Forum Discussion

Joe Stocker's avatar
Joe Stocker
Bronze Contributor
Jul 17, 2017
Solved

Azure AD Conditional Access - Require Domain Joined Device

Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screen shot says ‘Not Azure AD Domain Join’ but the ...
Access Management
Azure Active Directory (AAD)
Identity Management
  • Loryan Strant's avatar
    Loryan Strant
    Jul 17, 2017
    Correct, that would be on-prem AD domain-join.
    Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
Daniel Kharman's avatar
Daniel Kharman
Brass Contributor
Apr 27, 2018

Hi Joe,

 

I had a similar question, and received similar answers.

 

What you're probably looking for however is this:

That condition specifically means local domain-joined, however if the device (I'll assume Windows 10) isn't at a minimum Azure AD Registered, then Azure Conditional Access can't interpret the  device as being locally domain-joined. 

 

So in order to use that function, you need to make sure that your devices are registered in Azure AD - despite the fact that the documentation says the requirement is Hybrid Azure AD Joined, I've found that simply registering is enough. Though to be fair, you really should implement Hybrid Azure AD Join, because asking your users to go forth and register their devices in Azure AD themselves will likely lead to a whole heap of calls to the Service Desk :)

 

Hope it helps,

Dan

Resources