For up-do-date information on signing into your Windows 10 account with your Azure AD account, please see documentation on usage scenarios and deployment considerations for Azure AD Join.
Today we’re continuing the series on the exciting Azure AD capabilities you’ll find in Windows 10. This third post follows the overview of the series, Bringing the cloud to enterprise desktops, and a deep dive into Azure AD on Windows 10 Personal Devices. This next engineering post is written by Gary Henderson a Principal Program Manager on my team. Gary will focus on the benefits, process, and management of devices which are joined to Azure AD. Read on and enjoy!
Brad Anderson also has a blog post today on how Azure AD and Intune work together to provide an awesome experience on Windows 10 devices that are joined to Azure AD. I’d recommend checking it out.
And as always, we’d love to hear your feedback on this so please fire away in the comments section.
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity and Security Division
I’m Gary Henderson, and I’ve been working on bringing Azure AD scenarios to life in Windows 10. Today, I’m going to focus on the ability to sign in to Windows 10 with your Azure AD account.
To do that, I’ll be covering these details of joining a device to Azure AD:
- Self-provisioning of corporate owned devices
- Use existing organizational accounts to sign in
- Single Sign-On (SSO) to company resources in the cloud
- Single Sign-on to on-premises resources
Azure AD join sweet spots
The first question customers ask about Azure AD join is “How is this different from domain join?” Domain join gets you the best on-premises experiences on devices capable of domain joining, while Azure AD join is optimized for users that primarily access cloud resources. Azure AD Join is also great if you want to manage devices from the cloud with a MDM instead of with Group Policy and SCCM. (Note: The experience accessing cloud resources from domain joined devices is going to be awesome Windows 10. We’ll have another blog post specifically about this topic soon.)
Let’s take a deeper look at some common deployment scenarios.
Scenario 1: Your apps and resources are largely in the cloud
If you are moving your organization to the cloud and using SaaS apps like Office365 for productivity, you should consider Azure AD Join. Employees can join Windows 10 devices to Azure AD by themselves during the first-run experience or from the System Settings. And signing in to Windows 10 using their Azure AD credentials gets them single sign-on to Office365 and any other applications that use Azure AD for authentication – including the Azure AD Access Panel (at myapps.microsoft.com).
Scenario 2: Seasonal workers and Students
We’ve learned from our customers in retail and educational institutions that they need a way to manage two types of user identities: Long term employees like faculty and/or corporate staff, and high turn-over identities for students or seasonal workers. For these customers, a mixed model is ideal. They can continue manage long term employee’s on-premises using Windows Server AD (connected to Azure AD). And they can managed their high turn-over identities in the cloud using Azure AD. This lets them take advantage of the scale out and cost benefits of the cloud. Now with Azure AD in Windows 10 these cloud only users will get the same great SSO to their PC’s and Office365 and other cloud resources that had previously only been available to on-premises users.
Scenario 3: Choose your own device for on-premises users
Even where users are provisioned only in your on-premises directory, they get a simplified joining experience for Windows 10 devices that they purchase themselves. And as an admin you can still take advantage of the automatic MDM enrollment and conditional access offered by Azure AD. Users get single sign-on to Azure AD-backed resources and to a wide selection of on-premises resources as well.
Let’s get set up!
The first task is of course to get users provisioned in Azure AD. As you probably know there are several ways to do this – including manual provisioning, bulk importing and synchronization from your on-premises Active Directory. I’m assuming you’ve already completed this step.
Now you need to enable user to join their devices to Azure AD in the Azure Admin Portal:
Enabling Azure AD Join
You can also configure the following options:
Maximum number of devices per user
- Designate the maximum number of devices a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of their existing devices are removed.
Require muti-factor authentication to join devices
- Enable when users should provide a second factor of authentication in order to join their device to Azure AD.
Additional administrators on Azure AD Joined devices:
- With Azure AD Premium or the Enterprise Mobility Suite (EMS), you can choose which users are granted local administrator rights to the device.
Note: Global Administrators and the device owner are granted local administrator rights by default.
Now what do users do?
Users have a couple of options to get devices joined to Azure AD. The most likely scenario is a user receiving a new Windows 10 device and joining it to Azure AD during the first-run experience that Ariel blogged about. Users upgrading to Windows 10 can also join their devices to Azure AD through System Settings. This scenario commonly starts as users logged in using a local account.
This sign in experience includes all steps in order to complete authentication. Users provide their Azure AD account credentials in the form of firstname.lastname@example.org. The user must also complete the multifactor authentication challenge (if required).
After Azure AD join completes, the user must sign out of the local user account and click the Other User tile to sign in with an Azure AD credential.
After sign in, the user gets access to cloud and on-premises resources. The user’s name is displayed in the Start Menu.
Now let’s see an experience like launching the Mail application.
The Mail application automatically recognizes the signed in user and opens the Office 365 hosted inbox. In fact any application written to use the Web Account Manager will automatically recognize the signed in user.
Users can also get SSO to applications published in the Azure AD Access Panel. And users going to web applications like http://portal.office.com, Outlook Web Access and SharePoint Online in the Edge browser get no extra prompts for authentication.
Managing devices in you organization
Managing devices joined to Azure AD is very easy. The Azure Admin Portal displays the devices each user has joined to Azure AD. Devices can be deleted or blocked here. Additional capabilities like pushing policies and software is available when the device is managed by Intune or another MDM.
Questions and Feedback
The ability to join Windows 10 devices to Azure AD and much more is available through the Windows 10 Technical Preview and the Windows 10 Enterprise Technical Preview. We’re looking forward to your feedback and suggestions on these capabilities!
Gary Henderson (Twitter: @jeepocalypse)
Principal Program Manager
Microsoft Identity and Security Services Division