SOLVED

Azure AD Conditional Access - Require Domain Joined Device


Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screen shot says ‘Not Azure AD Domain Join’ but the documentation shown in the screen shot seems to contradict this.

[image: contradiction.jpg]

24 Replies

I don't understand how I can manage devices if some users in my organization have one company device that is Hybrid Azure AD joined and another BYOD device that is Azure AD registered.

Which way can I use a conditional access rule to control access on both devices?


Conditional Access to require a domain joined device requires that the computer is joined to the on-premises Active Directory domain.

In other words, just registering a machine to Azure AD is not enough; the minimum requirement is that the computer must be joined to the on-premises domain.

I tested out each possible scenario in my lab and I posted the results on my blog site here:

http://www.thecloudtechnologist.com/azure-ad-premium-conditional-access-for-domain-joined-machines/
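A local check for the requirement stated above, added here as an example that is not from the thread or the linked blog: it parses the output of `dsregcmd /status` on a Windows 10 device and reports whether the device is Hybrid Azure AD joined (domain joined and Azure AD joined) or merely Azure AD registered. The sample output is constructed; on a real device pass `(dsregcmd /status)` instead.

```powershell
# Added example (not from the thread): classify a Windows device's join state
# from `dsregcmd /status` output, which is the state Conditional Access evaluates.
function Get-DeviceJoinState {
    param(
        # Lines of `dsregcmd /status` output
        [Parameter(Mandatory)] [string[]] $StatusLines
    )
    # Collect the "Name : YES/NO" fields from the Device State and User State sections
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $aad    = [bool]$fields['AzureAdJoined']    # device object exists as joined in Azure AD
    $domain = [bool]$fields['DomainJoined']     # joined to the on-premises AD domain
    $wpj    = [bool]$fields['WorkplaceJoined']  # per-user "Azure AD registered" state

    if ($aad -and $domain) {
        $state = 'Hybrid Azure AD joined'
    } elseif ($aad) {
        $state = 'Azure AD joined'
    } elseif ($wpj) {
        $state = 'Azure AD registered'
    } elseif ($domain) {
        $state = 'On-premises domain joined only (not registered in Azure AD)'
    } else {
        $state = 'Not joined or registered'
    }

    [pscustomobject]@{
        State                  = $state
        # What the "require Hybrid Azure AD joined device" grant control needs
        MeetsDomainJoinControl = ($aad -and $domain)
        # A domain-joined PC with WorkplaceJoined = YES but AzureAdJoined = NO shows
        # in the portal as "Azure AD registered", which is the symptom discussed in this thread
        OnlyRegistered         = ($domain -and -not $aad -and $wpj)
    }
}

# Constructed sample: a domain-joined PC whose user registered it, but which never hybrid joined
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

Get-DeviceJoinState -StatusLines $sample | Format-List
# Expected for the sample: State = Azure AD registered, MeetsDomainJoinControl = False
```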


Hi Joe,

All my devices are in my on-premises domain, but lots of them appear for me as "Azure AD registered".

This way I can't use conditional access because the devices are not Compliant. What am I doing wrong with the devices in my domain that some of them appear as Azure AD registered and other devices appear as Hybrid Azure AD joined?

[image: devices.png]

At the bottom of my long blog post, you'll find a troubleshooting section along with links to other helpful resources.

With Pass-through Authentication, what is the workflow for joining a machine to the domain?