Today, organizations have moved well beyond the simple on-premises infrastructure of the past. A traditional on-premises Active Directory domain providing identity and access management for every endpoint is no longer practical on its own. Modern businesses rely on cloud services more than ever, including Software-as-a-Service platforms such as Microsoft Office 365 and Microsoft 365. Cloud identity makes sense for today's hybrid workforce and for infrastructure that may live on-premises, in the cloud, and at the edge. Azure Active Directory (Azure AD) gives organizations a way to join and control endpoints wherever they are located. This post walks through the process of joining Windows 10 to Azure AD and explains why you may want to do this.
Access to Azure AD
Many may not realize that when an organization uses Microsoft's cloud SaaS platform, Office 365 or Microsoft 365, Azure AD is already working in the background to provide identity and access management for that environment. In fact, the organization administrator account created when Office 365 was first configured can sign in at portal.azure.com. After signing in, open the Azure Active Directory blade in the Azure portal.
Depending on the subscription or service your organization uses, you will have access to different features and services in Azure AD. What are some of the capabilities you gain access to with Azure Active Directory and managing your endpoints?
Microsoft Endpoint Manager
At Ignite 2019, Microsoft announced Microsoft Endpoint Manager, which effectively combines Microsoft Intune and Configuration Manager into a single product for Microsoft 365 customers. It also encompasses the following tools and services:
- Desktop Analytics
- Device Management Admin Console
Any Configuration Manager customer can now use Intune to co-manage without any new licensing costs. Capabilities for customers include:
- automate compatibility testing
- deploy updates faster
- take immediate action
What is Microsoft Intune?
Intune is a cloud-based MDM (mobile device management) solution that lets your business control both apps and devices. It manages not just Windows 10 devices but all major platforms, including Android, Android Enterprise, iOS/iPadOS, and macOS.
For hybrid environments (arguably the majority), the Intune Connector for Active Directory creates the computer objects in on-premises Active Directory for devices provisioned through Windows Autopilot in hybrid Azure AD join mode.
What is Microsoft Configuration Manager?
Configuration Manager is an on-premises solution for managing desktops, laptops, and servers on your network, as well as devices reachable over the Internet. Configuration Manager is also cloud-aware: it integrates with Azure Active Directory, Microsoft Defender ATP, and other Microsoft cloud services. What can you do with Configuration Manager?
- Deploy apps
- Update software
- Update operating systems
- Monitor compliance, and act on remediation tasks in real-time
What is Microsoft Co-Management?
Co-management is one of the ways to attach an on-premises Configuration Manager deployment to Microsoft 365. It adds cloud features to the deployment, such as Conditional Access, and allows Windows 10 devices to be managed in parallel by Configuration Manager and Microsoft Intune. Windows 10 devices that have the Configuration Manager client installed and are also enrolled in Microsoft Intune benefit from both services.
Join Windows 10 to Azure AD step-by-step
In the step-by-step walkthrough below, we manually join a Windows 10 workstation to Azure AD during the out-of-box experience (OOBE). The process is similar to joining a workstation to an on-premises domain. The screenshots were taken from a freshly installed Windows 10 20H2 workstation.
First, you want to select Set up for an organization.
Use your organization account from Office 365 or Microsoft 365.
Enter the password for your cloud account.
In this tenant, policy requires that additional authentication factors be configured before end users can sign in.
Microsoft directs you to download Microsoft Authenticator. However, other authenticator apps can also be used and work just fine.
Below, after downloading the Microsoft Authenticator app, select to add a Work or school account.
Scan the QR code presented on-screen, which automatically adds the account to Microsoft Authenticator.
Microsoft sends a test push message to your mobile device authenticator app.
Notification approval is reflected on the setup screen in Windows 10.
The setup and configuration of the sign-in method completes with the Microsoft Authenticator setup.
You are next prompted to set up Windows Hello.
Add a PIN for Windows Hello authentication.
After configuring the PIN, the process of joining Windows 10 to Azure AD is complete.
After stepping through the configuration of the organization account with a Microsoft 365 user, the Devices section of the Azure Active Directory blade shows the workstation as Azure AD joined and as managed by Microsoft Intune MDM.
Join Windows 10 to Azure AD after setup
What if you have already configured and set up your Windows 10 machine? How do you join Azure AD after setup? Navigate to Windows 10 Settings > Accounts > Access work or school > Connect, then choose Join this device to Azure Active Directory under Alternate actions. Note that simply entering an account on the first Connect screen only registers the device with Azure AD (an Azure AD registered device) rather than joining it. The same Access work or school page also shows which organization the device is already connected to if it was joined during setup.
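Whichever route you take, verify the result on the workstation itself rather than trusting the wizard. The PowerShell below is an added example, not code from the original post: it parses the output of the built-in `dsregcmd /status` command and reports whether the device is Azure AD joined, hybrid joined, only Azure AD registered, enrolled in MDM, and holding a Primary Refresh Token. The field names (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl, NgcSet, AzureAdPrt, TenantName) are the ones dsregcmd prints on Windows 10; the sample status text is constructed so the parser can be tried offline.

```powershell
# Added example: check Azure AD join state from dsregcmd /status output.
# Not part of the original post. Field names are those printed by dsregcmd.

function ConvertFrom-DsRegStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES". The key is everything
        # before the first colon, so URL values (which contain colons) survive.
        # Box-drawing header lines contain no colon and are skipped.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-AzureAdJoinState {
    param([string[]]$StatusText)
    if (-not $StatusText) {
        # dsregcmd.exe ships with Windows 10; /status does not require elevation.
        $StatusText = & dsregcmd.exe /status
    }
    $s = ConvertFrom-DsRegStatus -Lines $StatusText

    $joined     = $s['AzureAdJoined']   -eq 'YES'
    $domain     = $s['DomainJoined']    -eq 'YES'
    $registered = $s['WorkplaceJoined'] -eq 'YES'   # "Add work or school account" path
    $mdm        = -not [string]::IsNullOrWhiteSpace($s['MdmUrl'])
    $prt        = $s['AzureAdPrt']      -eq 'YES'   # Primary Refresh Token present
    $hello      = $s['NgcSet']          -eq 'YES'   # Windows Hello for Business key provisioned

    $mode = 'Not connected to Azure AD'
    if ($registered)          { $mode = 'Azure AD registered only (not joined)' }
    if ($joined)              { $mode = 'Azure AD joined' }
    if ($joined -and $domain) { $mode = 'Hybrid Azure AD joined' }

    [pscustomobject]@{
        Mode        = $mode
        Tenant      = $s['TenantName']
        MdmEnrolled = $mdm
        HasPrt      = $prt
        HelloPinSet = $hello
        # Ready means the device can satisfy device-based Conditional Access:
        # joined, enrolled in Intune, and able to obtain cloud tokens.
        Ready       = ($joined -and $mdm -and $prt)
    }
}

# Constructed sample output (abridged) mirroring a successfully joined 20H2 workstation.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : WIN10-20H2-01

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
           WorkplaceJoined : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

Test-AzureAdJoinState -StatusText $sample   # offline check against the constructed sample
# Test-AzureAdJoinState                     # live check on the workstation being verified
```

A device that shows WorkplaceJoined : YES with AzureAdJoined : NO was registered through the first Connect screen rather than joined; it will not appear as Azure AD joined in the portal and will fail Conditional Access policies that require a joined or compliant device, so re-run the join through Alternate actions.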
Joining Windows 10 to Azure AD is fairly straightforward: you use your Office 365 or Microsoft 365 account as the organization account when configuring Windows 10. The enrollment will also walk you through setting up additional authentication factors if that has not already been done for the account. You can also join Windows 10 to Azure AD after setup from the Accounts settings in Windows 10.