Join Computer to Azure AD and Simplify Device Management

Joining your computer to Azure AD is a game-changer for device management. With Azure AD, you can manage your devices from a single portal, making it easier to keep your organization's devices secure and up-to-date.

Azure AD offers a range of benefits, including simplified password management and improved security through multi-factor authentication. This allows you to reduce the risk of data breaches and cyber attacks.

By joining your computer to Azure AD, you can also take advantage of features like single sign-on, which allows users to access multiple applications and resources with just one set of login credentials.

Joining Windows 10 to a Domain

Joining Windows 10 to a Domain is a crucial step in setting up your device for Azure AD. To start, you'll need to decide who owns the Windows 10 machine, which will impact the setup process and device configuration.

You can join your Windows 10 machine to Azure AD by clicking the Join Azure AD button and providing your organization's Azure AD ID and password. Alternatively, you can go to Settings –> Accounts –> Work Access and click the Join or Leave Azure AD link.

To rename your Windows 10 machine before joining Azure AD, click on the Rename PC option on the About page. This is a useful step to ensure your machine name is accurate and consistent.

The Azure AD join wizard will ask you to confirm your organization's name and details. If MFA is not enabled, you'll need to check and confirm this information before proceeding. Once you're sure, click the JOIN button to complete the authentication and AAD join process.

Here are the two ways to join Azure AD with Windows 10:

  • Go to Settings –> Accounts –> Work Access and click the Join or Leave Azure AD link.
  • Go to Settings –> System –> About and join a Windows 10 machine to Azure AD.

After joining Azure AD, you can confirm the join by going to Settings –> Accounts –> Work Access and checking if your organization name shows up. If everything is set up correctly, you should see your organization name listed.

Understanding Azure AD

Azure AD is a cloud-based identity and access management solution provided by Microsoft. It allows users to access and manage their accounts, applications, and devices from anywhere.

Azure AD is integrated with other Microsoft services, such as Office 365 and Intune, to provide a comprehensive identity and access management solution. This integration enables seamless authentication and authorization across multiple platforms.

Azure AD uses a directory service to store user and group information, making it easy to manage access and permissions. This centralized approach simplifies identity management and reduces administrative burdens.

What is Azure AD

Azure AD is a cloud-based identity and access management solution provided by Microsoft. It allows users to access multiple applications and services with a single set of credentials.

Azure AD provides a single sign-on (SSO) experience for users, eliminating the need to remember multiple usernames and passwords. Users can sign in once and access all the applications and services they need.

Azure AD is integrated with Microsoft 365, which includes popular productivity tools like Office 365, Exchange Online, and SharePoint Online. This integration provides a seamless experience for users who already use these tools.

Azure AD also provides advanced security features, such as multi-factor authentication (MFA) and conditional access, to protect user identities and data. These features can be customized to meet the specific needs of an organization.

Is Managed

In Azure AD, the "isManaged" attribute is a crucial piece of information that tells you whether a device is managed or not. It is always True for Hybrid Joined devices.

For devices that are Registered and Joined, the "isManaged" attribute needs to be set by a device management application or by the AADInternals Set-AADIntDeviceCompliant function.

Azure AD's device management features are designed to make it easy to manage devices, but it's essential to understand the different types of devices and how they're managed.

Hybrid Joined devices have the "isManaged" attribute set to True by default, making it easier to manage these devices.

Profile Type

Azure AD has different types of devices, and understanding these types is crucial for managing your Azure environment.

The profile type of a device is always RegisteredDevice for Registered and Joined devices.

For Hybrid Joined devices, the profile type is initially empty after syncing from on-prem AD, but it's set to Registered after the actual join.

Single Sign-On

Single Sign-On is a feature that allows users to access multiple Azure AD applications with a single set of credentials.

Devices registered or joined to Azure AD enable Single Sign-On (SSO) through Primary Refresh Tokens (PRTs), which can be created with the device and transport certificates.

The process of creating PRTs is described in an earlier blog post, but it's essential to note that the authentication method used when the device was registered or joined to Azure AD affects the access tokens fetched using the PRT.

If the user was authenticated with MFA, the access tokens will have the MFA claim set, satisfying the MFA requirement of CA policies.

Device Registration and Management

Device registration is the process of enrolling a device in Azure AD, allowing it to access company resources and services. This can be done through Azure AD registration or Azure AD join, with the primary use case of Azure AD registration being to support mobile devices.

Azure AD registration has five steps, including generating a device key and transport key, requesting an access token, enrolling the device, and returning the device certificate. The registration software generates two keysets, the device key and transport key, which are used to identify and authenticate the device.

To register a device, you can use the Join-AADIntDeviceToAzureAD function in AADInternals, which can register, join, and hybrid join devices to Azure AD. Alternatively, you can use the Azure AD registration process, which involves obtaining an access token and providing the Register as JoinType.

Here is a summary of the differences between Azure AD join and Azure AD registration:

Note that Azure AD registration is supported in AADInternals version v0.4.6 and later, and requires an access token and the Register as JoinType.

Enrolling a Windows 10 Machine in Microsoft Intune

Enrolling a Windows 10 Machine in Microsoft Intune is a straightforward process. You can auto-enroll your devices in Microsoft Intune when you set up auto-enrollment for your organization's AAD tenant. This way, all devices joined to AAD will automatically be enrolled in Microsoft Intune.

To enroll a Windows 10 machine in Microsoft Intune, you don't need to install the Intune company portal separately from the Windows store. The device will be enrolled automatically, and its type will be detected as Mobile.

As explained in the article, Microsoft Intune auto-enrollment is a convenient feature that simplifies the process of enrolling devices.

What Is a Device

A device is essentially any electronic or mechanical object that can perform a specific function or set of functions.

Devices can range from simple objects like a toaster or a thermostat to complex systems like a smartphone or a computer.

In the context of device registration and management, a device typically refers to a piece of hardware or software that needs to be registered or managed.

Registration is often required for devices that connect to the internet or a network, such as a router or a smart TV.

Devices that are not registered may not be able to access certain features or services, or may not be able to connect to the network at all.

In some cases, devices may need to be registered with a specific organization or company, such as a school or a business.

This is often the case with devices that are used for work or school purposes, such as a laptop or a tablet.

Registering Devices

Registering devices to Azure AD has five steps. The first step is to generate a device key and transport key. The registration software generates two keysets called Device key (dkpub/dkpriv) and Transport key (tkpub/tkpriv), with the private keys stored in the device.

The Device key is used to identify the device, while the Transport key is used to decrypt the session key when requesting the PRT. A certificate signing request (CSR) for “CN=7E980AD9-B86D-4306-9425-9AC066FB014A” (dkpub) is generated with dkpriv.

In the second step, the registration software requests an access token for Azure AD Join. This is done by requesting an access token for appid 1b730954-1685-4b74-9bfd-dac224a7b894 with 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 audience.

The third step involves returning the access token. The fourth step is to enroll the device by making a POST request to “https[:]//enterpriseregistration.windows.net/EnrollmentServer/device/?api-version=1.0”. This request includes the TransportKey, JoinType, DeviceDisplayName, OSVersion, CertificateRequest, TargetDomain, DeviceType, and Attributes.

The fifth and final step is to return the device certificate. This includes the signed Device key (dkpub) and its thumbprint, as well as the owner of the device.

AADInternals can also register devices to Azure AD with the Join-AADIntDeviceToAzureAD function. This function can be used to register, join, and hybrid join devices to Azure AD.

The following is a summary of the required parameters for registering devices:

Technical Details

In Azure AD, device objects are stored, and the join type determines the attribute values. The id of the Azure AD device object is a crucial piece of information.

The attribute names are exposed by the Azure Active Directory Graph API, and we can use the api-version=1.61-internal query parameter to access them.

Here's a breakdown of the attribute values for different join types:

The process of joining devices to Azure AD is identical to registering devices.

Solution Setup and Configuration

Before you start setting up the solution, remember that it's not a supported option, so thoroughly vet it before deploying it to any production computers. This means you should weigh the pros and cons and consider all supported alternatives.

You should also note that no warranty is expressed or implied, so use this solution at your own risk. This is especially important if you're planning to use it in a production environment.

Before using this tool, please consider all supported options, including hybrid Azure AD Join and performing a wipe and reload. This will help you make an informed decision about which solution is best for your needs.

Solution Setup

Before setting up the solution, it's essential to thoroughly vet it to ensure it meets your needs. This is not a supported solution, so use it at your own risk.

You should consider all supported options, including hybrid Azure AD Join and performing a wipe and reload. This will help you make an informed decision about whether to use the solution.

Remember, no warranty is expressed or implied, so be cautious when deploying it to production computers.

Update MigrationConfig.psd1

Update MigrationConfig.psd1 is a crucial step in the solution setup and configuration process. This file contains several important settings that need to be updated for the migration to proceed smoothly.

To update MigrationConfig.psd1, you'll need to set UseOneDriveKFM to $True to install OneDrive and enable Known Folder Move in the target tenant. This requires the tenant ID of the target tenant, which must be specified.

The DeferDeadline setting determines the deferral deadline for completing the migration, while DeferTimes allows a user to defer the migration a specified number of times. You can only use one of these deferral options.

The StartBoundary setting determines when the scheduled task will start running to begin the migration. You'll also need to specify the name of the temporary user account that will be created to complete the migration, known as TempUser.

The password for the TempUser account, TempPass, will be created only when the migration begins and will be deleted at the end of the process. This password is required to complete the migration.

If you need to leave the domain, you can specify the DomainLeaveUser, which requires permission to add and remove computers from the domain and delete computer objects. If you specify a DomainLeaveUser, you'll also need to provide the DomainLeavePass.

Here's a summary of the key settings you'll need to update in MigrationConfig.psd1:
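As an added example (not part of the migration project or the page), the following PowerShell writes a constructed MigrationConfig.psd1 to a temp folder and validates the settings described above before deployment; the key name TargetTenantId is an assumption, since the text only says the target tenant ID must be specified.

```powershell
# Added example (not part of the migration project): write a constructed
# MigrationConfig.psd1 to a temp folder and validate it before deployment.
# TargetTenantId is an assumed key name; the page only says the tenant ID must be set.
$sampleConfig = @'
@{
    UseOneDriveKFM  = $True
    TargetTenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
    DeferDeadline   = '2024-12-31T17:00:00'
    DeferTimes      = 0            # only one of DeferDeadline / DeferTimes may be used
    StartBoundary   = '2024-12-01T18:00:00'
    TempUser        = 'MigrationTemp'
    DomainLeaveUser = 'CONTOSO\svc-domainleave'
    # DomainLeavePass deliberately left out so the validator has something to report
}
'@
$configPath = Join-Path ([IO.Path]::GetTempPath()) 'MigrationConfig.psd1'
Set-Content -Path $configPath -Value $sampleConfig

function Test-MigrationConfig {
    param([Parameter(Mandatory)][string]$Path)
    # Import-PowerShellDataFile evaluates the file in restricted mode, so a
    # tampered config cannot run arbitrary code during validation.
    $cfg = Import-PowerShellDataFile -Path $Path
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($cfg.UseOneDriveKFM -eq $True -and -not ($cfg.TargetTenantId -as [guid])) {
        $problems.Add('UseOneDriveKFM is $True but TargetTenantId is missing or not a GUID.')
    }

    $deadlineSet   = -not [string]::IsNullOrEmpty($cfg.DeferDeadline)
    $deferTimesSet = $cfg.ContainsKey('DeferTimes') -and ([int]$cfg.DeferTimes) -gt 0
    if ($deadlineSet -and $deferTimesSet) {
        $problems.Add('DeferDeadline and DeferTimes are mutually exclusive; set only one.')
    }

    $start    = $cfg.StartBoundary -as [datetime]
    $deadline = $cfg.DeferDeadline -as [datetime]
    if (-not $start) { $problems.Add('StartBoundary is missing or not a parsable date/time.') }
    if ($deadlineSet -and -not $deadline) { $problems.Add('DeferDeadline is not a parsable date/time.') }
    if ($start -and $deadline -and $deadline -le $start) {
        $problems.Add('DeferDeadline must be later than StartBoundary.')
    }

    if ([string]::IsNullOrWhiteSpace($cfg.TempUser)) { $problems.Add('TempUser must be specified.') }

    # DomainLeaveUser needs rights to remove the computer from the domain and its
    # password must accompany it, so the pair is validated together.
    if (-not [string]::IsNullOrWhiteSpace($cfg.DomainLeaveUser) -and
        [string]::IsNullOrWhiteSpace($cfg.DomainLeavePass)) {
        $problems.Add('DomainLeaveUser is set, so DomainLeavePass is required.')
    }
    return $problems
}

$problems = Test-MigrationConfig -Path $configPath
if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Config OK' }
```

With the constructed file above the only warning is the missing DomainLeavePass; point the function at your real MigrationConfig.psd1 to check it the same way.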

Authentication and Security

Joining a computer to Azure AD brings a new level of security and convenience to your organization. For devices joined to a local Active Directory, an object is created in your on-premises AD DS, used for Identity and Access management (IAM) of your organization’s accounts, user devices, and servers.

This configuration provides users with transparent access to resources using Kerberos Single Sign-On (SSO). However, for remote users, this means they must utilize a VPN or similar means to authenticate and connect to the organization’s on-premises resources.

Azure AD authentication offers a more flexible alternative, requiring only access to authenticate against Azure AD in the cloud.

Authentication

Authentication is a critical aspect of Identity and Access management (IAM) in your organization.

You create an object in your on-premises AD DS for each device joined to a local Active Directory, which provides users with transparent access to resources using Kerberos Single Sign-On (SSO).

For users to logon and authenticate, the device needs network access to a domain controller, unless they've previously cached credentials.

Remote users must use a VPN or similar means to authenticate and connect to on-premises resources.

You can issue Primary Refresh Tokens (PRTs) to Azure AD joined or hybrid Azure AD joined devices to add device-specific claims and provide seamless single sign-on (SSO) to Azure AD resources.

Azure AD authentication doesn't support Kerberos/NTLM authentication and lightweight directory access protocol (LDAP) connections, which may require additional resources and server migrations to Azure.

Azure AD Domain Services (Azure AD DS) provides managed domain services like domain join, group policy, LDAP, and Kerberos/NTLM authentication without deploying, managing, and patching domain controllers.

Conditional Access

Implementing Zero Trust requires Azure AD Conditional Access (CA), which is included in Azure AD Premium P1.

CA lets us permit or deny access based on device information.

We can require the device to be managed, which means it's either Hybrid Joined or marked as compliant.

Hybrid Joined devices are assumed to be managed by Configuration Manager and/or GPOs.

Other devices can be marked compliant by Mobile Device Management (MDM) system, such as Intune.

The device compliance can be set by the AADInternals Set-AADIntDeviceCompliant function.

However, device compliance can be "faked" depending on the compliance requirements.
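Because a managed or compliant flag on a Registered or Joined device can be set by tooling rather than by an MDM (see the Is Managed section above and the point just made about faked compliance), an administrator will want to audit for that. The following is an added example, not code from the page or from AADInternals: it runs over a constructed export of device objects and reports Registered or Joined devices whose flags are not backed by a recorded MDM application. The trustType values (Workplace = Registered, AzureAd = Joined, ServerAd = Hybrid Joined), the mdmAppId attribute and the Get-MgBetaDevice cmdlet named in the comment come from Microsoft Graph and are assumptions here.

```powershell
# Added example (not from the page or AADInternals): find Registered/Joined devices
# whose managed or compliant flag is not backed by a recorded MDM application.
# Sample records are constructed. trustType values follow Microsoft Graph
# (Workplace = Registered, AzureAd = Joined, ServerAd = Hybrid Joined) and
# mdmAppId is the Graph beta attribute naming the enrolling MDM; both are assumptions.
$devices = @'
[
 {"displayName":"HYB-001","trustType":"ServerAd","isManaged":true,"isCompliant":true,"mdmAppId":null},
 {"displayName":"AADJ-001","trustType":"AzureAd","isManaged":true,"isCompliant":true,"mdmAppId":"11111111-1111-1111-1111-111111111111"},
 {"displayName":"AADJ-002","trustType":"AzureAd","isManaged":true,"isCompliant":true,"mdmAppId":null},
 {"displayName":"BYOD-001","trustType":"Workplace","isManaged":false,"isCompliant":false,"mdmAppId":null},
 {"displayName":"BYOD-002","trustType":"Workplace","isManaged":false,"isCompliant":true,"mdmAppId":null}
]
'@ | ConvertFrom-Json   # the mdmAppId GUID above is a placeholder, not a real MDM app ID

function Find-UnbackedManagedState {
    param([Parameter(Mandatory)][object[]]$Devices)
    foreach ($d in $Devices) {
        # Hybrid Joined devices carry isManaged = True by virtue of the hybrid join,
        # so only Registered (Workplace) and Joined (AzureAd) devices are examined.
        if ($d.trustType -eq 'ServerAd') { continue }
        $flagged = ($d.isManaged -eq $true) -or ($d.isCompliant -eq $true)
        if ($flagged -and [string]::IsNullOrEmpty($d.mdmAppId)) {
            [pscustomobject]@{
                DisplayName = $d.displayName
                TrustType   = $d.trustType
                IsManaged   = $d.isManaged
                IsCompliant = $d.isCompliant
                Reason      = 'Managed/compliant flag set without an MDM on record; confirm how it was set'
            }
        }
    }
}

# Expected findings for the sample: AADJ-002 and BYOD-002. For live data, pass the
# output of Get-MgBetaDevice -All (Microsoft.Graph.Beta module, assumed installed).
Find-UnbackedManagedState -Devices $devices | Format-Table -AutoSize
```

A device in the report is not proof of tampering; compare it against the MDM's own enrollment records and the device's audit log before acting.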

Comparisons and Types

Azure AD registration and Azure AD join are two cloud-only options that allow you to manage devices without on-premises infrastructure. The primary use case of Azure AD registration is to support mobile devices, but it can be used for any Bring Your Own Device (BYOD).

Azure AD registration is suitable for BYOD computers and mobile devices, but not for organization-owned computers. On the other hand, Azure AD join is suitable for both cloud-only and hybrid organizations, and is compatible with organization-owned computers.

Here's a summary of the differences between Azure AD registration and Azure AD join:

Azure AD join offers more provisioning options, including self-service settings, bulk enrollment, and domain join via Autopilot. It also supports Windows Hello for Business and FIDO2 security keys, but not local cached credentials or NTLM.

Removing and Returning Devices

Removing a device from Azure AD is as simple as clicking a few buttons. You can remove a device from Azure AD using the Azure portal by going to the "Devices" page and selecting the device to be removed.

To remove a device from Azure AD, you'll need to know the device's object ID, which can be found in the Azure portal under "Azure Active Directory" > "Devices" > "All devices". This is a crucial step to ensure you're removing the correct device.

Removing a device from Azure AD will also remove the device's access to Azure AD resources, including Azure resources and Microsoft 365 services.

Return

Returning a device is a crucial step in the device management process. To return a device, you'll need to generate a device key and transport key, which are required to complete the return process.

The return process involves several steps, including generating the device key and transport key, requesting an access token, and enrolling the device. The join type for returning a device is different from registering a device, and it's essential to note this difference.

Here's a summary of the return process in four simple steps:

  1. Generate device key and transport key.
  2. Request access token.
  3. Enroll device.
  4. Return device certificate.

Note that the return process is similar to the registration process, with the main difference being the join type. This is reflected in the device data, which includes the "JoinType" field set to 0.

Remove

Removing a device from your organization's Azure Active Directory (Azure AD) is a straightforward process. You can remove a device from Azure AD if it's no longer needed or if the user is leaving the organization.

Azure AD Registered devices can be removed by the user themselves, but Azure AD Joined devices require administrative privileges to remove. This is because Azure AD Joined devices are more tightly integrated with the organization's Azure AD.

If you're an administrator, you can remove an Azure AD Joined device by going to the Azure AD device management portal and selecting the device to be removed. The device will then be unjoined from Azure AD, and the user will no longer be able to access organizational resources using that device.

Here's a quick checklist to ensure a smooth device removal process:

  • Identify the type of device (Azure AD Registered or Azure AD Joined)
  • Determine who has administrative privileges to remove the device
  • Use the Azure AD device management portal to remove the device

Once a device is removed, it's a good idea to return it to its rightful owner, whether that's the organization or the individual user. This helps maintain a clean and organized IT environment.

Frequently Asked Questions

What do you need to join a device to Azure AD license?

To join a device to Azure AD, you need a Windows 10 Pro, Enterprise, or Education edition device. Azure AD Join requires a specific edition of Windows 10.

How do I connect my computer to Azure?

To connect your computer to Azure, go to Settings > Accounts > Access work or school and follow the prompts to join your device to Azure Active Directory. Restart your computer after completing the setup wizard.

How do you check if a PC is Azure joined?

To check if a PC is Azure joined, open Windows PowerShell and enter the command `dsregcmd /status`, then verify that both AzureAdJoined and DomainJoined are set to YES. This confirms Azure Active Directory (Azure AD) and domain membership.
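As an added example (not from the page), the following PowerShell parses dsregcmd /status output into a hashtable and classifies the join state from the AzureAdJoined and DomainJoined values; the sample output is constructed and trimmed to the lines the functions use, and on a real machine you would pass (dsregcmd /status) instead.

```powershell
# Added example (not from the page): parse `dsregcmd /status` output and classify
# the join state. The sample below is constructed and trimmed so the functions can
# be tried without a joined machine.
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : DESKTOP-SAMPLE

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Only "Key : Value" lines carry state; box-drawing and header lines are skipped.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinState {
    param([Parameter(Mandatory)][hashtable]$Status)
    $aad    = $Status['AzureAdJoined'] -eq 'YES'
    $domain = $Status['DomainJoined']  -eq 'YES'
    # Both YES is a hybrid Azure AD join; AzureAdJoined alone is a plain Azure AD join.
    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($domain)           { return 'Domain joined only (not joined to Azure AD)' }
    return 'Not joined'
}

$status = ConvertFrom-DsregStatus -Lines ($sampleStatus -split "`r?`n")
Get-JoinState -Status $status                      # Azure AD joined for the sample
if ($status['AzureAdPrt'] -ne 'YES') {
    # Without a PRT the signed-in user gets no SSO to Azure AD resources from this device.
    Write-Warning 'No Azure AD PRT for the current user session.'
}
```

On a live machine replace the sample with ConvertFrom-DsregStatus -Lines (dsregcmd /status).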

Judith Lang

Senior Assigning Editor