Forum Discussion

lpmuu
Copper Contributor
Feb 06, 2024
Solved

AAD join Server 2025

Hi,
Wondering if Server 2025 can be AAD joined. This would help some businesses that have their laptops joined and would also like the option to join their Server for their line-of-business apps etc.

Seems really strange that you can have Win11 AAD joined but not Server 2025.

Or am I just missing something here? Having to use Azure Arc comes with extra headaches and costs.


13 Replies

  • EpsilonX
    Copper Contributor

    Not sure if this reply will get through on a "solved" answer, but here's a great use case.

    Imagine an engineering firm with 50 users needing a lot of local file storage (too expensive and slow to use in the cloud) but the computers are all Entra ID-joined and users log on with their Entra ID. Let's assume no local Active Directory is in place (hybrid with AD and joining computers to Entra ID is incredibly painful; some computers just work, others we have to jump through incredible hoops and registry entries to make it happen).

    So setting up a Windows client computer won't work because it's limited to 20 concurrent file share sessions, and managing 50 user accounts on that computer and setting up that credential in Windows Credential Manager just to access file shares on the server is a ton of wasted overhead and management.

    Well, why not set up Windows Server in workgroup mode and join it to Entra ID? Then make the file shares, add Entra groups and/or users, and everything would work beautifully?

    I'm really missing why Microsoft does not provide this capability that they provide on Windows client.

    Or at VERY least, maybe we don't have to actually Entra-join the Windows Server, but add a feature such that user accounts and groups can be pulled from Entra and used on local resources?

    Again, fully setting up, hardening, managing local Active Directory AND adding hybrid with AD Connect is a ton of really unnecessary overhead that results in extra IT time and problems.

    This kind of functionality works on a Windows client (at least for adding Entra users to local shares), why can't it work on Windows Server?

  • lpmuu 


    Hi, Brent here from the Windows Server team.  Can I ask you to elaborate a bit more on how you would use Entra ID device join on Windows Servers?  When is it most painful to be missing this capability?  Servers in the cloud, Servers at the edge, in your datacenter?  Would you use this with traditional AD or no?  Would this be most convenient for configuring and deploying, or troubleshooting, or other tasks?  You mention accessing corporate resources from the Server, would like to know more about this.  Thanks!

    • stefana1890
      Copper Contributor

      Brentfor,

      I think most people want a hybrid solution for many types of applications, such as NPS/RADIUS, Terminal Server, hybrid MFA, and file synchronization to SharePoint.

    • Karl-WE
      MVP

      Brentfor, you're welcome! Thanks for asking.

      Some ideas:

      - Joining Windows Server VMs running on on-prem hypervisors / Azure Stack HCI to Entra AD

      - Entra AD Services (now with new trust directions and migration possibilities)

      - Use Entra ID as identity instead of Kerberos, or in addition. Recently heard a 3rd-party virtualization solution offers MFA for local admins, how cool is that.

      - Thinking about local Kerberos tickets coming to Windows 11, I suppose Windows Server, too, when a DC is not in sight.

      Imagine this with Windows Server using Entra, MFA / Conditional Access, PAM / PIM for Windows Server, eventually thinking about Entra Roles which would also automatically predefine limited PowerShell cmdlets.

      - Manage application deployment (winget) and (Defender) security policies via Intune

      - Might even be feasible to combine this with Azure Policy via Azure Arc

    • workalotdave
      Copper Contributor
      Hi Brent. Not OP, but I want to add that AAD join and AAD login on Windows Server is a very much wanted feature in our organization. Our primary use case is for servers at the edge outside of Azure. The servers we have in Azure are already AAD joined by the Azure-only option of AAD joining a Windows Server. It is most needed so we do not have to maintain additional usernames/passwords on these servers.
      • Brentfor
        Microsoft

        workalotdave Thank you for the feedback.  This makes sense.  How many user accounts do you typically have to manage for Servers at the edge today?  Have you tried Entra ID pass-through and/or AD federation services?

  • Hi lpmuu, Windows Server cannot AAD join. But I can test this for you, or you can test it yourself using the Settings app.

    There's a movement going on that parts of Windows Server might get controlled via Intune through Defender and security policies but that is still in public preview.


    The Windows Server Core installation option is even missing the bits and bytes for it.


    Microsoft Azure Arc is free, but it adds a new layer of complexity and security if you want to do it right, just as AAD join would, too. This is because Azure Arc adds the Server to the management plane of the Azure Portal and also to the control and security plane of Entra ID, which is intertwined with your AAD accounts.


    I agree with your idea. Please comment and like this older posting of mine.

    https://techcommunity.microsoft.com/t5/windows-server-insiders/reasons-why-windows-server-core-installation-option-does-not/m-p/3296764?search-action-id=686849059469&search-result-uid=3296764
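A quick way to verify the join state discussed in this thread without clicking through the Settings app, as an added example that is not part of any post above: `dsregcmd.exe /status` ships on both Windows client and Windows Server and reports whether the device is Entra joined, hybrid joined, AD domain joined, or in a workgroup. The function below runs it, parses the `Key : Value` lines, and returns an object; the summary labels are the author's own, not output of the tool.

```powershell
# Added example (not from the thread): report the device-join state of the local
# Windows machine. Uses dsregcmd.exe (present on Windows 10/11 and Windows Server)
# and CIM for the OS caption. Run in an elevated PowerShell session on the box.

function Get-DeviceJoinState {
    [CmdletBinding()]
    param()

    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    # dsregcmd /status prints indented "Key : Value" lines; keep only the ones we care about.
    $raw    = & dsregcmd.exe /status 2>&1
    $wanted = 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'DomainName', 'TenantName', 'DeviceId'
    $state  = [ordered]@{ OperatingSystem = $os }

    foreach ($line in $raw) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aad = $state['AzureAdJoined'] -eq 'YES'
    $ad  = $state['DomainJoined']  -eq 'YES'

    # Summary labels are assumptions for readability, not strings emitted by dsregcmd.
    $state['Summary'] = if ($aad -and $ad) { 'Hybrid Entra joined (AD + Entra ID)' }
                        elseif ($aad)      { 'Entra joined' }
                        elseif ($ad)       { 'AD domain joined only' }
                        else               { 'Workgroup (not joined)' }

    [pscustomobject]$state
}

# Usage: on a Windows Server 2025 box this is expected to show AzureAdJoined : NO
# unless the machine is hybrid joined through on-prem AD, which matches the thread.
Get-DeviceJoinState | Format-List
```

Onboarding a server to Azure Arc does not change this output: the Arc agent registers its own identity with Azure rather than joining the device to Entra ID, so `AzureAdJoined` stays `NO` on an Arc-connected workgroup server.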
