BLOG Published on 2016/12/13 by Asitha De Silva in Tech-Tips

Azure Active Directory Join

Azure Active Directory was first introduced with Microsoft Office 365 to manage the identities and authentication of Office 365 users. It is a multi-tenant, cloud-based directory and identity management service that can provide single sign-on (SSO) to many cloud-based SaaS applications such as Office 365, Salesforce.com, Dropbox, and Concur.


Azure AD also includes a full suite of identity management capabilities, including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing, and security monitoring and alerting. These capabilities help secure cloud-based applications.

What is Azure AD Join

With Windows 10 you can join your computer to Azure Active Directory and sign in with Azure AD credentials. This does not replace what you can do with on-premises Active Directory; instead it provides cloud-based, centralized management of devices and users.

Why Join to Azure AD

Azure AD join is a new feature that is only available on Windows 10 devices. With Azure AD join you get a range of management and security features, and they are improving day by day. The following are the main reasons to join your device to Azure Active Directory.


  • Conditional Access
    Conditional access policies ensure that only your devices, or devices that are compliant, can reach corporate cloud services. For example, corporate email can be restricted to devices that are Azure AD joined and compliant with the policies you have defined.


  • Single Sign On

    You are signed in with the cloud identity, so you do not have to authenticate again. This gives easy access to cloud resources.

  • MDM registration

    Devices joined to Azure AD can be automatically enrolled in mobile device management. Management can be done through Microsoft Intune or a partner MDM solution, and the devices can be managed and monitored alongside other Azure AD joined or domain-joined devices using SCCM.

  • Enterprise State Roaming

    Accessibility settings, websites, Wi-Fi passwords, and other settings are synchronized across corporate-owned devices without requiring a personal Microsoft account.
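The Conditional Access reason above is easiest to see as a concrete policy. The following is an added example (not code from the original post) that builds a policy restricting Exchange Online to compliant or hybrid-joined devices and creates it in report-only mode with the Microsoft.Graph PowerShell module, which postdates this post. The group ID is a placeholder, and the caller is assumed to have the Policy.ReadWrite.ConditionalAccess permission.

```powershell
# Added example: Conditional Access policy requiring a compliant (or hybrid-joined)
# device for Exchange Online. Assumes Microsoft.Graph.Identity.SignIns is installed.

function New-CompliantDeviceMailPolicy {
    param(
        [Parameter(Mandatory)] [string] $PilotGroupId,   # placeholder object ID of a pilot group
        [string] $DisplayName = 'Require compliant device for Exchange Online (pilot)',
        [switch] $Enforce                                 # default is report-only, so nobody is locked out by mistake
    )

    # Report-only ("enabledForReportingButNotEnforced") shows in the sign-in logs
    # what the policy would have done without actually blocking anyone.
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    @{
        displayName = $DisplayName
        state       = $state
        conditions  = @{
            users          = @{ includeGroups = @($PilotGroupId) }
            # Office 365 Exchange Online application ID
            applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
            # "all" also covers legacy/basic-auth mail clients, which would otherwise bypass the check
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            # compliantDevice: MDM (Intune) reports the device compliant. A plain Azure AD joined
            #   device satisfies this only once it is MDM-enrolled and compliant.
            # domainJoinedDevice: Hybrid Azure AD joined (on-premises AD plus Azure AD).
            builtInControls = @('compliantDevice', 'domainJoinedDevice')
        }
    }
}

$policy = New-CompliantDeviceMailPolicy -PilotGroupId '11111111-1111-1111-1111-111111111111'  # placeholder
$policy | ConvertTo-Json -Depth 5   # inspect the request body before sending it

# Uncomment to create the policy in the tenant:
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
# New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Start with a pilot group and report-only state; a device-based grant control applied to all users before the devices are enrolled and compliant locks everyone out of mail, including the administrators.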


Configure Azure AD Join

Before configuring Azure AD join you need an Azure Active Directory tenant; if you want to test this configuration you can use a trial of Office 365 or Microsoft Intune. You can also add your custom domain to the tenant. After that you have to enable device registration in Azure AD.



  1. Log in to the Azure portal
    https://manage.windowsazure.com (the classic portal used in this post; it has since been retired, and the same settings are under Azure Active Directory, Devices, Device settings in the current portal), or log in to the Office 365 Admin portal and navigate to Azure AD from the Admin Center.


  2. Select the Azure Active Directory tenant


  3. Click the Configure tab and navigate to Devices


  4. Set Users may join devices to Azure AD to All, or restrict it to selected groups


  5. You can also define Additional administrators on Azure AD joined devices. With Azure AD Premium you can choose which users are granted local administrator rights on the device; Global Administrators and the user who joins the device are granted local administrator rights by default.

  6. Click Save

How to join your device to Azure AD

There are two ways to join a device to Azure AD:

  1. Joining from the out-of-box experience (OOBE)
  2. Joining from a machine that is already running



When Windows is first set up you can join it to Azure AD; this is the out-of-box experience. Provide your Azure AD credentials and the device is enrolled in Azure AD.



You can also join an already running machine. Go to Settings, System, and click the About tab. (On Windows 10 version 1607 and later the same option is under Settings, Accounts, Access work or school.)


Next click Connect to work or school and then the + Connect icon.


In the next window select Join this device to Azure Active Directory.


When prompted, enter the Azure Active Directory account name and password.


Next it asks you to verify the organization. Click Join; the enrollment process starts and finishes in a few minutes. A reboot is required, and after the reboot select the Other user icon and sign in with the Azure AD credentials.



After joining to Azure AD, the policies you have defined are applied, such as multi-factor authentication and PIN requirements. You also get single sign-on to cloud services from the built-in Windows apps, such as Mail.
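Once the device has rebooted it is worth confirming what actually happened rather than trusting the wizard. The following is an added example (not code from the original post) that parses the "Name : Value" lines printed by dsregcmd /status, reports the join state and MDM enrollment, and lists who holds local administrator rights. It assumes Windows 10 version 1607 or later, where dsregcmd and Get-LocalGroupMember are available; the sample output embedded below is constructed so the parser can be tried on any machine.

```powershell
# Added example: verify an Azure AD join on the device itself.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Fields look like "       AzureAdJoined : YES"; box-drawing headers and blank lines are skipped
        if ($line -match '^\s*([A-Za-z][\w\s-]*?)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    return $result
}

function Test-AzureAdJoin {
    param([hashtable] $Status = (ConvertFrom-DsregStatus -Lines (dsregcmd /status)))
    $joined = $Status['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        AzureAdJoined = $joined
        HybridJoined  = $joined -and ($Status['DomainJoined'] -eq 'YES')
        TenantName    = $Status['TenantName']
        DeviceId      = $Status['DeviceId']
        # No MDM URL means no Intune/MDM enrollment, so "compliant device" policies can never be satisfied
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($Status['MdmUrl'])
    }
}

# Constructed sample of dsregcmd /status output (trimmed), not captured from a real device
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 0f4a1b2c-0000-4000-8000-000000000000
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Test-AzureAdJoin -Status (ConvertFrom-DsregStatus -Lines $sample)

# On the joined device, run the real check and see who ended up as local administrator.
# Azure AD principals show as AzureAD\user@domain with PrincipalSource AzureAD; compare the
# list with the Additional administrators you configured in the tenant.
if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    Test-AzureAdJoin
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}
```

If AzureAdJoined reads YES but MdmEnrolled is false, the device will still fail any Conditional Access rule that requires a compliant device, which is the usual cause of "joined but still blocked" reports.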

Hope this post is useful

Thanks

Asitha De Silva


