Azure AD Registration
Azure AD registered devices is to provide support for the Bring Your Own Device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization’s Azure Active Directory controlled resources using a personal device.
Azure AD registered devices are signed in to using a local account like a Microsoft account on a Windows 10 device, but additionally have an Azure AD account attached for access to organizational resources. Access to resources in the organization can be further limited based on that Azure AD account and Conditional Access policies applied to the device identity.
Azure AD joined
Azure AD devices is for corporate owned and managed devices. These devices authenticated using corporate azure AD account. Azure AD join mainly intended for organizations that want to be cloud-first or cloud-only. Any organization can deploy Azure AD joined devices no matter the size or industry. Azure AD join works even in a hybrid environment, enabling access to both cloud and on-premises apps and resources.
Administrators can secure and further control Azure AD joined devices using Mobile Device Management (MDM). Azure AD join can be accomplished using self-service options like the Out of Box Experience (OOBE), bulk enrollment, or Windows Autopilot.
Prerequisite for Windows 10 Intune Enrollment -Azure AD Join & Registration
- Azure active directory & Intune subscription, setup, and configuration needs to be completed
- Admin User needs to be created and appropriate License/access needs to be assigned for enrollment
- Configure MDM User scope for Auto enrollment
We need to Configure MDM User scope. Specify which users’ devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll for management with Microsoft Intune. There are three options,
- None – MDM automatic enrollment disabled
- Some – Select the Groups that can automatically enroll their Windows 10 devices
- All – All users can automatically enroll their Windows 10 devices
(below is the reference screenshot, here we have selected some and User group has been added for Auto Enroll)
Join Windows 10 Device to Azure AD
Below are the manual steps to join the Windows 10 device with Azure AD
- Login to Windows 10 with an Administrator account
- Go to Start and click Start Menu -> Settings
- Select Accounts > Access work or school
- Click on Join this Device to Azure Active Directory link from Alternate Actions
- Enter Corporate Email ID and Password
- Click on Next to start the Azure AD registration process (Enabled Authenticator) – Enter the Authentication Code
- Click on JOIN button from the popup Windows Make sure this is your organization.
- Click on DONE button to Finish Windows 10 Azure AD Join process
Windows 10 Device has been joined Azure AD successfully.
We could see the Device in Azure Portal as Azure AD Joined
We could see the Device in Intune Portal as Corporate (Ownership)
Register Windows 10 Device to Azure AD
Below are the steps to register the Windows 10 BYOD (Personal) device with Azure AD
- Login to Windows 10 with an Administrator account
- Go to Start and click Start Menu -> Settings
- Select Accounts > Access work or school > Connect
- Enter Corporate Email ID and Password (Do not required to Select the alternate option)
- Enter Authentication Code by Using Mobile App
- Click on Done to complete the Azure AD registration process
Windows 10 Device has been Registered in Azure AD successfully.
We could see the Device in Azure Portal as Azure AD registered
Since this BYOD scenario, We could see the device has been automatically enrolled as Personal device in Intune Portal.
Thank You for reading this post!
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
I hope this post has given you an understanding of windows 10 Intune enrollment on AAD join and Registration scenario’s.
Infrastructure Management Blog 