Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops!

UPDATE:

When you enroll a Windows 10-based device using Mobile Device Management, remember that the device gets enrolled as a mobile device and does not appear as a “Computer” device type in Microsoft Intune as you might expect. Instead, the device appears under “Mobile Devices.” This is by design. To enroll a Windows 10 device and have it display as a computer in Microsoft Intune, the Microsoft Intune client software must be installed. For more details please see the following:

Windows 10 device is enrolled as “mobile” when you use Mobile Device Management

In this longer post I’m showing you how can you turn on auto-MDM enrollment with Azure Active Directory (AAD) and Microsoft Intune.

By combining login, Azure AD Join and Intune MDM enrollment in one easy step, Microsoft made it drop dead simple to bring devices into well-managed state that complies with corporate policies.
To get started, let’s talk about some of the major capabilities in Windows 10 that will be powered by Azure AD:

  • Self-provisioning of corporate owned devices. With Windows 10, employees can configure a brand new device in the out-of-box experience, without IT involvement.
  • Use existing organizational accounts. Employees can use their Azure AD account to login to Windows (the same account they use to sign into Office365).
  • Automatic MDM enrollment. Windows 10 PC’s and tablets can be automatically enrolled in an organizations device management solution as part of joining them to Azure AD. This will work with Microsoft Intune and with 3rd party MDMs.
  • Single Sign-On to company resources in the cloud. Users will get single sign-on from the Windows desktop to apps and resources in the cloud, such as Office 365 and thousands of business applications that rely on Azure AD for authentication.
  • Single Sign-on on-premises: Windows 10 PC’s and tablets that are joined to Azure AD will also provide SSO to on-premises resources when connect to the corporate network and from anywhere with the Azure AD Application Proxy.
  • Enterprise-ready Windows store. The Windows Store will support app acquisition and licensing with Azure AD accounts. Organizations will be able to volume-license apps and make them available to the users in their organization.
  • Support for modern form factors. Azure AD Join will work on devices that don’t have the traditional domain join capabilities.
  • OS State Roaming. Things like OS settings, Desktop wall paper, Tile configuration, websites and Wi-Fi passwords will be synchronized across corporate owned Azure AD joined devices.

Azure Active Directory Device Registration is the foundation for device-based conditional access scenarios. When a device is registered, Azure Active Directory Device Registration provisions the device with an identity which is used to authenticate the device when the user signs in. The authenticated device, and the attributes of the device, can then be used to enforce conditional access policies for applications that are hosted in the cloud and on-premises.

When combined with a Mobile Device Management solution such as Intune, the device attributes in Azure Active Directory will be updated with more information about the device. This allows you to create conditional access rules that enforce access from devices will meet your standards for security and compliance.

Azure Active Directory Device Registration is available in your Azure Active Directory. The service includes support for iOS, Android, and Windows devices. I’m testing below with Windows 10 standalone workstation.

Scenarios enabled by Azure Active Directory Device Registration

Get your subscriptions

  • Microsoft Intune: If you do not have an existing subscription to Microsoft Intune, you can sign up for a trial subscription.
  • Azure AD Premium is required to configure automatic MDM enrollment with Intune. If you do not have a subscription, you can sign up for a trial subscription.21

Enable Azure Active Directory Device Registration

Enable Azure AD Registration in the Azure Portal: Log on to the Azure Portal as Administrator –> ‘Active Directory‘ –> ‘Directory‘ –> ‘Configure‘ –> ‘Devices‘ –> ‘Users may workplace join devices’18

Configure Azure Active Directory Devices Registration discovery

If you don’t have a custom vanity domain associated with your Azure AD/Office 365 subscription, you can skip this section. My default domain is testlab.onmicrosoft.com, so I don’t need this extra configuration.

Otherwise, if the domain name of your choise whose DNS domain name that is currently not in used on the Internet, you’ll need to add the following two DNS records for the domain at your DNS host.

Entry Type Address
enterpriseregistration.contoso.com CNAME enterpriseregistration.windows.net
enterpriseregistration.region.contoso.com CNAME enterpriseregistration.windows.net

Configure automatic MDM enrollment

In the Azure management portal, navigate to ‘Active Directory’ node and select your directory and then ‘Applications’ tab you should see Microsoft Intune in the list of applications. Note that if you do not have an Azure AD Premium subscription or do not have a Microsoft Intune subscription you will not see Microsoft Intune in the list of applications.8

Click on the arrow and you should see a page that enables you to configure Microsoft Intune.9Click the ‘Configure’ button to start configuring automatic MDM enrollment with Microsoft Intune. On the Configure tab of this page, you can see a couple of URLs for Intune:

  • MDM Enrollment URL – This URL is used to enroll Windows 10 devices for management with Microsoft Intune. This is done automatically when users join their devices to Azure AD or when they add a work account to their Windows 10 machine, if automatic MDM enrollment is enabled for them.
  • MDM Terms of Use URL – Currently this URL is empty for Microsoft Intune. The ability to configure custom terms of use for users to see as part of the enrollment process will be made available in an Intune update shipping later this year. For now, leave this URL field empty.
  • MDM Compliance URL – When a device is found to be out of compliance, Azure AD’s conditional access control engine will block access to users for applications that require compliant devices. In this scenario an access denied message will be displayed to end users. Users will also see this compliance URL on the access denied page. The compliance URL helps end users understand why their device is not compliant with policy and how they can bring it back into compliance.
    10

You do not need to change any of these URLs. They are automatically configured for your Azure AD tenant.
On scrolling down further, you will notice a setting that lets you specify which users’ devices should be managed by Microsoft Intune. These users’ Windows 10 devices will be automatically enrolled for management with Microsoft Intune.

Joining a device to a domain in a hybrid AD environment

Navigate on Windows 10 to ‘Settings‘ –> ‘System‘ –> ‘About‘ –> ‘Join Azure AD1

7

After a few hours the mobile object will be appeared in the Microsoft Intune Administration portal:12

Some attributes in the Intune Admin portal are not correct.

In the Azure management portal you will see the registered device for the employee: 20

IMPORTANT: as I said at the beginning, after these steps you can just use the conditional access feature of Microsoft Intune and you have a basic hardware inventory. But you cannot manage your device!

For the fully device management you have to rollout the Intune Agent. Then a second object will be appear in the admin Intune admin console:17

Now the attributes of the managed device were correctly scanned. So you can deploy some Intune policies and they will be successfully applied:1619

Conclusion

Through the power and simplicity of a highly secure Azure AD account, users can immediately get access to corporate resources and the applications they need to be productive, while IT can be assured that those devices are secured for (via Azure AD) and (via Intune) from the first minute of business life. Customers can also optionally choose to upgrade from Pro to Enterprise by simply passing a key through Intune. This means easily adding additional management (as afforded by the Enterprise SKU) simply by passing this key – there isn’t even a need to reimage!

Leave a Reply

Your email address will not be published. Required fields are marked *