To enable secure access to apps and services, an organization may constrain access to only those devices that are properly configured for work. When a device is set up for work, users can securely access apps, services and data, under the organization's compliance requirements, using their work accounts (i.e. AD or Azure AD accounts).
Windows 10 offers three ways to set up a device for work: Domain Join, Azure AD Join and, for personal devices, Add Work or School Account. In all cases, devices obtain an identity with Azure AD (a.k.a. register with Azure AD) and come under the control of the organization (i.e. devices are managed by the org.).
Using their work accounts on these devices, users will:
- Experience Single Sign-On (SSO) to Office 365 and SaaS apps from everywhere.
- Enjoy roaming of OS settings across joined devices.
- Be able to access the Windows Store for Business.
- Have the convenience of Microsoft Passport & Windows Hello to access work.
On the other hand, organizations will:
- Be able to restrict access to only devices meeting Conditional Access policy.
- Have peace of mind, as settings and work data roam through enterprise-compliant clouds. No Microsoft accounts (e.g. Hotmail) are involved, and they can be blocked.
- Reduce the risk of credential theft by implementing Microsoft Passport for Work.
Domain Join
This is the traditional way organizations have deployed Windows work devices for years. Devices are typically managed with Group Policy or System Center Configuration Manager (SCCM).
Windows 10 domain-joined devices in an organization that has connected its on-prem AD to Azure AD automatically register with Azure AD, enabling new experiences for both users and admins. The process for joining devices to the domain doesn’t need to change. Upon reboot, the device attempts registration with Azure AD using its on-prem AD computer account identity. Expect a blog entry where I will describe in detail how this process works.
Azure AD Join
This is a new way of setting up devices for work. Devices register directly with Azure AD. It provides a self-service experience: the user can set up the device from anywhere (in contrast with Domain Join, which is typically done as part of an imaging process or by an admin). In a future update of Windows, Azure AD Join will offer a pre-provisioning experience for admins to prepare devices before handing them out to users.
As part of the device setup experience the device also automatically enrolls into Intune or the MDM system that has been configured in Azure AD.
Add Work or School Account
This is the way to enable personal devices to access work resources. It can be done via Settings (Accounts -> Your Account) or when the user configures an app for work. For example, a user can choose to add the work account to Windows at the moment they are setting up the Mail app to connect to Office 365. The user will enjoy SSO to work resources through apps and browsers (Edge and IE).
In addition, adding the work account will enroll the device with Intune or the MDM system that has been configured in Azure AD.
Please note that Add Work or School Account is the replacement for the Workplace Join experience in Windows 8/8.1.
Please also note that both Domain Join and Azure AD Join allow users to sign in to and unlock devices using their work accounts. Personal devices are unlocked using Microsoft accounts (i.e. Hotmail, Live, Outlook, Xbox, etc.). Add Work or School Account doesn’t change this fact, but adds the work account on top of it (i.e. as a secondary account). The Microsoft account is still used for unlocking the device and for driving default Windows experiences like roaming of OS settings or Cortana.
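Whichever of the three paths a device took, the resulting registration state is what Conditional Access ends up evaluating, so it is worth being able to read that state back from the device. The PowerShell below is an added example written for this page, not code from the post or from Microsoft. It assumes dsregcmd.exe is available on the device (it ships with current Windows 10 builds; the post itself does not mention the tool) and that its /status output prints AzureAdJoined, DomainJoined and WorkplaceJoined as "Name : Value" lines. The sample output embedded in the block is constructed so that the block runs without touching a real device; pass -Live to query the machine you are on.

```powershell
# Added example (not from the original post): map a Windows 10 device's
# registration state onto the three setup modes described above, using the
# output of "dsregcmd /status".
# Assumptions (not stated in the post): dsregcmd.exe exists on the device,
# and its output carries "Name : Value" lines for AzureAdJoined,
# DomainJoined and WorkplaceJoined.

function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable,
    # ignoring the +----+ banners and blank lines the tool prints.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-WorkSetupMode {
    # Classify the parsed state. Hashtable keys are case-insensitive in
    # PowerShell, so the lookups tolerate casing differences in the output.
    param([Parameter(Mandatory)][hashtable]$State)
    $aad = $State['AzureAdJoined']   -eq 'YES'
    $dom = $State['DomainJoined']    -eq 'YES'
    $wpj = $State['WorkplaceJoined'] -eq 'YES'

    if ($dom -and $aad) { return 'Domain Join, registered with Azure AD' }
    if ($dom)           { return 'Domain Join, Azure AD registration not completed' }
    if ($aad)           { return 'Azure AD Join' }
    if ($wpj)           { return 'Add Work or School Account (work account on a personal device)' }
    return 'Not set up for work'
}

function Get-DeviceWorkState {
    # With -Live, run dsregcmd on this machine; otherwise use the constructed
    # sample below (a domain-joined device that has registered with Azure AD).
    param([switch]$Live)

    if ($Live) {
        $lines = & dsregcmd.exe /status
    } else {
        # Constructed sample output, trimmed to the lines that matter.
        $lines = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"
    }

    $state = ConvertFrom-DsregStatus -Lines $lines
    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']
        DomainJoined    = $state['DomainJoined']
        WorkplaceJoined = $state['WorkplaceJoined']
        Mode            = Get-WorkSetupMode -State $state
    }
}

Get-DeviceWorkState
```

Two practical caveats when running this with -Live: the User State section (and therefore WorkplaceJoined) reflects the account running dsregcmd, so run it as the user whose work account you are checking, not from an elevated prompt under a different account; and a domain-joined device that shows AzureAdJoined as NO has not finished the automatic registration described above, which is the first thing to check when Conditional Access unexpectedly blocks it.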
That’s it for now. Please expect subsequent posts that describe in detail some of these concepts. See you soon!
Jairo (Twitter: @JairoC_AzureAD)