Forum Discussion
Joe Stocker
Jul 18, 2017 (Bronze Contributor)
Azure AD Conditional Access - Require Domain Joined Device
Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screen shot says ‘Not Azure AD Domain Join’ but the documentation shown in the screen shot seems to contradict this.
- Correct, that would be on-prem AD domain-join.
Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
- Birendra Negi (Copper Contributor)
With Pass-through Authentication, what is the workflow for joining a machine to the domain?
- Daniel Kharman (Brass Contributor)
Hi Joe,
I had a similar question, and received similar answers.
What you're probably looking for however is this:
That condition specifically means local domain-joined, however if the device (I'll assume Windows 10) isn't at a minimum Azure AD Registered, then Azure Conditional Access can't interpret the device as being locally domain-joined.
So in order to use that function, you need to make sure that your devices are registered in Azure AD - despite the fact that the documentation says the requirement is Hybrid Azure AD Joined, I've found that simply registering is enough. Though to be fair, you really should implement Hybrid Azure AD Join, because asking your users to go forth and register their devices in Azure AD themselves will likely lead to a whole heap of calls to the Service Desk :)
Hope it helps,
Dan
- John Matrix (Brass Contributor)
Hey Dan,
interesting. So simple Azure AD registration is enough to enforce a conditional access policy?
But there is no similar simple way for Windows 7, right?
Thanks.
-John
- Daniel Kharman (Brass Contributor)
Not really, though from memory you can enroll Windows 7 devices into Intune, which would implicitly register them. Though if you're going to go through that, you may as well set up Hybrid AAD Join.
- Christopher DelaTorre (Copper Contributor)
I think they have finally updated the Grant control in the conditional access policy to make it clearer. The desired conditional access policy will only work if the device is Hybrid Azure AD joined. Meaning that the domain joined device is also Azure AD joined (not registered but joined).
I think this article would help in configuring Hybrid Azure AD joined devices.
How to configure Hybrid Azure AD Joined devices
- John Matrix (Brass Contributor)
Has anyone tried the Hybrid domain join implementation? Any negative experiences? Advantages?
- Christopher DelaTorre (Copper Contributor)
Ever since we enabled hybrid for our company-issued computers, it's been working really well for us. This is very useful, especially when you exempt Hybrid Azure AD joined devices from your Conditional Access Policy in Intune MDM/Azure AD.
- Joe Stocker (Bronze Contributor)
I agree, it is more clear now.
- Joe Stocker (Bronze Contributor)
Loryan Strant I just finished creating a lab to test this all out and while I was able to get Windows 7 to work with the conditional access setting "require domain joined device", I could not get it to work with Windows 10 which ironically should have been easier. Can you review my blog and let me know what I am missing? http://www.thecloudtechnologist.com/azure-ad-premium-conditional-access-for-domain-joined-machines/
- Joe Stocker (Bronze Contributor)
So if a machine is not joined to on-prem AD and it is only joined to Azure AD, you're saying conditional access won't work? Why doesn't the documentation list the requirement of being on-prem AD joined?
- Bill Hughes (Copper Contributor)
Azure AD joined machines will work with conditional access. You will just need to use the value of "Require device to be marked as compliant". This requires the device to be managed through Intune, however, and does not allow you to use only Azure AD joined machines that are not managed.
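Combining the two grant controls discussed in this thread, as an added example that is not part of the original posts or any Microsoft sample: a report-only Conditional Access policy created with the Microsoft Graph PowerShell SDK that is satisfied by either a Hybrid Azure AD joined device (the domainJoinedDevice control) or an Intune-compliant device (the compliantDevice control). The display name and the excluded break-glass group id are placeholders.

```powershell
# Added example, not code from the thread. Assumes the Microsoft Graph
# PowerShell SDK is installed and the signed-in admin can consent to the scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    displayName = "Require hybrid-joined OR compliant device"   # placeholder name
    # Report-only first: sign-in logs show who would be blocked, nothing is enforced
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            # Placeholder object id of an emergency-access group kept out of scope
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: a device that is Hybrid Azure AD joined (on-prem domain joined and
        # registered/joined in Azure AD) OR marked compliant by Intune satisfies it.
        # An Azure AD joined device that is not Intune-managed satisfies neither.
        operator        = "OR"
        builtInControls = @("domainJoinedDevice", "compliantDevice")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy.Id
```

On a Windows 10 test device, `dsregcmd /status` reporting both AzureAdJoined : YES and DomainJoined : YES confirms the hybrid-join state that the domainJoinedDevice control evaluates. Switch `state` to `enabled` only after the report-only sign-in results match what you expect.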