When a device is joined to Azure AD, it's essentially a two-way conversation between the device and the Azure AD service. This process is initiated by the user, who must have the necessary permissions to enroll the device.
The device needs to be online and connected to the internet to proceed with the joining process. Azure AD will then authenticate the device and verify its identity.
Once the device is authenticated, Azure AD will assign a unique identifier to it, known as a device ID. This ID is used to track the device's activity and manage its access to Azure AD resources.
During the joining process, the device must be configured to trust the Azure AD certificate, which is used to establish a secure connection between the device and Azure AD.
What Is?
Azure AD is a cloud-based identity and access management solution that allows you to manage user access to your organization's resources.
It's a centralized platform that enables single sign-on, multi-factor authentication, and conditional access to protect your organization's data.
Azure AD is integrated with a wide range of applications and services, including Microsoft 365, Office 365, and Dynamics 365.
To join a device to Azure AD, you need to enroll it in the Azure AD Join process, which involves registering the device with Azure AD.
This process allows the device to access Azure AD resources and receive updates and security patches from Microsoft.
Azure AD Join requires a valid Azure AD account and a device that meets the system requirements.
The device must also be running a supported operating system, such as Windows 10 or later, or macOS High Sierra or later.
Azure AD vs Active Directory
Azure AD is the cloud-based version of Active Directory, allowing you to manage users, groups, and devices in the cloud.
Azure AD is designed to provide a more scalable and flexible solution compared to on-premises Active Directory.
You can join a device to Azure AD, which enables single sign-on and conditional access to cloud applications.
The main difference between Azure AD and Active Directory is that Azure AD is cloud-based, whereas Active Directory is on-premises.
Joining a device to Azure AD requires an Azure AD account and a device that meets the system requirements.
Azure AD provides features such as multi-factor authentication, self-service password reset, and privileged identity management, which are not available in on-premises Active Directory.
Azure AD Authentication
Azure AD authentication offers a convenient way to access resources without the need for a domain controller. For remote users, this means they can authenticate and connect to on-premises resources using a VPN.
Azure AD authentication has some unique challenges, including the lack of support for Kerberos/NTLM authentication and lightweight directory access protocol (LDAP) connections. This may require additional resources and possible server migrations to Azure.
To add device-specific claims and provide Seamless Single Sign-on (SSO) functionality to Azure AD resources, you can issue Primary Refresh Tokens (PRTs) to Azure-AD-joined or hybrid Azure-AD-joined devices.
Azure AD DS provides managed domain services, including domain join, group policy, LDAP, and Kerberos/NTLM authentication, without the need to deploy, manage, and patch domain controllers.
Azure AD Provisioning
Azure AD Provisioning is a game-changer for organizations of all sizes. You can auto-configure devices using Autopilot or through an Out of Box Experience (OOBE) to make device setup a breeze.
This means that end-users can easily set up their devices without requiring an administrator's password. Self-service options are a huge time-saver and reduce the administrative burden on IT teams.
With Azure AD Provisioning, you can also deploy software through the Company Portal, making it easy to get devices up and running quickly. This is especially useful for organizations with a large number of devices to provision.
Provisioning
Provisioning is a crucial step in Azure AD provisioning, allowing you to hand off devices to end-users with ease.
You can auto-configure devices using Autopilot or through an Out of Box Experience (OOBE), making it a more efficient process.
This means you can choose to utilize self-service options that no longer require an administrator's password, giving users more autonomy.
By using the Company Portal, you can deploy software directly to devices, streamlining the provisioning process.
In a controlled environment, administrators can exclusively manage device provisioning, ensuring a more secure and predictable outcome.
Phase
In the join phase of Azure AD provisioning, you'll want to pay attention to the "Previous Registration" subsection in the "Diagnostic Data" section of the join status output. This section is only displayed if the device is domain-joined and is unable to complete a Microsoft Entra hybrid join.
The "Registration Type" field in this section denotes the type of join. A server error code of "DirectoryError" together with the server error message "Your request is throttled temporarily. Please try after 300 seconds" means that multiple registration requests were made in quick succession.
To resolve this issue, simply retry the join after the cool-down period.
If the join failed, you can find the phase in which it failed and the error code by looking at the "Error Phase" field and "Client ErrorCode" field in the "Previous Registration" subsection. Alternatively, you can use Event Viewer logs to locate the phase and error code for the join failures.
Synced
Synced devices can be created in on-prem AD and then synced to Azure AD, allowing for hybrid joining.
To start the sync process, run the cmdlet after creating the device object in on-prem AD. This cmdlet initiates the sync, making the device appear in Azure AD.
The sync process generates a certificate that is also exported to a file. This certificate will be used later for hybrid joining.
To get the tenant ID, you'll need to use the generated certificate, along with the computer's name and SID. This information is required for hybrid joining.
AADInternals can also be used to create device objects directly in Azure AD, eliminating the need for on-prem AD syncing. This method uses the same API as Azure AD Connect.
Comparing Azure AD Options
If you're considering joining a device to Azure AD, you have three main options: traditional AD join, hybrid Azure AD join, and Azure AD join.
Azure AD join is suitable for cloud-only organizations, while traditional AD join and hybrid Azure AD join are suitable for hybrid organizations.
The type of device you want to join Azure AD with matters, too. Organization-owned computers can be joined to Azure AD using all three options, but BYOD computers and mobile devices are only suitable for Azure AD join.
Windows 7 and 8.1, Windows 10 and 11, and 2008R2, 2012R2, 2016 & 2019 servers can be joined to traditional AD and hybrid Azure AD, but not Azure AD. Windows 10 and 11, and 2019 VMs in Azure can be joined to Azure AD, but not traditional AD or hybrid Azure AD.
When it comes to provisioning options, Azure AD join offers more flexibility, including self-service settings, out-of-box experience (OOBE), and bulk enrollment. However, traditional AD join and hybrid Azure AD join have their own strengths, such as domain join via Autopilot and domain join via MSI.
The authentication options also vary between the three options. Azure AD join supports password, Windows Hello for Business, PIN, biometrics or pattern, and FIDO2.0 security keys, while traditional AD join and hybrid Azure AD join support password, Windows Hello for Business, PIN, biometrics or pattern, and local cached credentials.
Here's a summary of the differences between the three options:
Azure AD Types
Azure AD Types are crucial to understand when a device is joined to Azure AD. There are three main types: Registered, Joined, and Hybrid Joined.
A Registered device is typically personally owned or mobile and is signed in with a personal Microsoft account or another local account. This type of device is not owned by an organization.
A Joined device, on the other hand, is owned by an organization and is signed in with an Azure AD account belonging to that organization. These devices exist only in the cloud.
A Hybrid Joined device is a combination of the two, owned by an organization and signed in with an Active Directory Domain Services account belonging to that organization. They exist in both the cloud and on-premises.
Here is a summary of the three Azure AD types:
Types
Azure AD Types can be a bit confusing at first, but let's break it down. There are three main types: Registered, Joined, and Hybrid Joined.
A Registered device is typically a personally owned or mobile device signed in with a personal Microsoft account or another local account.
A Joined device is owned by an organization and is signed in with an Azure AD account belonging to that organization. They exist only in the cloud.
Hybrid Joined devices are owned by an organization and are signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises.
Profile Type
Profile Type is always RegisteredDevice for Registered and Joined devices.
For Hybrid Joined devices, the profile type is initially empty after syncing from on-prem AD, but it's set to registered after the actual join.
Azure AD Technical Details
Azure AD uses a concept called "hybrid join" to allow devices to be joined to Azure AD. This involves synchronizing on-premises Active Directory with Azure AD.
Azure AD uses a service called Azure AD Connect to synchronize user and group information between on-premises Active Directory and Azure AD. This service is responsible for managing the hybrid join process.
Azure AD uses a protocol called Kerberos to authenticate devices that are joined to Azure AD. This protocol ensures that devices can securely access Azure AD resources.
What is?
Azure AD join allows organizations to manage corporate-owned devices by joining the device directly to their Azure AD and enabling logins with the users Azure AD account.
If you're already using Azure AD Connect, your hybrid Azure-AD-joined devices were likely auto-provisioned with the Windows Autojoin feature.
Azure-AD-joined devices can be managed using Microsoft Intune, providing users with access to the Intune Company Portal app for secure management of corporate apps, data, and resources.
Hybrid Azure AD joined devices rely on traditional on-premises Active Directory Domain Services for Identity and Access management and are also registered with Azure AD.
Azure-AD-registered devices are neither AD-joined nor Azure-AD-joined but are simply registered with your Azure AD for device settings and software deployment.
Azure AD registration is often used for "bring your own device" (BYOD) policies, allowing organizations to manage device settings and software for devices owned by either the organization or the user.
You can instruct end-users to perform an Azure AD join on an existing device by opening Start > Settings > Access work or school > Connect.
Technical Details
The device's join status can be evaluated using the dsregcmd /status command, which provides the current Primary Refresh Token (PRT) status in the "SSO state" section.
Azure AD device objects have an objectId attribute that uniquely identifies the device.
For Hybrid Joined devices, the Azure AD device object's objectGuid equals the on-prem AD device object's objectGuid.
The device id attribute of the Azure AD device object is also equal to the objectGuid of the on-prem AD device object for Hybrid Joined devices.
The userCertificate attribute of the device from the on-prem AD object is a public key with a subject name that equals the objectGuid of the on-prem AD device object for Hybrid Joined devices.
The security identifier (SID) of the on-prem AD device object is only set for Hybrid Joined devices and is referred to as onPremisesSecurityIdentifier.
The following fields can be used to evaluate the join status of a device:
- objectId of the Azure AD device object
- device id of the Azure AD device object (equal to the on-prem objectGuid for Hybrid Joined devices)
- objectGuid of the on-prem AD device object
- userCertificate of the on-prem AD device object (its subject name equals the objectGuid for Hybrid Joined devices)
- onPremisesSecurityIdentifier (set only for Hybrid Joined devices)
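The checks above can be run over device records in bulk. The script below is an added example, not code from the original page or from AADInternals: it classifies constructed device records by join type and flags Hybrid Joined records whose device id, userCertificate subject, SID or managed flag do not line up the way the page describes. The attribute names (trustType with values Workplace / AzureAd / ServerAd, profileType, deviceId, onPremObjectGuid, userCertificateSubject, onPremisesSecurityIdentifier, isManaged) are assumptions of this script, and the GUIDs and SIDs are made up.

```powershell
# Added example (not from the original page or AADInternals). Attribute names are assumed;
# sample records are constructed.

function Get-DeviceJoinType {
    param([Parameter(Mandatory)] [hashtable] $Device)
    # Assumed trustType values: Workplace = Registered, AzureAd = Joined, ServerAd = Hybrid Joined
    switch ($Device.trustType) {
        'Workplace' { return 'Registered' }
        'AzureAd'   { return 'Joined' }
        'ServerAd'  { return 'Hybrid Joined' }
        default     { return 'Unknown' }
    }
}

function Test-DeviceConsistency {
    param([Parameter(Mandatory)] [hashtable] $Device)
    $joinType = Get-DeviceJoinType -Device $Device
    $problems = New-Object System.Collections.Generic.List[string]

    if ($joinType -eq 'Hybrid Joined') {
        # Only Hybrid Joined devices carry the on-prem SID
        if (-not $Device.onPremisesSecurityIdentifier) {
            $problems.Add('missing onPremisesSecurityIdentifier')
        }
        # device id must equal the on-prem objectGuid
        if ($Device.deviceId -ne $Device.onPremObjectGuid) {
            $problems.Add('deviceId differs from on-prem objectGuid')
        }
        # userCertificate subject name must equal the on-prem objectGuid
        if ($Device.userCertificateSubject -ne "CN=$($Device.onPremObjectGuid)") {
            $problems.Add('userCertificate subject differs from on-prem objectGuid')
        }
        # Is Managed is always True for Hybrid Joined devices
        if (-not $Device.isManaged) {
            $problems.Add('Hybrid Joined device not marked managed')
        }
    }
    else {
        # Profile Type is always RegisteredDevice for Registered and Joined devices
        if ($Device.profileType -ne 'RegisteredDevice') {
            $problems.Add("profileType is '$($Device.profileType)', expected RegisteredDevice")
        }
        # A SID on a non-hybrid device is unexpected and worth a look
        if ($Device.onPremisesSecurityIdentifier) {
            $problems.Add("$joinType device unexpectedly carries an on-prem SID")
        }
    }

    [pscustomobject]@{
        DisplayName = $Device.displayName
        JoinType    = $joinType
        Healthy     = ($problems.Count -eq 0)
        Problems    = ($problems -join '; ')
    }
}

# Constructed sample records (GUIDs and SIDs are made up)
$hybridGuid = '3f2a9c10-1111-4222-8333-444455556666'
$sampleDevices = @(
    @{ displayName = 'LAPTOP-JOINED'; trustType = 'AzureAd'; profileType = 'RegisteredDevice'
       deviceId = 'a1b2c3d4-0000-4000-8000-000000000001'; onPremObjectGuid = $null
       onPremisesSecurityIdentifier = $null; userCertificateSubject = $null; isManaged = $true },
    @{ displayName = 'PHONE-REGISTERED'; trustType = 'Workplace'; profileType = 'RegisteredDevice'
       deviceId = 'a1b2c3d4-0000-4000-8000-000000000002'; onPremObjectGuid = $null
       onPremisesSecurityIdentifier = $null; userCertificateSubject = $null; isManaged = $false },
    @{ displayName = 'PC-HYBRID-OK'; trustType = 'ServerAd'; profileType = 'RegisteredDevice'
       deviceId = $hybridGuid; onPremObjectGuid = $hybridGuid
       onPremisesSecurityIdentifier = 'S-1-5-21-1000-2000-3000-1104'
       userCertificateSubject = "CN=$hybridGuid"; isManaged = $true },
    @{ displayName = 'PC-HYBRID-BAD'; trustType = 'ServerAd'; profileType = $null
       deviceId = $hybridGuid; onPremObjectGuid = $hybridGuid
       onPremisesSecurityIdentifier = $null; userCertificateSubject = 'CN=wrong'; isManaged = $true }
)

# PC-HYBRID-BAD is reported as unhealthy (no SID, certificate subject mismatch); the rest pass
$sampleDevices | ForEach-Object { Test-DeviceConsistency -Device $_ } | Format-Table -AutoSize
```

To run this against real tenant data, map the attributes of your device export onto the hashtable keys used here; the page does not state which tenant attribute carries the trust type, so treat that mapping as yours to confirm.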
Azure AD Registration
Azure AD Registration is a crucial step in joining a device to Azure AD. This process involves several steps, including generating device keys and requesting an access token.
To start, the registration software generates two keysets: Device key (dkpub/dkpriv) and Transport key (tkpub/tkpriv). The private keys are stored in the device, with the Device key used to identify the device and the Transport key used to decrypt the session key.
The next step is to request an access token for Azure AD Join, which involves sending a certificate signing request (CSR) for the Device key. The access token is then used to enroll the device in Azure AD.
The key steps in the registration process are:
- Generate the Device key (dkpub/dkpriv) and the Transport key (tkpub/tkpriv), storing the private keys on the device.
- Create a certificate signing request (CSR) for the Device key.
- Request an access token for Azure AD Join.
- Use the access token to enroll the device in Azure AD.
Comparisons: Registration vs
Azure AD registration is often confused with Azure AD join, but they're not the same thing. In fact, they have different use cases and requirements.
For instance, Azure AD registration is primarily used for mobile devices, but it can also be used for BYOD (Bring Your Own Device) computers. On the other hand, Azure AD join is typically used for organization-owned computers.
Here's a breakdown of the differences:
As you can see, Azure AD registration offers more flexibility when it comes to supported devices and operating systems. It's also a good option for organizations that want to provide a more user-friendly experience for their employees.
However, Azure AD join is a better choice for organization-owned computers, as it provides more robust management and provisioning options. Ultimately, the choice between Azure AD registration and Azure AD join depends on your organization's specific needs and requirements.
Register
Registering devices to Azure AD is a crucial step in the Zero Trust concept, and it's supported in AADInternals version v0.4.6 and later.
The process involves generating a Device key and Transport key, which are used to identify the device and decrypt the session key, respectively. A certificate signing request (CSR) is generated for the Device key, and the private key is stored in the device.
To request an access token for Azure AD Join, you'll need to use the appid 1b730954-1685-4b74-9bfd-dac224a7b894 with the audience 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9.
The registration software makes a POST request to the Azure AD enrollment server, providing the Transport key, JoinType, and other device details.
The response contains the signed Device key and its thumbprint, as well as the owner of the device.
The POST request carries the following parameters:
- the Transport key
- the JoinType
- the other device details
Azure AD Federation
Azure AD Federation is a crucial component of the hybrid join process. To hybrid join a device, you'll need a SAML token, which requires the token signing certificate and the issuer URI of the identity provider.
To obtain the token signing certificate, you can export it from AD FS using AADInternals. The issuer URI can be obtained by running a cmdlet on the AD FS server.
Azure AD Federation enables seamless integration between your on-premises AD FS environment and Azure Active Directory.
Trust Type
Azure AD Federation allows for a range of device trust types, each with its own characteristics.
DeviceTrustType indicates whether the device is synchronized from the on-prem AD or not, and is true for Hybrid Joined devices.
In Azure AD Federation, the DeviceTrustType is a crucial factor in determining how devices interact with the system.
Federation
Federation is a crucial part of Azure AD, allowing you to connect with other identity providers and enable hybrid joining of devices.
To hybrid join a device with federation, you'll need a SAML token, which can be created using the token signing certificate and issuer URI of the identity provider.
The token signing certificate can be easily exported from AD FS using AADInternals, making it a convenient process.
To get the issuer URI, run a specific cmdlet on the AD FS server, which will provide the necessary information.
Once you have both the certificate and URI, you're ready to hybrid join the device.
The key components involved in hybrid joining with federation are:
- the token signing certificate of the identity provider (exportable from AD FS with AADInternals)
- the issuer URI of the identity provider (obtained with a cmdlet on the AD FS server)
- the SAML token created from the certificate and the issuer URI
Azure AD Configuration
To join your Windows 10 device to Azure AD, you can follow these steps. Open Settings and select Accounts, then choose Access work or school and select Connect.
You'll be prompted to enter your email address and password on the Set up a work or school account screen. Type your email address and select Next, then enter your password and select Sign in.
On your mobile device, approve your device so it can access your account. This is a security measure to ensure that only authorized devices can connect to your Azure AD account.
To decide who owns the Windows 10 machine, you'll need to choose between joining Azure AD or a domain. This decision will impact your device's overall configuration and management.
To enroll a Windows 10 machine in Microsoft Intune, you can set auto-enrollment for your organization's AAD tenant. This will automatically enroll devices joined to AAD in Microsoft Intune.
Here's a summary of the steps to join your Windows 10 device to Azure AD:
- Open Settings and select Accounts.
- Choose Access work or school and select Connect.
- Enter your email address and password on the Set up a work or school account screen.
- Approve your device on your mobile device.
- Review the information on the Make sure this is your organization screen and select Join.
Is Managed
In Azure AD, the "Is Managed" attribute determines the level of management a device has. It is always True for Hybrid Joined devices.
For Registered and Joined devices, the attribute needs to be set by a device management application. This is a requirement for these types of devices to be considered managed.
The AADInternals toolkit provides a function called Set-AADIntDeviceCompliant to set the "Is Managed" attribute. This function is useful for administrators who need to manage devices programmatically.
The "Is Managed" attribute is essential for device management in Azure AD.
Configuring Windows 10
Configuring Windows 10 involves joining the device to Azure Active Directory (AAD), which allows for seamless integration with Microsoft cloud services.
You can join an already configured Windows 10 device by following these steps: open Settings, select Accounts, and then Access work or school. Select Connect, and then Join this device to Azure Active Directory.
To enter your organization's Azure AD, you'll need to provide a Work or School ID for Office 365 or any other Microsoft cloud or business solutions. This could be your Azure AD user ID and password.
You can also join Azure AD with Windows 10 by going to Settings > Accounts > Work Access and clicking the Join or Leave Azure AD link. Alternatively, you can go to Settings > System > About and join a Windows 10 machine to Azure AD.
To confirm your Azure AD join, go to Settings > Accounts > Work Access and check whether your organization name shows up there.
Troubleshoot Issues
If you're experiencing issues with your device being joined to Azure AD, don't worry, we've got you covered. To start troubleshooting, you can use the dsregcmd /status command to retrieve the PRT status. This will provide you with the current PRT status in the "SSO state" section.
Run the command in the context of the logged-in user and check if the AzureAdPrt field is set to NO. If it is, there was an error acquiring the PRT status from Microsoft Entra ID.
Look for events with the following event IDs in the Event Viewer logs: 304, 305, and 307. These events are stored under Applications and Services Log > Microsoft > Windows > User Device Registration.
If the AzureAdPrtUpdateTime is more than four hours old, there's likely an issue with refreshing the PRT. Lock and unlock the device to force a PRT refresh.
Common sub-error codes for configuration errors include HTTP errors returned from the DRS server.
To find the phase in which the join failed, and the error code, look for the "Previous Registration" subsection in the "Diagnostic Data" section of the join status output. This section is displayed only if the device is domain-joined and unable to complete a Microsoft Entra hybrid join.
Possible reasons for failure include:
- Network errors
- HTTP errors
- Federated join server errors
- Sync-join server errors
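The checks in this section (AzureAdPrt set to NO, an AzureAdPrtUpdateTime older than four hours, the "Previous Registration" error fields, and the 304/305/307 events) can be automated. The script below is an added example and not code from the original page: it parses the "Key : Value" lines of dsregcmd /status, applies those checks, and queries the User Device Registration event log. The $SampleStatus text is constructed so the parsing runs offline; the event log channel name and the timestamp format are assumptions of this script, and the error code in the sample is a placeholder.

```powershell
# Added example (not from the original page). Sample status text is constructed;
# the event log channel name is an assumption. Run as the logged-in user on a real device.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)] [string] $Text)
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Status lines look like "   AzureAdJoined : YES"; keep the first occurrence of each key
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1] -replace '\s', ''   # "Client ErrorCode" -> "ClientErrorCode"
            if (-not $fields.ContainsKey($key)) { $fields[$key] = $Matches[2] }
        }
    }
    return $fields
}

function Test-PrtHealth {
    param(
        [Parameter(Mandatory)] [hashtable] $Status,
        [datetime] $Now = [datetime]::UtcNow
    )
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Status['AzureAdJoined'] -ne 'YES') {
        $findings.Add("AzureAdJoined is '$($Status['AzureAdJoined'])': device is not Azure AD joined")
    }
    if ($Status['AzureAdPrt'] -eq 'NO') {
        $findings.Add('AzureAdPrt is NO: PRT acquisition failed, check User Device Registration events 304, 305 and 307')
    }

    # Assumed timestamp format "yyyy-MM-dd HH:mm:ss.fff UTC"
    $updated = $Status['AzureAdPrtUpdateTime']
    if ($updated) {
        try {
            $ts = [datetime]::ParseExact(($updated -replace '\s*UTC$', ''), 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            $ageHours = [math]::Round(($Now - $ts).TotalHours, 1)
            if ($ageHours -gt 4) {
                $findings.Add("PRT last refreshed $ageHours hours ago (more than 4): lock and unlock the device to force a refresh")
            }
        } catch {
            $findings.Add("Could not parse AzureAdPrtUpdateTime '$updated'")
        }
    }

    # "Previous Registration" fields are present only when a hybrid join attempt failed
    if ($Status.ContainsKey('ErrorPhase')) {
        $msg = "Previous registration failed in phase '$($Status['ErrorPhase'])' (client $($Status['ClientErrorCode']), server $($Status['ServerErrorCode']): $($Status['ServerErrorMessage']))"
        if ($Status['ServerErrorMessage'] -match 'throttled') {
            $msg += ' - registration requests were made in quick succession, retry after the cool-down period'
        }
        $findings.Add($msg)
    }

    [pscustomobject]@{
        AzureAdJoined = $Status['AzureAdJoined']
        AzureAdPrt    = $Status['AzureAdPrt']
        Healthy       = ($findings.Count -eq 0)
        Findings      = $findings.ToArray()
    }
}

function Get-DeviceRegistrationEvents {
    # Assumed channel for Applications and Services Logs > Microsoft > Windows > User Device Registration
    param([int[]] $Id = @(304, 305, 307), [int] $MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = $Id } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Constructed sample output; the client error code is a placeholder, not a real value
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-05-01 03:15:42.000 UTC

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

     Previous Registration : 2024-05-01 02:00:10.000 UTC
         Registration Type : sync
               Error Phase : join
          Client ErrorCode : 0x0 (placeholder)
          Server ErrorCode : DirectoryError
       Server ErrorMessage : Your request is throttled temporarily. Please try after 300 seconds
'@

# Offline run: with $Now fixed at 10:00 UTC the PRT is 6.7 hours old, so both the
# stale-PRT finding and the throttled previous-registration finding are reported
$status = ConvertFrom-DsregStatus -Text $SampleStatus
Test-PrtHealth -Status $status -Now ([datetime]'2024-05-01 10:00:00') | Format-List

# On a real device (run as the logged-in user):
#   Test-PrtHealth -Status (ConvertFrom-DsregStatus -Text (dsregcmd /status | Out-String))
#   Get-DeviceRegistrationEvents
```

The parser keeps only the first occurrence of each key, which is what you want for the "SSO state" and "Previous Registration" fields; if you need a later section's value for a duplicated key, split the text on the section banners first.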
Frequently Asked Questions
What is an Azure AD joined device?
An Azure AD joined device is a device that combines on-premises Active Directory with Azure AD capabilities, offering a seamless hybrid experience. This allows you to leverage the strengths of both on-premises and cloud-based identity management.
How to remove Azure AD joined device?
To remove an Azure AD joined device, go to the Azure portal, navigate to Azure AD, and select the user's Devices page to delete the device. Click on the device and select Delete to complete the removal process.
Sources
- https://blog.quest.com/azure-ad-joined-devices-comparing-device-identities-in-active-directory-and-azure-ad/
- https://aadinternals.com/post/devices/
- https://www.anoopcnair.com/join-windows-10-machines-to-domain-or-azure-ad/
- https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973
- https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current