “None”, “Specific Groups” or “All”. You should use this if you allow people to register their personal devices.


Figure 3: “Add Work Or School Account” (Windows 10), A.K.A. Just “Device Registration”, For Personal Devices

In addition:

  • Registered = device is known to Azure AD (a registered device can be managed or non-managed)
  • Managed = Registered + managed by MDM solution (a managed device can be compliant or non-compliant)
  • Compliant = Managed + fulfills all compliance rules
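As an added example (not code from the original post), the following PowerShell applies the Registered / Managed / Compliant hierarchy and the trust-type/trust-level rules described above to device records, reporting which devices would satisfy a “domain joined or compliant device” conditional access control. It assumes the MSOnline module’s Get-MsolDevice property names (DeviceTrustType, DeviceTrustLevel) and uses constructed sample devices so it runs without a tenant connection.

```powershell
# Classify Azure AD device records by the Registered / Managed / Compliant hierarchy
# from the post and flag which ones satisfy a "domain joined or compliant device"
# conditional access control. Assumes the MSOnline module (Get-MsolDevice) for the
# live path; the sample records below are constructed and only mirror its
# DeviceTrustType / DeviceTrustLevel property names.
function Get-DeviceAccessReport {
    param([Parameter(Mandatory)] [object[]] $Devices)
    foreach ($d in $Devices) {
        # Registered = known to AAD; Managed = Registered + MDM;
        # Compliant = Managed + all compliance rules fulfilled.
        $state = switch ($d.DeviceTrustLevel) {
            'Compliant' { 'Compliant' }
            'Managed'   { 'Managed' }
            default     { 'Registered' }
        }
        # "Domain Joined" passes on trust type alone; Azure AD joined and Workplace
        # joined devices need the "Compliant" trust level, as described in the post.
        $passes = ($d.DeviceTrustType -eq 'Domain Joined') -or ($d.DeviceTrustLevel -eq 'Compliant')
        [pscustomobject]@{
            DisplayName = $d.DisplayName
            TrustType   = $d.DeviceTrustType
            TrustLevel  = $d.DeviceTrustLevel
            State       = $state
            PassesCA    = $passes
        }
    }
}

# Constructed sample records (stand-in for Get-MsolDevice output). 'Authenticated' is
# the trust level MSOnline reports for registered-but-unmanaged devices (assumption,
# not stated in the post).
$sample = @(
    [pscustomobject]@{ DisplayName='PC-HQ-001';  DeviceTrustType='Domain Joined';    DeviceTrustLevel='Managed' }
    [pscustomobject]@{ DisplayName='LT-AAD-007'; DeviceTrustType='Azure AD Joined';  DeviceTrustLevel='Compliant' }
    [pscustomobject]@{ DisplayName='LT-AAD-008'; DeviceTrustType='Azure AD Joined';  DeviceTrustLevel='Managed' }
    [pscustomobject]@{ DisplayName='BYOD-Pad';   DeviceTrustType='Workplace Joined'; DeviceTrustLevel='Compliant' }
    [pscustomobject]@{ DisplayName='BYOD-Phone'; DeviceTrustType='Workplace Joined'; DeviceTrustLevel='Authenticated' }
)

$report = Get-DeviceAccessReport -Devices $sample
$report | Format-Table -AutoSize

# Registered devices that a "require domain joined or compliant device" policy would block
$report | Where-Object { -not $_.PassesCA } | Select-Object DisplayName, TrustType, State

# Live tenant instead of the sample (run Connect-MsolService first):
# Get-DeviceAccessReport -Devices (Get-MsolDevice -All)
```

In the sample, LT-AAD-008 is Azure AD joined and MDM-managed but not compliant, so it is the one Azure AD joined device the policy would block.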

With regards to automatically joining AD-joined computers to Azure AD, you can read the following documentation:

…and if you also want to go all crazy about all kinds of details, you must definitely read Jairo’s blog posts about Azure AD join and related matters. These are:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
Jorge’s Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————

2 Responses to “(2016-12-28) Joining Devices To Azure AD – The Options And The Differences”

  1. Frank van Rijt said

    This link gives some nice additions to your article, to enable filter rules based on the device registration in AAD: https://blog.msresource.net/2016/07/20/controlling-or-scoping-the-synchronisation-of-azuread-drs-devices-back-to-your-on-premises-activedirectory-forest-using-aadconnect/


  2. […] (2016-12-28) Joining Devices To Azure AD – The Options And The Differences […]
