Azure AD Conditional Access - Require Domain Joined Device

Copper Contributor

Can someone help me with this scenario;

We are planning to move from on premise AD to Azure AD.

All colleagues have an Office 365 E3 account and will have added their Office 365 account to their device for Single Sign On and device registration.

What are the next steps and what happens to the user profile?

Disconnect from AD?

How can I get the logon screen after starting the device to log on as an Office 365 user?

Are the user profiles lost?

Is everybody still a member of the local administrators group as they where when AD joined?

Is the way to go Windows ICD?

I know a lot of questions, but I hope someone can help me or guide me to a good resource.

Thanks a lot in advance! 

2 Replies
From looking at your post I would setup an Intune environment with the settings and policies you want for your Windows 10 devices. Setup conditional access so you can restrict access if the machine does not meet your requirements it does not access your resources. Once that is setup get a new build machine, i.e. off the shelf and just set it up off the domain with a local username and password, kind of like you would a home computer. Once you have got that done enrol the device into Intune, this should also Azure domain join/register (not sure on this week’s terminology) the device, your policies should apply, then you should be able to use your office 365 environment. Obviously this is very high level and you will need to do a lot of work to figure out the exact settings and obviously test it touchhole before rolling out to end users, also make sure you document as much as you can for the setup processes, so that your support team has minimal work and you have minimal escalations.

Richard,

Firstly Azure AD is not the same as your on-premise AD. Microsoft offers Azure AD Domain Services to manage Azure AD and allows you to be able to join Azure VMs to Azure AD. Please note it does not allow you to join your on-premise servers and devices to join Azure AD. You may want to watch my you tube video for better understanding at,

https://www.youtube.com/watch?v=jpT1MxEkEzI

 

Secondly you may join your Windows 10 Devices to Azure AD. You can accomplish it to your already domain joined devices. Therefore your devices can be joined to both Azure AD as well as on-premise AD. If you are using ADFS, it needs a Power Shell command to make necessary changes to your on-premise AD Schema.

As Azure AD is not replacing on-premise AD at least for now, you may want to keep your on-prem AD and but take advantages of Azure AD.

If you decide to go this route, then your questions around users' profile and administrators membership are no more a question?  

Demystifying Microsoft Security https://www.youtube.com/watch?v=qPJ-1_rPdOg&t=36s Azure Multi Factor Authentication https://www.youtube.com/watch?v=dA8N0gh-GCk&t=979s Azure B2B for On-Prem SharePoint External Users Access https://www.youtube.com/watch?v=WRnCBYaPQhs&t=5s Phishing Email Attacks and