Azure AD Device Join

There’s plenty to get confused about when your computer simply registers with an organization versus joins it.  If an employee only needs access, why would a personally bought computer “join” an organization?  Joining means the organization manages your own computer.  Many small and micro businesses allow you to “register” but certainly not to join.   Some may not even let you “register” your computer or iPhone for security reasons.  Enrolling is one extra step beyond that.

Connect – Join – Register

All these phrases are essentially the same, but a connected, joined, or registered device is not necessarily “enrolled”.   A user account only needs to enroll once.  Logins going forward simply identify the user.

Stop!

You cannot connect, join, or register unless you have a user account created in the Microsoft 365 Admin Center.

Create Users in Admin Center

What can both Business Basic and Business Premium licenses see from an IT administrator perspective?

Most novice users of Microsoft 365 use https://admin.microsoft.com for adding and removing users.  However, they may want to take their user management one step further and jump into https://aad.portal.azure.com/ to see which devices are registered or joined.

Azure AD All Devices

I don’t have access to these portals.  How do I know if my computer is joined to an organization?

  • Open an elevated cmd prompt on the machine and run the command below to check the status:
    dsregcmd /status
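The output of that command is long, and the join state has to be read from several flags in different sections. The following added example (not code from the original post) parses that output and reports whether the device is Azure AD joined, hybrid joined, registered, or neither, plus whether an MDM enrollment URL is present. It assumes the field names AzureAdJoined, DomainJoined, WorkplaceJoined and MdmUrl as dsregcmd prints them, treats a non-empty MdmUrl as the enrollment indicator, and uses a constructed, abridged sample of the output so it can run anywhere.

```python
# Added example (not from the post): classify a device from `dsregcmd /status`
# text. Assumes the field names AzureAdJoined, DomainJoined, WorkplaceJoined
# and MdmUrl as dsregcmd prints them; SAMPLE_STATUS is constructed/abridged.
import re
import subprocess
import sys

SAMPLE_STATUS = """\
| Device State |
             AzureAdJoined : YES
              DomainJoined : NO
| Tenant Details |
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
| User State |
           WorkplaceJoined : NO
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")

def parse_status(text):
    """Return {field: value} for every 'Name : value' line in dsregcmd output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields):
    """Map the join flags to the states the post distinguishes, plus MDM enrollment."""
    aad = fields.get("AzureAdJoined") == "YES"
    dom = fields.get("DomainJoined") == "YES"
    wpj = fields.get("WorkplaceJoined") == "YES"
    if aad and dom:
        state = "Hybrid Azure AD joined"
    elif aad:
        state = "Azure AD joined"
    elif wpj:
        state = "Azure AD registered"
    else:
        state = "Not joined or registered"
    # Assumption: an empty MdmUrl means the device is not MDM (Intune) enrolled.
    return state, bool(fields.get("MdmUrl"))

def status_from_machine():
    """Run dsregcmd on Windows; elsewhere fall back to the constructed sample."""
    if sys.platform == "win32":
        return subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True).stdout
    return SAMPLE_STATUS

if __name__ == "__main__":
    print("%s; MDM enrolled: %s" % classify(parse_status(status_from_machine())))
```

On a Windows machine the script runs the real command; the sample output is only used elsewhere.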

Where do I join my company’s computer to their organization?

It depends on whether you have a new or an existing computer.   Follow one of the two options below.

Option 1) New computer, with IT Support

Follow the steps below to let an IT individual access the computer:

Option 2) Existing computer already logged into a Windows profile, but there’s no IT

ProTip!  Record your local login credentials before performing this setup.

When you start the process of Azure AD join with Windows 10, there are two ways to achieve it. First, you can go to Settings –> Accounts –> Work Access and click the Join or Leave Azure AD link. Another way is to go to Settings –> System –> About and join the Windows 10 machine to Azure AD from there.

  • It will reveal the profile of the user currently logged in, not the Global Admin account that performed the join
  • It will also list email account “resources” that are connected to the current Windows profile

Access Work or School

Azure AD Device Registration vs Joined vs Enrolled is just the beginning of actively managing, maintaining, and securing devices and users against threats.

OK, I am ready for some next-level administration

https://endpoint.microsoft.com/

This is where all the policies are managed.  It is also a good place to start a conversation with Microsoft Support if you are stuck on something.

https://aad.portal.azure.com/

How do I know if users can enroll devices?

To manage devices in Intune, devices must first be enrolled in the Intune service. This requires the Intune Management (Mobile Device Management – MDM) application to be integrated into Azure AD.   Both personally owned and corporate-owned devices can be enrolled for Intune management.

There are two ways to get devices enrolled in Intune:

  • Users can self-enroll their Windows PCs
  • Admins can configure policies to force automatic enrollment without any user involvement

Want the MS explanation?  Click below…

Intune enrollment methods for Windows devices – Microsoft Intune | Microsoft Docs

Conditional Access?!?!  Say What?

This also requires the Intune Management (Mobile Device Management – MDM) application to be integrated into Azure AD.   I will update the Conditional Access post at some point to make Conditional Access easier to understand.  You can start by setting up some Conditional Access policies, like the MFA policy illustrated below.

Conditional Access MFA

Azure Active Directory Device Settings

Lots of fun-filled features in this section to make use of.  I highlighted some feature limitations for Business Basic licensed users.

Features for Business Basic and Premium Users

  • Users may join devices to Azure AD
    • Do you really want that?
  • Users may register devices with Azure AD
    • I assume this is OK for most businesses, but MFA should probably be part of the process
  • Require MFA to register or join devices with Azure AD
    • This requirement resonates with me, and it should with you.

Features for Microsoft 365 Business Premium only

  • Additional local administrators on all Azure AD joined devices

Azure Active Directory Device Settings

Azure AD Device Registration vs Joined vs Enrolled Summary

Azure AD: