Azure AD Device Join is a convenient way to join a server to Azure AD. It allows you to manage devices and users in one place.
This method eliminates the need for a domain join, which can be complex and time-consuming.
You can use Azure AD Device Join with Windows Server 2019 and later versions.
This process involves registering the device with Azure AD and then enrolling it into a hybrid Azure AD-joined domain.
Getting Started
Before you start the process of joining your server to Azure AD, make sure you have the necessary setup in place. You need an existing Azure AD tenant, which is a prerequisite for this process.
To ensure a smooth experience, you'll need to have the correct licensing enabled for your Azure AD tenant. This will give you access to the necessary features and tools.
You're also going to need to use Microsoft Intune for device management, or a third-party MDM provider like VMware Workspace ONE. Co-management with SCCM is still an option for AAD joined devices.
Having a "Hybrid" Azure setup with your on-premises AD is also a requirement. This means you're syncing users into Azure AD from your on-prem AD.
Here's a quick rundown of the necessary setup:
- Necessary Azure AD tenant setup
- Correct licensing enabled for Azure AD tenant
- Microsoft Intune for device management (or third-party MDM provider)
- Hybrid Azure setup with on-premises AD
Joining Devices
Joining devices to Azure AD is a crucial step in integrating your on-premises environment with the cloud. You can use AADInternals to register, join, and hybrid join devices with Azure AD using the Join-AADIntDeviceToAzureAD function.
AADInternals version v0.4.6 and later supports registering devices to Azure AD, which requires obtaining an access token and providing Register as JoinType. This allows devices to be registered and connected to Azure AD.
There are multiple ways to hybrid join devices to Azure AD, including creating a device object on-premises, syncing it to Azure AD, and then hybrid joining it. Alternatively, you can use the Join-AADIntOnPremDeviceToAzureAD function to create device objects directly in Azure AD.
Join Types and Hybrid Join
There are three different join types, but all device certificates are technically identical. Hybrid joining requires a device object to exist in Azure AD.
To hybrid join a device, you need a SAML token, which can be created using the token signing certificate and issuer URI of the identity provider. The issuer URI can be obtained by running a cmdlet on the AD FS server.
You can create a device object in on-prem AD, sync it to Azure AD, and then hybrid join it. This process involves creating a self-signed certificate for the device using AADInternals and setting its public key in the userCertificate attribute of the computer object.
AADInternals can also create device objects directly in Azure AD using the Join-AADIntOnPremDeviceToAzureAD function. This function uses the same API as Azure AD Connect and requires a Global Admin or Directory Synchronization Accounts role.
In short, there are two ways to obtain the device object that a hybrid join requires: create it in on-prem AD and let it sync, or create it directly in Azure AD with Join-AADIntOnPremDeviceToAzureAD. Either way, the self-signed device certificate is what ties the join to that object.
Device Id
Device Id is a key attribute when it comes to Azure AD device objects.
The device id attribute of the Azure AD device object is essentially the same as the objectGuid of the on-prem AD device object for Hybrid Joined devices.
Technical Details
Device objects are stored in Azure AD, and the id of the device object is its key attribute. Devices that show different Join Types in the Azure AD portal are all registered through the same process.
Device objects in Azure AD are exposed by the Azure Active Directory Graph API with api-version=1.61-internal query parameter.
Setup and Configuration
To set up an Azure AD joined system, you can either use the user-driven scenario or generate a "bulk" token from Azure and put it into a Provisioning Package (PPKG). This method allows you to pre-Azure AD join devices and ship them to users, who will then be able to boot up and log in without having to go through the out-of-box experience (OOBE).
You can also configure Azure AD Connect to join devices to Azure AD. To do this, open Azure AD Connect and select the "Configure device options" option. From there, you can choose which forests to configure and select Azure Active Directory as the Authentication Service.
Setting up Hybrid Azure AD join is another option, but it's not recommended as it doesn't take full advantage of the cloud. Instead, consider using the user-driven scenario with Autopilot or generating a bulk token for a more streamlined experience.
Configure
To configure Hybrid Azure AD join, select Configure Hybrid Azure AD join in Azure AD Connect's device options. This starts the process of setting up your Hybrid Azure AD joined device.
You'll also need to have access to both an on-prem Administrator and an Azure AD Global Administrator. If you want to test your Hybrid Azure AD joined device further, an Intune license is needed.
To configure Azure AD Connect, open it up and navigate to the Configure device options section. Choose Azure Active Directory as Authentication Service and click Add to add your on-prem administrator.
You can then select the forests you want to configure in the SCP configuration screen. After that, you'll be able to choose which Windows versions you want to configure, such as Windows 10 devices.
To check if your device is hybrid joined, open the command prompt and enter: dsregcmd /status. If it says AzureAdJoined : YES, then you're halfway there!
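The check above reads two fields of dsregcmd /status at once; as an added example (not code from the original article), this parses the command's output and reports the join state. The sample output below is constructed text so the parser can be exercised offline.

```powershell
# Parse the "   Key : Value" lines that dsregcmd /status prints; banners and blanks are skipped
function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# A device is hybrid joined only when BOTH the on-prem domain and Azure AD report it as joined;
# AzureAdJoined : YES on its own is the "halfway there" state described in the text
function Test-HybridJoin {
    param([hashtable]$State)
    $azureJoined  = $State['AzureAdJoined'] -eq 'YES'
    $domainJoined = $State['DomainJoined']  -eq 'YES'
    [pscustomobject]@{
        AzureAdJoined = $azureJoined
        DomainJoined  = $domainJoined
        HybridJoined  = ($azureJoined -and $domainJoined)
        DeviceId      = $State['DeviceId']
        TenantName    = $State['TenantName']
    }
}

# Constructed sample (not real dsregcmd output) for offline testing
$SampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`r?`n"

# Use the live command when it exists (Windows 10/Server 2019+), otherwise the sample
$raw = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd /status } else { $SampleOutput }
Test-HybridJoin -State (ConvertFrom-DsregcmdStatus -Lines $raw)
```

With the sample input HybridJoined is True; on a device that only shows AzureAdJoined : YES, DomainJoined is False and the SCP/Connect steps above still need to complete.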
Registering Devices
Registering devices to Azure AD is a crucial step in the setup process. You can register devices using the AADInternals tool, which supports registering devices in version v0.4.6 and later.
To register a device, you need to obtain an access token and provide Register as JoinType. The AADInternals tool can register, join, and hybrid join devices to Azure AD with the Join-AADIntDeviceToAzureAD function.
Here are the steps to register a device using AADInternals:
- Obtain an access token
- Provide Register as JoinType
- Use the Join-AADIntDeviceToAzureAD function to register the device
Alternatively, you can use the Azure portal to register devices. However, AADInternals provides a more convenient and efficient way to register devices.
It's worth noting that devices are a crucial part of Microsoft's Zero Trust concept. By registering devices, you can ensure that they are properly secured and managed within your Azure AD environment.
Profile Type
When setting up your device, it's essential to understand the profile type. The profile type is always "RegisteredDevice" for Registered and Joined devices.
For Hybrid Joined devices, the profile type is initially empty after syncing from on-prem AD, but it's set to "registered" after the actual join.
Remote Desktop
To use Remote Desktop, you need to add specific lines to the RDP file. Save an ".rdp" file and open it in Notepad, then add these two lines to the end: enablecredsspsupport:i:0 and authentication level:i:2.
Make sure to uncheck the option that says "Allow connections only from computers running Remote Desktop with Network Level Authentication". This will allow you to connect remotely.
When connecting, use the format AzureAD\<user principal name> for the username, e.g. AzureAD\user@yourtenant.com (placeholder). This is the correct format to use.
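As an added example (not from the original article), this writes the .rdp file described above with the two settings and the AzureAD\ username pre-filled, and reads a file back to confirm the settings are present. The host name, UPN and output path are placeholders.

```powershell
function New-AzureAdRdpFile {
    param(
        [Parameter(Mandatory)][string]$HostName,   # placeholder target, e.g. srv01.example.com
        [Parameter(Mandatory)][string]$Upn,        # the Azure AD user principal name
        [Parameter(Mandatory)][string]$Path
    )
    $lines = @(
        "full address:s:$HostName"
        # Azure AD accounts are entered as AzureAD\<UPN>
        "username:s:AzureAD\$Upn"
        # The two lines the text adds:
        # enablecredsspsupport:i:0  - client does not use CredSSP, so the NLA pre-auth step is skipped
        "enablecredsspsupport:i:0"
        # authentication level:i:2  - if server authentication fails, warn and let the user decide
        "authentication level:i:2"
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines
}

# Report whether an existing .rdp file carries the settings the Azure AD logon needs
function Test-RdpFileForAzureAd {
    param([Parameter(Mandatory)][string]$Path)
    $content = Get-Content -Path $Path
    [pscustomobject]@{
        CredSspDisabled   = [bool]($content -match '^enablecredsspsupport:i:0$')
        AuthLevelIsTwo    = [bool]($content -match '^authentication level:i:2$')
        UsesAzureAdPrefix = [bool]($content -match '^username:s:AzureAD\\')
    }
}

$file = Join-Path $env:TEMP 'azuread-host.rdp'
New-AzureAdRdpFile -HostName 'srv01.example.com' -Upn 'user@example.com' -Path $file | Out-Null
Test-RdpFileForAzureAd -Path $file
```

Because enablecredsspsupport:i:0 together with the unchecked NLA option means the session is set up before the user is authenticated, keep the host's RDP port reachable only from trusted networks or a VPN.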
Manage Local Group Membership via Intune
You can manage local group membership via Intune policy to configure groups to be added to the local administrators group. This is done by going to Endpoint Security > Account Protection and creating a profile for "Local user group membership".
To add or remove groups, you can choose from three options: Add (Replace), which makes the specified groups the entire membership; Remove (Update), which removes the specified groups and leaves other members alone; or Add (Update), which adds the specified groups without touching existing members.
You can configure this to automatically add one or more groups to the local administrators group via Intune policy. This is a convenient way to manage local group membership without having to manually add or remove groups.
The groups you specify can be Azure AD cloud groups or groups synced from on-prem AD. This flexibility allows you to manage your local group membership across different environments.
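The "Local user group membership" profile above writes a LocalUsersAndGroups policy (Policy CSP) to the device, in which Azure AD groups are referenced by SID. As an added example (not from the original article or from Intune itself), this derives that SID from a group's object id and builds the GroupConfiguration XML for the three options; the object ids are constructed sample values.

```powershell
function ConvertTo-AzureAdSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    # Azure AD SIDs are S-1-12-1- followed by the GUID's 16 bytes read as four little-endian uint32s
    $b = $ObjectId.ToByteArray()
    $parts = 0, 4, 8, 12 | ForEach-Object { [BitConverter]::ToUInt32($b, $_) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-LocalGroupMembershipXml {
    param(
        [string]$LocalGroup = 'Administrators',
        # 'R' = Replace the whole membership (Add (Replace)); 'U' = Update it in place (Add/Remove (Update))
        [ValidateSet('U', 'R')][string]$Action = 'U',
        [guid[]]$AddGroupIds = @(),
        [guid[]]$RemoveGroupIds = @()
    )
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<GroupConfiguration>')
    [void]$sb.AppendLine("  <accessgroup desc=`"$LocalGroup`">")
    [void]$sb.AppendLine("    <group action=`"$Action`" />")
    foreach ($id in $AddGroupIds)    { [void]$sb.AppendLine("    <add member=`"$(ConvertTo-AzureAdSid $id)`" />") }
    foreach ($id in $RemoveGroupIds) { [void]$sb.AppendLine("    <remove member=`"$(ConvertTo-AzureAdSid $id)`" />") }
    [void]$sb.AppendLine('  </accessgroup>')
    [void]$sb.Append('</GroupConfiguration>')
    return $sb.ToString()
}

# Constructed sample object ids (not real groups)
$cloudAdmins  = [guid]'11111111-2222-3333-4444-555555555555'
$legacyAdmins = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

# Add (Update): add one cloud group, keep whatever is already in the local Administrators group
New-LocalGroupMembershipXml -Action 'U' -AddGroupIds $cloudAdmins
# Remove (Update): drop a group that should no longer hold local admin
New-LocalGroupMembershipXml -Action 'U' -RemoveGroupIds $legacyAdmins
# Add (Replace): the listed group becomes the whole membership (built-in Administrator is kept by Windows)
New-LocalGroupMembershipXml -Action 'R' -AddGroupIds $cloudAdmins
```

The same SID derivation applies to a synced on-prem group only if you use the Azure AD object id of its cloud copy; for the on-prem SID itself, use the value from Active Directory directly.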
Device Role
Device Role is a viable option for granting local admin rights, but it comes with limitations. There is a role called Azure AD Device Administrators Role that can be leveraged for this purpose.
To activate this role, you need to use Privileged Identity Management, which is a requirement. This process is not feasible in all environments; it proved not to be workable in the author's environment.