Before diving into the process, it's important to understand the distinction between joining and registering. Joining is intended for PCs owned by the company and running Windows 10 or 11. These PCs can be fully managed with policies.
On the other hand, registration is intended for personal (mobile) devices that may run different operating systems. With this approach, you cannot sign in to Windows with your work account, whereas joining allows you to do so.
As with on-prem Active Directory, you also need a user account in the cloud with permission to create a computer object. By default, all users are allowed to connect up to 50 computers to Azure AD.
You can change this setting in the relevant tenant under Devices > Device settings. First, in the section Users may join devices to Azure AD, you can set the slider to Selected and restrict the permission to join to specific accounts or groups.
In addition, you can specify here whether multifactor authentication is required for joining AAD, along with the maximum number of devices that a user may connect to the directory.
Authorized users can now join Azure AD with their devices. This can be done during the initial setup of a newly installed computer during the OOBE phase, when users sign in with their work or school account.
For a post-installation join, the Settings app provides a convenient method. You can access this option under Accounts > Set up a work or school account (in Windows 10, this is labeled Access work or school).
Scroll down in the dialog box until you find the link that reads "Join this device to Azure Active Directory." This link is often hidden initially, especially when the Windows font size is increased. Click the link, and it will open the sign-in dialog box for your Azure AD account.
If you do not follow this link and instead input your email address directly into the corresponding field, the device will not be joined but only registered in Azure AD.
After a successful login to Azure AD, it automatically creates a device identity. This can then be found under Devices > All devices.
The detailed view shows numerous properties, including the IDs, the operating system along with its version, the owner, and the join type (i.e., whether the device has joined AAD or is only registered there).
The process can be reversed easily by the user who initiated the join. In the Settings app, at the same location, simply click the Disconnect button. After a confirmation prompt, the join will be undone, and the device will be removed from Azure AD.
AAD join using provisioning packages
An alternative option for automated and bulk Azure AD joining is provided by provisioning packages (.ppkg). You can integrate them into the OS image before deployment or distribute them in a way that allows users to execute the file with a simple double click.
To create such a package, the Windows Imaging and Configuration Designer (ICD) from the Windows ADK is the tool to use. The entire step-by-step workflow is comprehensively detailed in this Microsoft Tech Community article.
For this task, run the wizard Provision desktop devices on the tool's home page. After you create the project, proceed through the first three steps until you reach the Account management section.
In the wizard, select the Enroll in Azure AD option, and click Get Bulk Token. This action opens the dialog for Azure AD sign-in, where you input the user information responsible for executing the join. Additionally, you have the option of customizing the token's expiration time.
If you're lucky, the notoriously unreliable ICD will deliver the token you need. However, chances are that you will only see the message "Error retrieving bulk token."
For these cases, former Microsoft manager Michael Niehaus has developed a PowerShell script that retrieves the token using the AADInternals module. Nevertheless, ICD still needs to be installed as it is required to wrap the script-generated XML file into a provisioning package.
Displaying the status of the AAD join
After a computer joins Azure AD, you can verify the success of the operation. On the cloud side, this can be accomplished easily by checking the overview under Devices > All devices.
On the client, you can retrieve details about join statuses using the dsregcmd utility:
dsregcmd.exe /status
This command also provides a lot of information about the tenant, SSO status, and diagnostic data.
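As an added example that is not part of the original article, the following PowerShell wrapper parses the "Key : Value" lines that dsregcmd /status prints and classifies the device as Azure AD joined, hybrid joined, registered only, or not connected. It assumes the field names AzureAdJoined, DomainJoined, WorkplaceJoined, DeviceId, TenantId, and AzureAdPrt appear in the output of the dsregcmd build in use.

```powershell
# Added example (not from the 4sysops article): turn dsregcmd /status into an object
# so the join type can be checked on a client without reading the raw dump.
function Get-DsregStatus {
    # Each data line looks like "    AzureAdJoined : YES"; section banners and
    # separator lines contain no " : " pair and are skipped. The key is matched
    # lazily so values containing colons (URLs, timestamps) stay intact.
    $result = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1].Trim()
            # Some keys repeat in later sections; keep the first occurrence.
            if (-not $result.ContainsKey($key)) { $result[$key] = $Matches[2] }
        }
    }
    return $result
}

function Test-AzureAdJoin {
    param([hashtable]$Status = (Get-DsregStatus))
    # Field names below are assumed to match the dsregcmd output of the build in use.
    $joined     = $Status['AzureAdJoined']   -eq 'YES'
    $domain     = $Status['DomainJoined']    -eq 'YES'
    $registered = $Status['WorkplaceJoined'] -eq 'YES'   # registered, not joined
    $state = if ($joined -and $domain) { 'Hybrid Azure AD joined' }
             elseif ($joined)          { 'Azure AD joined' }
             elseif ($registered)      { 'Azure AD registered only' }
             else                      { 'Not connected to Azure AD' }
    [pscustomobject]@{
        State    = $state
        DeviceId = $Status['DeviceId']
        TenantId = $Status['TenantId']
        # Without a Primary Refresh Token the signed-in user gets no SSO to cloud resources.
        HasPrt   = ($Status['AzureAdPrt'] -eq 'YES')
    }
}

Test-AzureAdJoin
```

A device that shows "Azure AD registered only" is the outcome described earlier for users who typed their email address instead of following the "Join this device" link.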
Log in to Windows with an AAD account
After a successful AAD join, you can log in to Windows using your work account. To do so, enter the account's principal name (email address).
On Windows 10, you might encounter login issues. If so, you can prefix the email address with "AzureAD," for example, AzureAD\djoin@contoso.onmicrosoft.com.
Summary
In purely cloud-based environments without a local Active Directory, you can authenticate users against Azure AD and integrate Windows PCs into the cloud directory.
Joining Azure AD requires that the respective users have the necessary permissions, which all users hold by default. The join process can be completed on a new computer during the OOBE phase or through the Settings app.
However, users need to be cautious and follow the link "Join this device to Azure Active Directory." If they sign in directly in this dialog box, the device will only be registered in Azure AD.
For bulk operations, Microsoft provides provisioning packages that are created using ICD. These packages can be integrated into the OS image before deployment or left to end users to execute.