Azure AD Join in Windows 10
In this episode of the Azure AD and Identity Show, your host, Simon May, talks to Venkatesh Gopalakrishnan of the Identity Division about how Azure AD Join can enable your mobile workforce.
More resources and next steps
- Learn: Enterprise mobility core skills
- Try: Enterprise Mobility Suite (EMS) free evaluation
- Connect: Join the Identity conversation on Twitter
- Gartner Magic Quadrant: Visionary in Identity as a Service
- Watch: Get the inside track from Microsoft experts
[00:01] Simon: Hello and welcome to the Azure Active Directory and Identity Show. I'm Simon May, your host.
[00:06] Today in the show we're going to be taking a look at Azure Active Directory Join for Windows 10 and I'm joined by Venkatesh from the Identity Team to talk us through what it is, why you have created it. So, what is Azure Active Directory Domain Join for Windows 10?
[00:23] Venkatesh: Hm-hmm. So, thanks, Simon. The Azure Active Directory Join in Windows 10 is a piece of new functionality we have in Windows 10 that allows you to join an Enterprise owned, a work-owned Windows 10 device to your Azure AD tenancy in the cloud.
[00:38] As opposed to your on-prem AD that you've been doing for, you know, many years to come, many years on traditional Windows devices. What it buys you is the ability to seamlessly manage these devices through the cloud using Intune or any other MDM, as well as single sign-on to all your cloud applications, like Office 365 being the obvious one.
[00:57] But any app that you can access through the Azure AD app access panel is fair game for single sign-on. Over time we'll be bringing more Enterprise services through the cloud to Azure AD-joined Windows devices, such as Enterprise compliant OS State Roaming, and we'll be launching the Enterprise store soon.
[01:15] Which allows you, your employees, to install applications that have been authorized by your organization through the standard Windows store app.
[01:22] Simon: So, it's one of those features that, I guess, really compounds our idea that Active Directory is the control plane. It gives you a place to be able to control identity, but also the devices, where that entity is being used. One of the main components being Windows 10.
[01:37] Venkatesh: Exactly. That's exactly correct.
[01:39] Simon: Cool. So, what was kind of the problem that we designed, or that you guys designed Azure AD Join to actually solve?
[01:49] Venkatesh: Alright. So, it's pretty rare these days to find a company of any size or shape that isn't moving to the cloud in some sort of way. Certainly small companies are doing it already, and many of them have gone 100% cloud. If you started a company today, chances are you'd be using SaaS apps all the way. Right?
[02:08] So, what Azure AD Join really does is it unlocks a whole bunch of Enterprise functionality in Windows that wouldn't have otherwise been available to you without building out some IT infrastructure on-prem with Windows Server AD or Systems Center to manage them. But now you have access to all those capabilities through the cloud.
[02:29] With Azure AD, with Intune or another MDM as well as Office 365. Now we're also seeing some pretty good interest in this from larger companies that might be going hybrid as well. Right?
[02:40] If they've got segments of employees that are mostly using SaaS apps for productivity, like Office 365 or employees that are remote or seasonal workers that perhaps don't necessarily always have easy line of sight to a domain controller.
[02:54] Or, in the case of seasonal workers, you know, there's a high cost to provision seasonal workers on your Active Directory on-prem. It might be just easier to provision them in the cloud only. Azure Active Directory Join is a pretty good option for you as well.
[03:10] Simon: So it seems to be perfect for, I guess the modern world, really. Where we've folks that are setting up a company that exists only in the cloud. Perfect for organizations that are really heavily in the cloud already. Seems to work perfectly in a world where people are very mobile, moving around. Moving to different locations.
[03:29] Venkatesh: Exactly. In modern enterprise, it's the modern worker in the modern enterprise.
[03:33] Simon: Yup. Incredibly cool. So can we take a look at it in action?
[03:36] Venkatesh: Absolutely. So in this demo I've got a brand new VM of a Windows 10 Professional desktop. The first thing a professional edition SKU is going to give you is a choice to decide whether this device you just purchased from Best Buy for your work purposes is owned by the organization, or for yourself.
[03:54] In this case, we will go down the path of saying that this is an organization-owned device. So your company bought it for you. It gives me two choices. I have the option to join a domain, like I've had in Windows for several versions now.
[04:09] But the new option to join Azure Active Directory now shows up during the first-run experience at Windows. So we'll take a look at that.
[04:23] So I hit a login screen that effectively all I need to do here is enter the same credentials I use for Office 365, Exchange Online or any other Azure Active Directory application, which for all practical purposes is my work account. Right?
[04:38] So we'll do that. About an hour ago I created a brand new Office 365 tenant. Just signed up for the thirty-day trial. Anyone of you could do this. Very easily.
[04:54] Simon: Just while you're talking about it, there's actually a lot of customization if you go in in the background here as well. So as you're entering your UPN there for your account, we could have actually redirected you over to a corporate sign-on page.
[05:06] Venkatesh: Absolutely.
[05:07] Simon: If we had all of that configured.
[05:08] Venkatesh: Correct. If you're a hybrid company, we would just take you to a corporate sign-in page with your ADFS or identity proxy and they all bounce you right back. For all practical purposes, I just did a very standard Azure AD web sign-in there. Just looked a little Windows-y.
[05:22] Simon: Yeah. We could also have extra authentication, though. We could have had Azure Multi-factor authentication kick in to require a call to your cell phone. Say, hey, I'm a human being.
[05:31] Venkatesh: Yes, and in fact, that will show up a little bit later when I try it when I configure some credentials during this demo.
[05:38] Simon: So, it gives that ability to have an extra level of security around the whole thing as well, I guess. Yeah.
[05:44] Venkatesh: Precisely. Speaking of security, one of the things Azure Active Directory Join does expose in Windows is this new feature we have called Microsoft Passport, which is probably a subject for a show all on its own. But this is an opportunity to start using it right away and in fact, as I'm going through this process, I can create a work PIN.
[06:02] If this device supported iris recognition, face recognition or any other type of fingerprint biometric of some sort, that would be an option as well.
[06:12] Simon: Yeah, because what's actually happening under the hood here is, while you're configuring Microsoft Passport, we're setting a PIN. That PIN is tied to this particular piece of hardware. So it's only usable on this device to unlock the Microsoft Passport, to access the credentials stored within it, or rather the credential tokens stored within it.
[06:29] We can replace that unlock gesture, that PIN, with anything that Windows Hello supports. So, face recognition or iris recognition or fingerprint recognition. All able to unlock the, unlock Passport, and you've just received that phone call.
[06:43] Venkatesh: Yes.
[06:43] Simon: With the Multi-factor authentication and for setting up Microsoft Passport.
[06:49] Venkatesh: Correct, and in this case, I actually made it a coded text message.
[06:56] Simon: Yeah, so the Multi-factor authentication supports the three factors of authentication that we can see with Azure Multi-factor authentication. You can receive a phone call. You can receive a text message with a unique one-time code.
[07:08] Or you can also have the authenticator app which will then allow you to work in a situation where maybe you don't have cell connectivity for some reason.
[07:16] Venkatesh: Correct, Simon, and one of the beauties of this whole thing is at no point do I need to type in my password, into the device, and my password will never go over the wire.
[07:24] Simon: Yeah. That's one of the coolest things about Passport.
[07:28] Venkatesh: Correct. Alright, so now I can set up my work PIN that I will use for every subsequent sign-in onto this device.
[07:44] Simon: Actually, a policy in AD that we can use to set how complex that PIN needs to be as well, I think.
[07:48] Venkatesh: Absolutely. So one of the things I didn't get into detail on is during the process of actually joining Azure AD, you can also configure an MDM to be automatically enrolled for the device and that gives you the opportunity to pull the personnel policies like the length of the PIN complexity.
[08:05] The length of the PIN you'd like, the complexity of that PIN, as well as a few other sundry policies around email, etc. Speaking of email, I've now hit my Windows 10 desktop for the very first time, on a brand new Azure AD Join device. Somewhere along the way you might have seen a dialog that showed you some policies being pushed down.
[08:25] But essentially what's going on here is I've now plumbed my device with my Azure AD credentials and so a whole bunch of apps now start taking advantage of that from here on out. So let's take email. The very first thing you ever do on any device when you set it up is check your email, or set it up.
[08:40] All I have to do on an Azure AD Joined Windows 10 device, when I have Office 365, is fire up my email client that's in the box. My Azure AD account is already configured in the email app. Ready to go, and my mail is already saved. Right? I never had to type my credentials in during that entire process.
[09:03] Simon: Pretty, pretty cool.
[09:04] Venkatesh: I can also fire up a web browser here, and just go straight to the office portal, which would normally present me with a, ha-ha, typo'd it.
[09:19] Simon: You know, actually, I wonder who owns Wi-Fi.
[09:28] Venkatesh: Normally you'd hit a sign-in page. But look, no hands.
[09:32] Simon: Yup. Just go straight over.
[09:33] Venkatesh: It signs me right in because I signed into this device with Azure AD credentials.
[09:38] Simon: Cool. So presumably what's happened in the background there is Azure AD has issued some sort of token to this particular device to say, you have access as long as the token is valid.
[09:47] Venkatesh: Correct. In fact, when I logged in I got what we call a primary refresh token. That primary refresh token, whether it's unlocked with my password or with that Microsoft Passport credential that I configured and then used, is then exchanged by Azure AD for an access token for the specific apps I go to from that point onwards.
[10:05] Simon: Awesome. Okay.
[10:06] Venkatesh: So I can just, you know, click on my mail here.
[10:08] Simon: You could just go straight out to the web app.
[10:11] Venkatesh: Exactly, and the same mail will be shown there.
[10:13] Simon: You can also traverse from there to your OneDrive, presumably.
[10:17] Venkatesh: Presumably. Pretty much anything that I can access that uses Azure AD for its credentials is now available to me without having to type credentials again.
[10:25] Simon: Cool. So we could actually do that and set up access to something configured through Azure AD Application Proxy. We could use access to any shared application from within Azure AD as well. So that could be any of the SaaS applications.
[10:38] There are thousands of SaaS applications that we currently support in there, and the custom SaaS applications, all with single sign-on or configured from within the out-of-box experience for Windows 10. Great. Pretty cool.
[10:49] Venkatesh: Nothing additional needs to be done. This works out of the box. An administrator can always go to the Azure AD portal and configure some more interesting things, like administrators that they want on the device. But if you just set up an Office 365 tenant or any Azure AD tenant today, this will just work.
[11:05] Simon: Yup, and it'll just work, and you can give it a go. Thank you very much for joining me.
[11:08] Venkatesh: Thank you.
[11:09] Simon: Thank you guys very much for watching the show. Come back for the next one.