- Interact with Azure Cosmos DB with PowerShell - Tue, Sep 14 2021
- Azure health services: Track Microsoft cloud outages and maintenance - Wed, Sep 8 2021
- Powerline: Customize your PowerShell console - Tue, Aug 31 2021
Imagine your business uses Active Directory Domain Services (AD DS) locally for user, server, and endpoint management. Over the past year, your team has made inroads into Microsoft Azure by implementing Azure AD Connect to synchronize AD domain user and computer accounts into your organizational Azure AD tenant.
Moreover, you've given your local AD users single-sign on (SSO) to your Azure AD-backed cloud applications. This year, you have two new goals to achieve:
- Configure some Azure-based Windows Server 2019 virtual machines (VMs) for Azure AD sign-in
- Give employees the ability to access Azure cloud apps and cloud-stored data on their personally owned devices.
Let's tackle the user access problem first, and then we'll cover Azure AD sign-in to Azure VMs.
Azure AD Registration ^
Bring Your Own Device (BYOD) is a challenging scenario, for sure. You want to give employees the ability to access corporate apps and data securely on their own personal devices, be they Windows 10/macOS computers or iOS/Android smart phones. Because IT doesn't own these devices, we are heavily limited in how many security controls we can implement.
For BYOD, Azure AD gives us Azure AD registration. An Azure AD-registered device is "lightly managed" by Azure AD admins. Users here can sign in to their device by using either a local device ID (for instance, their Apple account on an iOS device) or their Azure AD identity.
While Azure AD Premium gives Azure AD registered or joined devices SSO to your cloud apps, you'll need a first- or third-party mobile device management (MDM) product to enforce policies such as data encryption, remote wipe, and so on.
Let me walk you through one way to register an endpoint device with Azure AD. In this example, we'll register an Apple iPhone with my TIMW.INFO Azure AD organization.
NOTE: As is typical with Microsoft technologies, there exist several methods to register and/or join a device to Azure AD. The specific steps depend on the endpoint type, how much automation is required, and whether you're onboarding the endpoint from the server or the client.
First, I'll install the Microsoft Authenticator mobile app, open Settings, tap Device Registration, and sign into my directory. In the following composite screenshot, you can see me register my fictional test user Pramod's iPhone.
Look at the right-most image in the previous screenshot. That's the MyApps Portal, the web portal where your users gain SSO to your cloud apps.
As shown in the next screenshot, you can verify the Azure AD-registered device on the Devices blade in the Azure AD portal.
Windows-based endpoints registered with Azure AD can store their BitLocker recovery keys in Azure AD. However, deep corporate endpoint management requires both Azure AD join and Microsoft Intune.
Azure AD Join ^
Azure AD join is your option for the corporate owned, personally enabled (COPE) endpoint device scenario. Because the endpoint is corporate owned, you can enforce policy that wouldn't work with personally owned devices.
Whereas Azure AD registration and Intune management work with macOS, iOS, and Android, Azure AD join requires a Windows-based client or server system.
Listen up, this is important: on Azure AD joined devices, the user must sign in to the device with their Azure AD account only. In the next example, let's join my Windows 10 workstation to my Azure AD tenant.
First, I'll open Settings > Access work or school, and click Connect. Look at the next screenshot. If you enter your email address under Set up a work or school account, you will simply register your Windows 10 device (or, alternatively, enroll in your company's Intune subscription). We don't want that now.
To join Azure AD, click Join this device to Azure Active Directory at the bottom of the dialog box. Sign in with your Azure AD credential, and once you're finished, go ahead and sign in to the workstation with your Azure AD credential.
It seems to me that you'll probably want to embrace Microsoft Intune if you have Azure AD joined devices so you can centralize your security and access policies. The following screenshots show my Windows 10 device from the perspective of (a) Azure AD and (b) Microsoft Intune.
Another product you should know about if you're using Azure AD join with Intune is the Microsoft Intune Company Portal. This is a self-service app portal available for both Windows 10 and mobile devices that serves as an authorized application installation, access, and management tool.
With regard to Azure AD sign-in for Windows Server 2019 VMs in Azure, Azure AD join is a prerequisite. You can automate the join process by running the following PowerShell against your Azure VMs:
$vmName = "azurevm001" $vmRgName = "4sysops-rg" $extensionName = "AADLoginForWindows" $publisher = "Microsoft.Azure.ActiveDirectory" $vm = Get-AzVm -ResourceGroupName $vmRgName -Name $vmName Set-AzVMExtension -ResourceGroupName $vmRgName ` -VMName $vm.Name ` -Name $extensionName ` -Location $vm.Location ` -Publisher $publisher ` -Type "AADLoginForWindows" ` -TypeHandlerVersion "0.4"
Hybrid Azure AD join ^
Hybrid Azure AD join is aimed at businesses that want to manage company-owned devices locally with System Center Configuration Manager or Group Policy, but that need SSO to cloud apps and perhaps some help with Intune.
Because this is Azure AD join, we're talking here only about Windows-based endpoints. Hybrid Azure AD join requires that you deploy Azure AD Connect to replicate local Active Directory user and computer accounts to Azure AD.
The following screenshot shows some of how you can configure automatic Azure AD join in Azure AD Connect.
I hope that I successfully got you started in your Azure MDM journey. As you know, the Microsoft Cloud Platform moves very quickly, and it can be challenging to stay anywhere close to current.
Subscribe to 4sysops newsletter!
That said, tools like Azure AD Connect, Azure AD, and Microsoft Intune have matured a great deal over the past few years. In my experience, once you invest the time to conquer your initial learning curve, you'll be well equipped to adapt to future platform changes.