Azure AD on Windows 10 Personal Devices

First published on CloudBlogs on May, 21 2015
Howdy folks, In our first blog on Windows 10, we talked about our new Azure AD Join capabilities for company owned devices. In the comments and on Twitter, we received a lot questions about how to use Windows 10 with both a personal and a work account at the same time. So today, that's what we're going to cover. First, Windows has traditionally had great support for using multiple isolated user profiles ("NT users") on a PC. You could log off and login as a different user or use fast user switching to quickly move between profiles. This will work in Windows 10 just as it did in Windows 8. But Windows 10 takes this one step further and allows you to connect your device to both your personal and your enterprise clouds, within the same login session . With Windows 10, you can add your personal account to a corporate owned device (joined to a traditional Windows domain or joined to Azure AD), or add your work account to a personal device (to which you signed in with your personal Microsoft account). To give you an idea of how this all works, I would like to introduce Venkatesh Gopalakrishnan, a Principal PM Manager on my team. Venkatesh will walk you through both of these scenarios in detail. You should also check out the Brad Andersen's blog post on how this multiple identity approach surfaces in the world of mobile apps and our Enterprise Mobility Suite. Keep the feedback and suggestions coming! Best Regards, Alex Simons ( @Alex_A_Simons ) Director of Program Management Microsoft Identity and Security Services Division ------- Hi everyone, I'm Venkatesh Gopalakrishnan, one of the PMs working on building Azure AD support in Windows 10. In our previous post, Ariel Gordon ( @askariel ) described how with just a few click's a user can join their Windows 10 device to Azure AD. In this post, I will focus on how you can add an Azure AD account to a personally-owned Windows 10 device and seamlessly access work apps and resources. I will also cover the opposite scenario—the ability to add a personal Microsoft account to a device that has been joined to Azure AD in order to access personal apps and data.

Adding an Azure AD account to a personally-owned device

Many of us do at least some work on our personal devices – usually email or document editing. And switching between user profiles ("NT users") to keep work and personal contexts completely separate isn't very convenient if all you want to do is catch up on email while watching videos on Youtube. I'm happy to let you know that setting up and using your personally owned device to access work apps and resources is about to get a whole lot easier! With Windows 10, you can add an Azure AD account to a personal device from within an application as well as from the system Settings. Once an Azure AD account has been added, you will enjoy many of the same benefits on your personal device as you would on a corp-owned Azure AD joined device. These include:

• Single Sign-on to corporate apps, sites and resources protected by Azure AD (like Office365 )
• MDM enrollment will occur automatically (if configured by the admin) on some Windows editions. You won't need to hunt for the right MDM client in the Windows store to enroll your device and access cloud resources protected by Conditional Access.
• Access to your company's private catalog on the enterprise-ready Windows store .

The major difference of course is that you use a personal Microsoft account to sign in. Modern Windows services such as OS State Roaming and Live Tiles will continue to be driven by your personal account. Now let's take a look at the experience of adding an Azure AD account to your personal device from within an application. Imagine you created a work document on your personal Windows 10 device.

Now you need to save it somewhere – but your personal OneDrive probably isn't the most appropriate place. The first thing you need to do is kick-off the 'Add account' workflow from within the application. While application experiences will differ, most (like Word in this case) will have a Sign-in button or an 'Add account' button in the application settings. Click on 'Work or school account' to add an Azure AD account to the device.

After successfully authenticating with your work credentials, the MDM terms prescribed by your company may appear and you will have the opportunity to accept them for your device.

It's that simple! The device is now registered in Azure AD and enrolled in MDM. The account is ready to use for access to corporate resources like your company's OneDrive for Business and you won't have to go through the experience of adding the account or enrolling in MDM again because other authorized applications will also be able to use the account.

Adding a personal Microsoft account to a corporate owned device

Many of us also use our work PC's and devices for some personal activities as well. Just like on a domain joined Windows 8.1 PC, you can add your personal Microsoft account to a corp-owned device that is joined to Azure AD. And it will be is just as simple as adding an Azure AD account to a personal device: it can be triggered from within an application or from the system Settings. This provides the benefit of Single-sign on to personal applications and access to the consumer Windows store, but it won't cause OS and app state to roam via that personal account on Azure AD joined devices. Let's walk through a common use case – configuring your personal email account on your corp-owned laptop. First, the 'Add account' workflow is kicked-off from application's settings panel.

Select the account type (in this case a personal Microsoft account) and Sign in.

That's it! Your personal inbox will now start syncing to your corp-owned device. You can also install other consumer applications from the Windows store and use them with this account without being prompted to re-enter your credentials.

Questions and Feedback

The ability to add multiple accounts to Windows 10 will soon be available through the Windows 10 Technical Preview and the Windows 10 Enterprise Technical Preview . Please give these features a try and send us your questions and feedback. Keep watching this space to learn more about all the cool features we're building in Windows 10 and Azure AD as we continue this blog series.

Thanks for your time and interest,

Venkatesh Gopalakrishnan ( @vxg )

Principal PM Manager

Microsoft Identity and Security Services Division