Last November Microsoft announced the availability of the first major update for Windows 10. Today we’re focusing on some of the new benefits recently added to Azure AD and Windows 10 for domain joined devices.
More than 90% of enterprises have deployed Active Directory. Today there are tens of millions of domain joined devices in the world. I am thrilled with the prospect of these organizations enjoying great value instantly, simply by connecting to Azure AD.
As Windows 10 domain joined devices register with Azure AD, both users and IT admins will benefit from new experiences, from enjoying SSO from everywhere, to the ability to have these devices participate in Conditional Access. Windows 10 promises to be the best device to use for work.
This post is written by Jairo Cadena a Senior Program Manager on my team who owns scenarios related to Windows 10 in the enterprise.
As always, we’d love to hear from you, so please let us know what you think!
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
I’m Jairo Cadena, one of the PMs working on building Azure AD in Windows 10. I am excited to share with you the new benefits of Domain Join in Windows 10 that you’ll get with the latest update of Windows.
In previous posts we have talked about Azure AD Join for work-owned devices and adding an Azure AD account to personal devices (BYOD). In this post I will talk about how the traditional way of providing work-owned devices, Domain Join, has been made better in Windows 10 with Azure AD.
Domain Join and Azure Active Directory
Windows Server Active Directory (AD) is the most widely used corporate directory, deployed by over 90% of enterprises in the world. In the last 15+ years, Domain Join has connected millions of computers to Active Directory for secure access to applications and centralized device management via Group Policy. The Integrated Windows Authentication stack (Kerberos/NTLM) gives users single sign-on (SSO) to on-premises applications and resources like file servers and printers.
Azure AD lights up new experiences in Windows 10 AD domain joined devices:
- SSO from anywhere, including SSO to Azure AD apps from the extranet.
- Enterprise compliant roaming of user settings across joined devices.
- Access to Windows Store for Business using a work account.
- Microsoft Passport and Windows Hello for secure and convenient access to work resources.
- Participation in device-based conditional access policy.
Registering domain joined computers as devices
Domain joined devices will automatically register with Azure AD and take advantage of the experiences listed above. You enable this functionality in your organization through a single Group Policy setting. Note that you need the latest version of Azure AD Connect.
To understand how this works, see the following diagram:
The registration process is as follows:
- Policy signals domain joined device to start auto-registration with Azure AD.
- Device queries Active Directory to get information about the Azure AD tenant. This data is written by AAD Connect during installation/upgrade.
- Device authenticates itself to Azure AD via AD FS to get a token for registration.
- Device generates the keys used in device registration. Besides the key for the device certificate, Windows 10 devices registering with Azure AD have a key used to protect SSO tokens by binding them to the physical device.
- Device registers with Azure AD via Azure Device Registration Service.
After the device is registered with Azure AD, every Windows logon (or unlock) will make the device obtain both an SSO token (Kerberos TGT) from AD (1) and an SSO token from Azure AD (2) as illustrated in the following diagram:
At this point, since the device has both SSO artifacts (a Kerberos TGT for AD and a Primary Refresh Token for Azure AD), users will have access to work resources without any prompts.
Azure AD Connect and Windows 10
AAD Connect is a fundamental piece to enabling this functionality. It does three things in particular:
- Creates an object in Active Directory (a Service Connection Point) that lets domain joined devices discover the Azure AD tenant to which they belong.
- Syncs computers in AD to Azure AD as device objects. This enables computers to securely authenticate upon automatic registration with Azure AD.
- If you have AD FS deployed, it creates a couple of claim rules that let domain joined devices register with Azure AD instantly, without waiting for the next sync cycle.
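The Service Connection Point from the first bullet is the piece an admin most often wants to verify before turning on the Group Policy. The script below is an added example, not code from this post or from Azure AD Connect; it assumes the RSAT ActiveDirectory module is available, that the caller can read the forest's Configuration naming context, and that the SCP sits under the container name and uses the azureADName/azureADId keyword layout that Microsoft documents for this object (treated as assumptions here, since the post does not spell them out).

```powershell
# Added example (not from the original post): locate the Service Connection Point (SCP)
# that Azure AD Connect writes so domain joined devices can discover their Azure AD tenant,
# and check that it names a tenant correctly.
# Assumptions: RSAT ActiveDirectory module installed; read access to the Configuration NC;
# SCP container and keyword names as documented by Microsoft.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$scpContainer = "CN=Device Registration Configuration,CN=Services,$configNC"

try {
    # Search by object class rather than hard-coding the SCP's own CN.
    $scp = Get-ADObject -SearchBase $scpContainer -SearchScope OneLevel `
        -LDAPFilter '(objectClass=serviceConnectionPoint)' `
        -Properties keywords -ErrorAction Stop
} catch {
    Write-Warning "No device registration container at $scpContainer. Run Azure AD Connect setup first."
    return
}

if (-not $scp) {
    Write-Warning "Container exists but holds no SCP; devices cannot discover the tenant."
    return
}

# keywords is multi-valued, holding 'azureADName:<verified domain>' and 'azureADId:<tenant id>'.
$tenant = @{}
foreach ($kw in $scp.keywords) {
    $name, $value = $kw -split ':', 2
    $tenant[$name] = $value
}

$tenantId = [guid]::Empty
if (-not $tenant.ContainsKey('azureADName') -or
    -not [guid]::TryParse([string]$tenant['azureADId'], [ref]$tenantId)) {
    Write-Warning ("SCP is present but azureADName/azureADId are missing or malformed: " +
                   ($scp.keywords -join '; '))
    return
}

"SCP: {0}" -f $scp.DistinguishedName
"Domain joined devices in this forest will register with tenant '{0}' (id {1})" -f `
    $tenant['azureADName'], $tenantId
```

If the tenant name printed is not the Azure AD tenant you expect, devices will attempt registration against the wrong directory, so fix the SCP before enabling the auto-registration policy.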
For more details about how to enable domain joined devices for auto-registration with Azure AD, please see How Domain Join is different in Windows 10 with Azure AD.
Questions and Feedback
The ability to have domain joined devices auto-registered with Azure AD is available now through the Windows 10 November Update.
Keep watching this space to learn more about all the cool features we’re building in Windows 10 and Azure AD as we continue with this blog series.
Thanks for your time and interest,