If you haven’t already seen it, Alex Simons just published a great post on Azure AD Join and the benefits it provides. In this post, I’m going to look at how Azure AD Join works together with Microsoft Intune and the Enterprise Mobility Suite (EMS) to light up some amazing scenarios.
I can’t even count the number of times I’ve talked to customers about a future scenario where they can finally tell their mobile end users: “Here’s a stipend, now go to an electronics store and buy a device for work.” Another variation of that discussion is simply sending a factory-imaged device from your OEM directly to the end user, and then through the power of an AAD account, the device can be business-ready in minutes.
Neither of these dreams has ever come about – primarily because today’s devices have needed to come on premises to get imaged and domain joined. Because of the necessity of this on-prem step, IT has often had to buy and provision devices for the end user so that they can be properly managed and secured. This adds up to real costs and real delays in getting the device to the end user.
At long last, that future scenario is – finally! – nearly here. By joining a Windows 10 device to Azure AD it is extremely easy for end users to get the benefits of single sign-on, OS state roaming, and more (see the aforementioned blog post from Alex for more details).
Another new (and incredibly powerful) part of joining Azure AD is the ability to automatically enroll the device in Microsoft Intune. From my customer visits I’ve learned that device enrollment is the single largest challenge organizations have in bringing mobile devices under management. Microsoft has worked exhaustively to dramatically simplify this process, and there is some great work that we have done in this area around Azure AD join.
Imagine how this can work for you: Through the power and simplicity of a highly secure Azure AD account, users can immediately get access to corporate resources and the applications they need to be productive, while IT can be assured that those devices are secured for access (through Azure AD) and policy (through Intune) from the first minute of business life. Customers can also optionally choose to upgrade from Pro to Enterprise by simply passing a key through Intune. This means easily adding additional management (as afforded by the Enterprise SKU) simply by passing this key – there isn’t even a need to reimage!
Additionally, key access controls (like conditional access to e-mail and OneDrive, based on Intune enrollment and compliance assessment) are all in place from the start of a device’s life! All the user has to do is sign in with their Azure AD account. It’s just that simple.
Here are two key scenarios that are going to simplify the lives of many IT Pros:
- New device out-of-the-box:
Open the box and log in with your Azure AD account. This triggers enrollment into Microsoft Intune. Check out this blog for step-by-step screenshots of the experience.
- BYOD device:
When the user needs to access corporate documents or resources, they can add a workplace account. Doing this triggers enrollment into Microsoft Intune. This blog post has step-by-step screenshots and instructions.
Getting all of this set up is easy:
In the Azure AD administrative experience you just need to define:
- MDM Enrollment URL for Intune, so that devices know how to reach the MDM service at join time.
- MDM compliance URL, which is the Intune Portal where end users go to remediate if their device is blocked by a Conditional Access policy. (The block itself comes from the Conditional Access policy; this URL only tells the user where to go to fix it.)
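Once the two URLs are set in Azure AD, the practical question on a freshly joined Windows 10 device is whether it actually picked them up. The following PowerShell is an added example (not code from the original post or from Microsoft) that parses `dsregcmd /status`-style output and reports whether the device is Azure AD joined and received MDM enrollment and compliance URLs. The field names `AzureAdJoined`, `MdmUrl` and `MdmComplianceUrl`, and the sample output, are assumptions made for this example; check them against the real output on your build of Windows 10.

```powershell
# Added example: check that an Azure AD joined device received its MDM URLs.
# Field names below (AzureAdJoined, MdmUrl, MdmComplianceUrl) are assumed to
# match the "Key : Value" lines printed by dsregcmd /status.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Key/value lines look like "      AzureAdJoined : YES"; skip boxes and headers.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-AadJoinReadyForIntune {
    param([Parameter(Mandatory)][hashtable]$State)
    $problems = @()
    if ($State['AzureAdJoined'] -ne 'YES') {
        $problems += 'Device is not Azure AD joined'
    }
    if (-not $State['MdmUrl']) {
        $problems += 'No MDM enrollment URL delivered (check the MDM settings on the Azure AD tenant)'
    }
    if (-not $State['MdmComplianceUrl']) {
        $problems += 'No MDM compliance URL delivered (users will have nowhere to remediate a Conditional Access block)'
    }
    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample output for offline use; not a real capture.
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
'@ -split "`r?`n"

Test-AadJoinReadyForIntune -State (ConvertFrom-DsregStatus -Lines $sample)

# On a real Windows 10 device, feed it live output instead of the sample:
# Test-AadJoinReadyForIntune -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

Run it in the user's session right after the first sign-in; a `Ready` of `False` with "No MDM enrollment URL delivered" usually means the Azure AD MDM settings were not configured (or not scoped to that user) before the device was joined, so Intune enrollment was never triggered.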
I know what you’re thinking: “When should I consider joining Windows 10 devices to Azure AD?”
The answer is pretty simple: It comes down to choosing between Azure AD join + Microsoft Intune versus AD join + Group Policy + System Center Configuration Manager.
In Windows 10, the inbox management agent has been greatly enhanced to cover a myriad of new policy settings, but it will be a subset of what on-premises AD Group Policy provides today.
I really like the approach Windows 10 took to smartly implement key policy settings via the inbox agent – and we also think that, for most customers, it won’t be an all-or-nothing decision. Instead, I expect it to be a choice based on the elements like the department, the specific job function, and other criteria.
Here are a couple of key questions to see if a device is right for Azure AD join or not:
- Do you have devices that only run cloud apps or apps exposed through the AAD App Proxy? If so, Azure AD join is optimized for these types of apps.
- Is the Windows 10 MDM/Inbox agent functionality sufficient for managing the device and its apps? For example, the apps on a device do not require AD group policy for configuration settings. As you become more familiar with the capabilities built into the MDM channel in Windows 10, you’ll be able to make the call if those capabilities are sufficient.
If you answer “yes” to these questions – for either a subset or all of your devices – then you’re likely ready to deploy and gain the benefits of joining Windows 10 devices to Azure AD and Microsoft Intune.
You’ll definitely want to become increasingly familiar with the new management and enterprise capabilities of Windows 10 (which are all exposed via the MDM/Inbox agent). Some of the new capabilities, like Enterprise Data Protection, certificate management, lockdown policies, and Device Guard, are particularly noteworthy. For organizations that are moving entirely (or mostly) to the cloud, AAD + Intune is a fantastic solution.
Many of you will want to apply these new capabilities along with the SCCM capabilities you’re already using. We have built the MDM/Inbox agent to co-exist and interoperate with the SCCM agent on the same device for this purpose. I suspect this is how many Enterprise organizations will operate.
More to come in the next couple of weeks.