Azure AD Conditional Access - Require Domain Joined Device


Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screen shot says ‘Not Azure AD Domain Join’ but the documentation shown in the screen shot seems to contradict this.

contradiction.jpg

24 Replies
Solution
Correct, that would be on-prem AD domain-join.
Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
So if a machine is not joined to on-prem AD and it is only joined to Azure AD, you're saying conditional access won't work? Why doesn't the documentation list the requirement of being on-prem AD joined?

Azure AD joined machines will work with conditional access. You will just need to use the value of "Require device to be marked as compliant". This requires the device to be managed through Intune, however, and does not allow you to use only Azure AD joined machines that are not managed.

@Loryan Strant I just finished creating a lab to test this all out and while I was able to get Windows 7 to work with the conditional access setting "require domain joined device", I could not get it to work with Windows 10 which ironically should have been easier. Can you review my blog and let me know what I am missing? http://www.thecloudtechnologist.com/azure-ad-premium-conditional-access-for-domain-joined-machines/ 

Hi,

Can you please elaborate further.

We have the following requirement.

Only the devices issued by the IT department should be able to access SharePoint Online. How can I achieve this using conditional or compliance policies?

We don't have on-prem AD.

Thanks,

The conditional access policy that checks for domain join membership of a machine is referring to on-premises AD, so if you do not have on-prem AD then you'll need to use other conditional access choices to achieve your goals.

One idea would be to enroll your IT computers in Intune and then use a compliance policy that checks for device 'health' (which relies on intune enrollment).

Another idea would be to put your IT computers behind a NAT that can be used for conditional access checking based on the external IP address of that NAT.

Hi Joe,

Thank you for the response.

The option of NAT wouldn't work as there are mobile workers.

Can you guide me more on enrollment, maybe point to some documentation. Below is what should work if we can do it with an enrollment/compliance policy.

1. Restrict that only IT can enroll the devices.

2. Use a compliance policy that allows access only on enrolled devices.

Thanks,

For the first criterion, you would configure Azure AD's Device Settings to select only the IT users for the setting "Users may join devices to Azure AD".

For your second criterion, I recommend you configure conditional access based on Intune enrollment since, as previously discussed, you do not meet the requirements to perform domain join checking, since these are not hybrid domain joined machines against on-prem AD. Per your request for documentation, I would advise that you review the following two articles:

https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm

and then in the next article, refer to the section "require device to be marked as compliant"

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls

delegated Azure AD Join.jpg

I think they have finally updated the Grant control in the conditional access policy to make it clearer. The desired conditional access policy will only work if the device is Hybrid Azure AD joined, meaning that the domain joined device is also Azure AD joined (not registered but joined).

I think this article would help in configuring Hybrid Azure AD joined devices.

How to configure Hybrid Azure AD Joined devices (https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup)

Capture.PNG

I agree, it is more clear now.

Has anyone tried the Hybrid domain join implementation? Any negative experiences? Advantages?

I've deployed it at a few different companies, and it has gone pretty well.

Ever since we enabled hybrid for our company issued computers, it's been working really well for us. This is very useful, especially when you exempt Hybrid Azure AD joined devices from your Conditional Access Policy in Intune MDM/Azure AD.

Hi Joe,

I had a similar question, and received similar answers.

What you're probably looking for, however, is this:

That condition specifically means local domain-joined; however, if the device (I'll assume Windows 10) isn't at a minimum Azure AD Registered, then Azure Conditional Access can't interpret the device as being locally domain-joined.

So in order to use that function, you need to make sure that your devices are registered in Azure AD. Despite the fact that the documentation says the requirement is Hybrid Azure AD Joined, I've found that simply registering is enough. Though to be fair, you really should implement Hybrid Azure AD Join, because asking your users to go forth and register their devices in Azure AD themselves will likely lead to a whole heap of calls to the Service Desk :)

Hope it helps,

Dan

Hey Dan,

interesting. So simple Azure AD registration is enough to enforce a conditional access policy?
But there is no similar simple way for Windows 7, right?

Thanks.
-John

Not really, though from memory you can enroll Windows 7 devices into Intune, which would implicitly register them. Though if you're going to go through that, you may as well set up Hybrid AAD Join.

You are right.
Also, as far as I know, the Intune enrollment on Windows 7 requires some user interaction and cannot be done during sign-on. Well, automatic MDM enrollment can be set up in Azure, but the workplace join has to be initiated by the user at some point. I am not familiar with a way where the user doesn't have to enter his email address and password to join Azure. Also within Autopilot the user has to enter the credentials at this point.
One additional question:
What about shared workstations for shift workers? Will the same device be registered in Azure AD for every user individually after sign-on?

If you're registering devices, then yes, though in my experience if you're Hybrid AAD Joining then a user object won't get associated with a device object, which I found strange.

I don't understand how I can manage devices if some users in my organization have one company device as Hybrid Azure AD joined and another BYOD device as Azure AD registered.

Which way can I use a conditional access rule to control access on both devices?
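The thread settles on two different Grant controls for the two device kinds: "Require domain joined device" (which only a Hybrid Azure AD joined machine satisfies) and "Require device to be marked as compliant" (which an Intune-managed Azure AD joined or registered BYOD device satisfies). A single policy can accept either by setting the Grant operator to "Require one of the selected controls". The script below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, and `<target-app-id>` and `<break-glass-group-id>` are placeholders you replace with your own application and emergency-access group object ids.

```powershell
# Added example (not from the thread): create one Conditional Access policy
# that accepts EITHER a Hybrid Azure AD joined device (builtInControl
# domainJoinedDevice = "Require domain joined device") OR an Intune-compliant
# device (compliantDevice = "Require device to be marked as compliant").
# Placeholders to replace: <target-app-id>, <break-glass-group-id>.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

function New-DeviceTrustPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$TargetAppIds,
        [string[]]$ExcludeGroupIds = @(),
        # Report-only first: the sign-in log then shows which users and devices
        # WOULD have been blocked, without locking anyone out.
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = $ExcludeGroupIds }
            applications   = @{ includeApplications = $TargetAppIds }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{
            # 'OR' is "Require one of the selected controls" in the portal;
            # 'AND' would demand a device that is BOTH hybrid joined AND compliant.
            operator        = 'OR'
            builtInControls = @('domainJoinedDevice', 'compliantDevice')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$policy = New-DeviceTrustPolicy -DisplayName 'CA - Require hybrid-joined OR compliant device' `
    -TargetAppIds @('<target-app-id>') -ExcludeGroupIds @('<break-glass-group-id>')

# Read the policy back and confirm the Grant control before changing State to 'enabled'.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = 'Grant'; e = { "$($_.GrantControls.Operator): $($_.GrantControls.BuiltInControls -join ', ')" } }
```

The policy is created in report-only state on purpose: a device that is only on-premises domain joined and never registered with Azure AD satisfies neither control, so review the report-only results in the sign-in log for exactly those machines before enforcing.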

Conditional Access to require a domain joined device requires that the computer is joined to the on-premises Active Directory domain.

In other words, just registering a machine to Azure AD is not enough; the minimum requirement is that the computer must be joined to the on-premises domain.

I tested out each possible scenario in my lab and I posted the results on my blog site here:

http://www.thecloudtechnologist.com/azure-ad-premium-conditional-access-for-domain-joined-machines/

Hi Joe,

All my devices are in my on-premises domain, but lots of them appear to me as "Azure AD registered".

And in this way I can't use conditional access because the devices are not Compliant. What am I doing wrong with the devices in my domain, that some of them appear as Azure AD registered and other devices appear as Hybrid Azure AD Join?

devices.png

At the bottom of my long blog post, you'll find a troubleshooting section along with links to other helpful resources.
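The question above (domain-joined PCs showing up as "Azure AD registered" rather than "Hybrid Azure AD joined") comes down to which join state the device actually reports. The function below is an added example, not code from the thread or the linked blog: it classifies a Windows device from the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields that `dsregcmd /status` prints, using the state definitions the thread itself gives (Hybrid = on-prem domain joined and Azure AD joined; registered = workplace joined only), and flags a device that is both joined and registered at the same time. The embedded status text is constructed sample output; the tenant-side summary function assumes the Microsoft.Graph SDK.

```powershell
# Added example (not from the thread): classify a device's join state from
# "dsregcmd /status" output. Pass -StatusLines to parse captured text, or call
# with no arguments to run dsregcmd on the local machine.
function Get-DeviceJoinState {
    [CmdletBinding()]
    param([string[]]$StatusLines)

    if (-not $StatusLines) { $StatusLines = & dsregcmd.exe /status }

    # dsregcmd prints "   Key : Value" lines; collect them into a lookup table.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined    = $fields['DomainJoined']    -eq 'YES'
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'   # "Azure AD registered"

    $state = if ($azureAdJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
             elseif ($azureAdJoined)                { 'Azure AD joined' }
             elseif ($domainJoined)                 { 'On-premises domain joined only (unknown to Azure AD)' }
             elseif ($workplaceJoined)              { 'Azure AD registered' }
             else                                   { 'Not joined or registered' }

    [pscustomobject]@{
        State                        = $state
        # Joined AND registered at once: the device shows as "registered" too.
        DualState                    = ($azureAdJoined -and $workplaceJoined)
        # Per the documented requirement quoted in the thread, only Hybrid
        # Azure AD joined devices satisfy "Require domain joined device".
        SatisfiesDomainJoinedControl = ($azureAdJoined -and $domainJoined)
        DomainName                   = $fields['DomainName']
        TenantName                   = $fields['TenantName']
    }
}

# Tenant-side view of the same question (needs Connect-MgGraph -Scopes 'Device.Read.All'):
# TrustType ServerAd = Hybrid Azure AD joined, AzureAd = Azure AD joined, Workplace = registered.
function Get-TenantDeviceJoinSummary {
    Get-MgDevice -All |
        Group-Object TrustType |
        Select-Object @{ n = 'TrustType'; e = { $_.Name } }, Count
}

# Constructed sample of dsregcmd output for a hybrid-joined PC whose user also
# added a work account, so it is simultaneously "Azure AD registered".
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
'@ -split "`r?`n"

Get-DeviceJoinState -StatusLines $sampleStatus | Format-List
# Expected: State = Hybrid Azure AD joined, DualState = True, SatisfiesDomainJoinedControl = True
```

Run `Get-DeviceJoinState` with no arguments on one of the PCs that the portal lists as "Azure AD registered": if it reports `DomainJoined : YES` but `AzureAdJoined : NO`, the hybrid join itself has not completed and the troubleshooting section of the linked blog post is the place to start; if it reports `DualState = True`, the registered entry is a second record alongside the hybrid one.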

With Pass-through Authentication, what is the workflow for joining a machine to the domain?
