Imagine your business uses Active Directory Domain Services (AD DS) locally for user, server, and endpoint management. Over the past year, your team has made inroads into Microsoft Azure by implementing Azure AD Connect to synchronize AD domain user and computer accounts into your organizational Azure AD tenant.
Moreover, you've given your local AD users single sign-on (SSO) to your Azure AD-backed cloud applications. This year, you have two new goals to achieve:
- Configure some Azure-based Windows Server 2019 virtual machines (VMs) for Azure AD sign-in
- Give employees the ability to access Azure cloud apps and cloud-stored data on their personally owned devices.
Let's tackle the user access problem first, and then we'll cover Azure AD sign-in to Azure VMs.
Azure AD Registration
Bring Your Own Device (BYOD) is a challenging scenario, for sure. You want to give employees the ability to access corporate apps and data securely on their own personal devices, be they Windows 10/macOS computers or iOS/Android smartphones. Because IT doesn't own these devices, we are heavily limited in how many security controls we can implement.
For BYOD, Azure AD gives us Azure AD registration. An Azure AD-registered device is "lightly managed" by Azure AD admins. Users here can sign in to their device by using either a local device ID (for instance, their Apple account on an iOS device) or their Azure AD identity.
While Azure AD Premium gives Azure AD registered or joined devices SSO to your cloud apps, you'll need a first- or third-party mobile device management (MDM) product to enforce policies such as data encryption, remote wipe, and so on.
Microsoft's primary MDM tool is Microsoft Intune. Intune is part of a larger Microsoft MDM platform called Microsoft Endpoint Manager.
Let me walk you through one way to register an endpoint device with Azure AD. In this example, we'll register an Apple iPhone with my TIMW.INFO Azure AD organization.
NOTE: As is typical with Microsoft technologies, there exist several methods to register and/or join a device to Azure AD. The specific steps depend on the endpoint type, how much automation is required, and whether you're onboarding the endpoint from the server or the client.
First, I'll install the Microsoft Authenticator mobile app, open Settings, tap Device Registration, and sign in to my directory. In the following composite screenshot, you can see me register my fictional test user Pramod's iPhone.
Look at the right-most image in the previous screenshot. That's the MyApps Portal, the web portal where your users gain SSO to your cloud apps.
As shown in the next screenshot, you can verify the Azure AD-registered device on the Devices blade in the Azure AD portal.
Windows-based endpoints registered with Azure AD can store their BitLocker recovery keys in Azure AD. However, deep corporate endpoint management requires both Azure AD join and Microsoft Intune.
Azure AD Join
Azure AD join is your option for the corporate-owned, personally enabled (COPE) endpoint device scenario. Because the endpoint is corporate owned, you can enforce policy that wouldn't work with personally owned devices.
Whereas Azure AD registration and Intune management work with macOS, iOS, and Android, Azure AD join requires a Windows-based client or server system.
Listen up, this is important: on Azure AD joined devices, the user must sign in to the device with their Azure AD account only. In the next example, let's join my Windows 10 workstation to my Azure AD tenant.
First, I'll open Settings > Access work or school, and click Connect. Look at the next screenshot. If you enter your email address under Set up a work or school account, you will simply register your Windows 10 device (or, alternatively, enroll in your company's Intune subscription). We don't want that now.
To join Azure AD, click Join this device to Azure Active Directory at the bottom of the dialog box. Sign in with your Azure AD credential, and once you're finished, go ahead and sign in to the workstation with your Azure AD credential.
Again, Microsoft knows that it needs to provide for administrative automation. Thus, you can also configure Azure AD join through Microsoft Intune bulk enrollment or Windows Autopilot.
It seems to me that you'll probably want to embrace Microsoft Intune if you have Azure AD joined devices so you can centralize your security and access policies. The following screenshots show my Windows 10 device from the perspective of (a) Azure AD and (b) Microsoft Intune.
Another product you should know about if you're using Azure AD join with Intune is the Microsoft Intune Company Portal. This is a self-service app portal available for both Windows 10 and mobile devices that serves as an authorized application installation, access, and management tool.
With regard to Azure AD sign-in for Windows Server 2019 VMs in Azure, Azure AD join is a prerequisite. You can automate the join process by running the following PowerShell against your Azure VMs:
$vmName = "azurevm001"
$vmRgName = "4sysops-rg"
$extensionName = "AADLoginForWindows"
$publisher = "Microsoft.Azure.ActiveDirectory"
# Look up the target VM so its name and region can be reused below
$vm = Get-AzVM -ResourceGroupName $vmRgName -Name $vmName
# Deploy the Azure AD login extension to the VM
Set-AzVMExtension -ResourceGroupName $vmRgName `
    -VMName $vm.Name `
    -Name $extensionName `
    -Location $vm.Location `
    -Publisher $publisher `
    -Type "AADLoginForWindows" `
    -TypeHandlerVersion "0.4"
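As an added example (my code, not the article's), here is a PowerShell audit covering the checks a practitioner wants around that extension deployment: which Windows VMs in the resource group still lack the extension, whether they carry the system-assigned managed identity the extension requires, and whether anyone holds the Virtual Machine Administrator Login role that Azure AD sign-in also needs. The function names are hypothetical; the resource group name and extension version come from the article's snippet, and the Az modules plus Connect-AzAccount are assumed.

```powershell
# Added example, not the article's code. Assumes the Az modules are installed and
# Connect-AzAccount has been run; the helper function names are hypothetical.
$vmRgName  = "4sysops-rg"
$publisher = "Microsoft.Azure.ActiveDirectory"
$extType   = "AADLoginForWindows"

function Get-AadLoginStatus {
    param([string]$ResourceGroupName)
    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        # Only Windows VMs are candidates for the AADLoginForWindows extension
        if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { continue }
        $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.Publisher -eq $publisher -and $_.ExtensionType -eq $extType }
        # Azure AD sign-in also needs an RBAC login role effective at the VM's scope
        $admins = Get-AzRoleAssignment -Scope $vm.Id -RoleDefinitionName 'Virtual Machine Administrator Login'
        [pscustomobject]@{
            VMName             = $vm.Name
            HasManagedIdentity = [bool]($vm.Identity -and "$($vm.Identity.Type)" -match 'SystemAssigned')
            ExtensionState     = if ($ext) { $ext.ProvisioningState } else { 'Missing' }
            AdminLoginCount    = @($admins).Count
        }
    }
}

function Enable-AadLogin {
    param([string]$ResourceGroupName, [string]$VMName)
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    # The extension needs a system-assigned managed identity on the VM; add one if absent
    if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
        Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -IdentityType SystemAssigned | Out-Null
        $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    }
    Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $vm.Name -Name $extType `
        -Location $vm.Location -Publisher $publisher -Type $extType -TypeHandlerVersion "0.4"
}

# Report first, then enable Azure AD login only on the VMs that still lack the extension
$status = Get-AadLoginStatus -ResourceGroupName $vmRgName
$status | Format-Table -AutoSize
$status | Where-Object ExtensionState -eq 'Missing' |
    ForEach-Object { Enable-AadLogin -ResourceGroupName $vmRgName -VMName $_.VMName }
```

A VM whose report shows the extension as Succeeded but AdminLoginCount of 0 will still reject Azure AD sign-in until a Virtual Machine Administrator Login or Virtual Machine User Login assignment is added.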
Hybrid Azure AD join
Hybrid Azure AD join is aimed at businesses that want to manage company-owned devices locally with System Center Configuration Manager or Group Policy, but that need SSO to cloud apps and perhaps some help with Intune.
Because this is Azure AD join, we're talking here only about Windows-based endpoints. Hybrid Azure AD join requires that you deploy Azure AD Connect to replicate local Active Directory user and computer accounts to Azure AD.
The following screenshot shows part of the configuration for automatic Azure AD join in Azure AD Connect.
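The three states described in this article (registered, joined, hybrid joined) can be told apart on a Windows device from the output of dsregcmd /status. As an added example (my code, not the article's), the hypothetical helper below classifies a device from that output; the sample text is constructed so the function can be exercised without a joined machine.

```powershell
# Added example, not the article's code. Classifies a Windows device's identity state
# from "dsregcmd /status" output; the function name is hypothetical.
function Get-DeviceJoinState {
    param([string[]]$StatusLines)
    # dsregcmd prints "   Key : VALUE" lines; keep only the three fields that matter here
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $aad    = [bool]$fields['AzureAdJoined']    # device object in Azure AD (joined)
    $domain = [bool]$fields['DomainJoined']     # on-premises AD DS membership
    $wpj    = [bool]$fields['WorkplaceJoined']  # per-user Azure AD registration
    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($domain -and $wpj) { return 'Domain joined plus Azure AD registered' }
    if ($wpj)              { return 'Azure AD registered (BYOD)' }
    if ($domain)           { return 'On-premises domain joined only' }
    return 'Not joined or registered'
}

# Constructed sample output (trimmed) for a device joined to both AD DS and Azure AD
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusLines $sample
# On a real device, feed the live output instead:
# Get-DeviceJoinState -StatusLines (dsregcmd /status)
```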
Wrap-up
I hope that I successfully got you started in your Azure MDM journey. As you know, the Microsoft Cloud Platform moves very quickly, and it can be challenging to stay anywhere close to current.
That said, tools like Azure AD Connect, Azure AD, and Microsoft Intune have matured a great deal over the past few years. In my experience, once you invest the time to conquer your initial learning curve, you'll be well equipped to adapt to future platform changes.
Thanks for sharing. Great article.
Thanks for this, fantastic read.
Hi! I'm trying to understand the difference between AD registered and AD joined. Could you help me?
On an AD registered device, when you say "Because IT doesn't own these devices, we are heavily limited in how many security controls we can implement."
Could you tell me an example of security controls that I can't apply with AD registered? Or a place where I can find these limitations?
About AD joined, in my tests I saw that the user can log in using their local computer account and can also log in with an Azure AD account (I'm talking about the initial login, when you turn on the computer and choose which user will use the computer).
So my question: why? Why would the user choose to log in with the Azure AD account when they can log in with the local account and still use all the resources (Outlook, Teams, etc.)?
Thank you so much, I'm going crazy over this question.
With BYOD Azure AD Registered, is it still possible for the user to use Company Portal for self-service application installation?
I am also very interested in the answer to this question. @Timothy