How to join a Windows 10 device to Azure AD

Now that most small-to-medium businesses and large enterprises are migrating their on-premises infrastructure to the cloud, the way we manage domain-joined devices has changed too. This applies especially to companies that have moved to Azure Active Directory, run Windows 10 devices under a Microsoft 365 E3 or E5 subscription, and use Microsoft Endpoint Manager (formerly known as Microsoft Intune) to manage corporate devices from the cloud. In this tutorial I'll show you how to join a device to Azure AD.

Joining a device to Azure AD is intended for organizations that want to be cloud-first or cloud-only, and an organization can deploy Azure AD joined devices regardless of its size or industry. Azure AD join also works in a hybrid environment, enabling access to both cloud and on-premises apps and resources. Note the precondition: you must deploy Azure AD Connect to synchronize your on-premises identity information to the cloud; otherwise, an Azure AD joined device has no knowledge of any of your local on-premises resources.

The following table shows the features of Azure AD join:

Okay, let's start joining a Windows 10 device to Azure AD. (Prerequisites: a Windows 10 device on any edition except Windows 10 Home, an Azure AD account with rights to join a device to AAD, and the option "Users may join devices to Azure AD" set to "All" or "Selected".)

1. Go to Settings > Accounts.

2. Under the Accounts section, click Access work or school > Connect.

3. Choose "Join this device to Azure Active Directory" (the second option below it is the way to join a device to a local on-premises domain).

4. Enter your Azure AD account and click "Next".

5. After you enter your Azure AD account, you are redirected to your corporate sign-in page for authentication; enter your password and click the "Sign in" button. (As you can see below, my corporate name appears under "Need help?"; this varies depending on whether your organization has customized its corporate branding.)

6. After you click "Sign in", it may take a few minutes depending on your current network conditions.

7. If your organization has configured MFA (Multi-Factor Authentication), you will need to approve the sign-in on your mobile device with Microsoft Authenticator. (Again, this varies: most organizations do not require MFA for joining a device to Azure AD, but it is better for security.)

8. After you have approved the request in Microsoft Authenticator, review the information and click the "Join" button. (Until you click "Join", you can still stop by clicking the "Cancel" button.)

9. This may take a while after you click "Join": usually between half a minute and 2-3 minutes.

10. Once you see this page, the device has successfully joined your Azure AD. Click "Done" to close the page.

11. After that, you can go back to the "Access work or school" section to review the device join status and the connected Azure AD account.
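Besides the Settings page in step 11, the join state can be verified from the command line with the built-in `dsregcmd /status` tool, which is what a support engineer usually asks for when a join looks wrong. The following PowerShell script is an added example, not part of the original tutorial: it parses the `Key : Value` lines that `dsregcmd /status` prints, classifies the device (Azure AD joined, hybrid joined, domain joined only, Azure AD registered, or not joined), and reports whether a Primary Refresh Token is present, which is what the signed-in user needs for single sign-on. The field names `AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, `TenantName`, `DeviceId` and `AzureAdPrt` are real `dsregcmd` output fields; the sample output and the function names are constructed for this example.

```powershell
# Added example (not from the original tutorial): parse `dsregcmd /status`
# and summarise the device's Azure AD join state.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" pairs under boxed section headers
    # ("+---" and "| Device State |" lines). Keep only the pairs; a later
    # duplicate key overwrites an earlier one.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinSummary {
    param([hashtable]$State)
    $aad    = $State['AzureAdJoined']   -eq 'YES'
    $domain = $State['DomainJoined']    -eq 'YES'
    $wp     = $State['WorkplaceJoined'] -eq 'YES'
    $joinType = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
                elseif ($aad)          { 'Azure AD joined' }
                elseif ($domain)       { 'On-premises domain joined only' }
                elseif ($wp)           { 'Azure AD registered (workplace joined)' }
                else                   { 'Not joined' }
    [pscustomobject]@{
        JoinType   = $joinType
        TenantName = $State['TenantName']
        DeviceId   = $State['DeviceId']
        # AzureAdPrt : YES means the signed-in user holds a Primary Refresh
        # Token, which is what gives SSO to Azure AD-integrated apps. NO usually
        # means the user signed in with a local account or the PRT was not yet issued.
        HasPrt     = ($State['AzureAdPrt'] -eq 'YES')
    }
}

# Constructed sample output (abbreviated) so the parser can be exercised offline.
$sampleOutput = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '                  DeviceId : 00000000-0000-0000-0000-000000000000',   # placeholder
    '                TenantName : Contoso',                                # placeholder
    '+----------------------------------------------------------------------+',
    '| SSO State                                                            |',
    '+----------------------------------------------------------------------+',
    '                AzureAdPrt : YES',
    '           WorkplaceJoined : NO'
)
Get-DeviceJoinSummary (ConvertFrom-DsregStatus $sampleOutput) | Format-List

# Live check on the device you just joined (run on that Windows 10 device).
$live = Get-DeviceJoinSummary (ConvertFrom-DsregStatus (dsregcmd /status))
$live | Format-List
if ($live.JoinType -ne 'Azure AD joined') {
    Write-Warning "Expected an Azure AD joined device, found: $($live.JoinType)"
}
if (-not $live.HasPrt) {
    Write-Warning 'No Primary Refresh Token: the current user will not get SSO until they sign in with their Azure AD account.'
}
```

The sample block should report `Azure AD joined` with `HasPrt` true. On a real device, `Hybrid Azure AD joined` indicates the on-premises domain join plus Azure AD Connect synchronisation described earlier, and `Azure AD registered` means the user added a work account without joining the device, which is a different state from the join performed in these steps.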

Note that not every Azure AD account has the rights to join a device to your AAD. Depending on how your organization's administrator has configured it, a user may sign in with his or her credentials on a corporate device to register that device with your Azure AD.

Azure AD join is a good fit for the following scenarios:

  • Organizations that do not have an on-premises Active Directory infrastructure.
  • Organizations with many mobile devices, such as mobile phones or tablets, that need to be managed.
  • Managing a group of users who may be seasonal workers, such as contractors or interns.
  • Users who primarily access Microsoft 365 or other SaaS apps integrated with Azure AD.

Finally, remember that Azure AD join can also be accomplished through self-service options: the Out of Box Experience (OOBE), bulk enrollment, or Windows Autopilot. Azure AD joined devices can still have single sign-on (SSO) to on-premises resources (e.g. shared folders, printers) when they are on the organization's network. As I mentioned before, you must have deployed Azure AD Connect to achieve this.
