
Azure AD Join via Office 365 installation!?

Abdelhakim_Y95
Occasional Contributor

Hi All,

 

The company I manage Intune for states that when installing Office 365 on their private device and they sign in to it, they join Azure AD. I've checked my devices in Intune and this is really the case...

 

I've found out that Automatic Enrollment was set to All users.

How can I prevent users from Azure AD joining via an Office 365 installation or a private device?

1 Reply
Solution

Hi @Abdelhakim_Y95,

 

Actually, the device does not Azure AD join; it gets Azure AD registered. This is a slight difference, as you still log on via the user you used before. With Azure AD join you would log on with the Azure AD user after the join. Regarding your concern about private devices, this would be the same. I assume you won't like to have private devices managed by Intune. As soon as they get registered (aka Workplace Join) they receive Intune policies, for example. With auto enrollment an Azure AD register will end up in a device MDM managed by Intune. If we talk about Windows 10 you could easily prevent Azure AD join via:

Device enrollment > Enrollment restrictions > Device type restrictions > New policy > Properties > Configure platforms > Windows (MDM): set "Personally owned" to Block

 

This will only allow Windows Autopilot devices to enroll into MDM and block personal devices.

 

[Screenshot: SNAG-0004.png]

see: https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

 

Blocking personal Windows devices

If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. Unauthorized enrollments will be blocked.

The following methods qualify as being authorized as a Windows corporate enrollment:

- The enrolling user is using a device enrollment manager account (https://docs.microsoft.com/en-us/intune/device-enrollment-manager-enroll).
- The device enrolls through Windows Autopilot (https://docs.microsoft.com/en-us/intune/enrollment-autopilot).
- The device is registered with Windows Autopilot but isn't an MDM enrollment only option from Windows Settings.
- The device's IMEI number is listed in Device enrollment > Corporate device identifiers (https://docs.microsoft.com/en-us/intune/corporate-identifiers-add). (Not supported for Windows Phone 8.1.)
- The device enrolls through a bulk provisioning package (https://docs.microsoft.com/en-us/intune/windows-bulk-enroll).
- The device enrolls through GPO, or automatic enrollment from SCCM for co-management (https://docs.microsoft.com/sccm/comanage/quickstart-paths#bkmk_path1).

The following enrollments are marked as corporate by Intune. But since they don't offer the Intune administrator per-device control, they'll be blocked:

- Automatic MDM enrollment (https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment) with Azure Active Directory join during Windows setup (https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-frx)*.
- Automatic MDM enrollment with Azure Active Directory join from Windows Settings (https://docs.microsoft.com/azure/active-directory/user-help/user-help-register-device-on-network)*.

The following personal enrollment methods will also be blocked:

- Automatic MDM enrollment with Add Work Account from Windows Settings (https://docs.microsoft.com/azure/active-directory/user-help/user-help-join-device-on-network)*.
- MDM enrollment only option from Windows Settings (https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#connecting-personally-owned-devices-bring-your-own-device).

* These won't be blocked if registered with Autopilot.

 

best,

Oliver
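As an added, read-only audit to go with the answer above (example code written for this thread, not Oliver's and not Microsoft's): it reads the Intune enrollment restriction policies for the Windows "Personally owned: Block" setting, and lists Windows devices that Azure AD shows as registered (trust type "Workplace") but that are nonetheless MDM-managed, which is the population the question describes. It assumes the Microsoft Graph PowerShell SDK is installed and that the connecting account holds the read scopes named in the script.

```powershell
# Added example (not from this thread, not Microsoft's code): audit the enrollment
# restriction and find Azure AD *registered* Windows devices that ended up under MDM.
# Assumes: Install-Module Microsoft.Graph (Authentication, Identity.DirectoryManagement,
# DeviceManagement) and an account granted the read-only scopes below.

function Connect-AuditGraph {
    Connect-MgGraph -Scopes 'Device.Read.All',
                            'DeviceManagementServiceConfig.Read.All',
                            'DeviceManagementManagedDevices.Read.All' | Out-Null
}

# Every platform-restriction policy, with the Windows (MDM) personal-device block flag.
function Get-WindowsPersonalEnrollmentBlockState {
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
    $configs = (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' }
    foreach ($c in $configs) {
        [pscustomobject]@{
            Policy                 = $c.displayName
            Priority               = $c.priority
            WindowsPlatformBlocked = $c.windowsRestriction.platformBlocked
            WindowsPersonalBlocked = $c.windowsRestriction.personalDeviceEnrollmentBlocked  # the "Personally owned: Block" setting
        }
    }
}

# Windows devices that are Azure AD registered (Workplace Join) yet Intune-managed,
# joined to their Intune record so ownership and enrollment type are visible.
function Get-RegisteredWindowsDevicesUnderMdm {
    $mdm = @{}
    Get-MgDeviceManagementManagedDevice -All | ForEach-Object { $mdm[$_.AzureAdDeviceId] = $_ }

    Get-MgDevice -All |
        Where-Object { $_.OperatingSystem -like 'Windows*' -and $_.TrustType -eq 'Workplace' -and $_.IsManaged } |
        ForEach-Object {
            $m = $mdm[$_.DeviceId]   # DeviceId here is the Azure AD device id, not the object id
            [pscustomobject]@{
                DeviceName     = $_.DisplayName
                TrustType      = $_.TrustType
                OwnerType      = $m.ManagedDeviceOwnerType   # 'personal' is what auto-enrollment of a BYOD leaves behind
                EnrollmentType = $m.DeviceEnrollmentType
                EnrolledAt     = $m.EnrolledDateTime
                User           = $m.UserPrincipalName
            }
        }
}

Connect-AuditGraph
Get-WindowsPersonalEnrollmentBlockState | Format-Table -AutoSize
Get-RegisteredWindowsDevicesUnderMdm | Sort-Object EnrolledAt -Descending | Format-Table -AutoSize
```

Run the first function again after changing the restriction to confirm WindowsPersonalBlocked is True on the policy with the highest priority; the second list shows the devices already enrolled, which the restriction does not retire on its own.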
