Option for Azure AD join

40 Upvotes

Aug 02 2021
20 Comments (20 New)
In progress

In the provisioning policy, it is only possible to create an OnPrem network. However, it would be good if there is an option to join the cloud PC only in Azure AD.

Comments
Occasional Contributor

In all products you are pushed to use the cloud, and then MS releases a product which needs an on-prem system. Don't really get the idea behind this.

So please, MS, add this.

New Contributor

Also, PLEASE don't limit this to Enterprise. Small business users are crying out for AAD as well.

The intention of this post is to write a feature request for the Microsoft Windows 365 product: to have the option to work with Intune / Endpoint Manager without having to have on-premises infrastructure, including without Windows Server Active Directory (aka WSAD or AD), and to be able to work with just cloud-native Azure Active Directory (aka AzureAD or AAD).

 

Is there any estimate for such a request on the roadmap, and a timeline?

 

Thank you

Established Member

After some testing I've confirmed that Windows 365 Business appears to support Intune. The device is Azure AD Joined by default. It will automatically enroll in Intune if you have automatic enrollment set up. That said, you can tell it wasn't designed with Intune in mind. The primary user is not set up, and the Enrollment Status Page is skipped, so apps/policies will deploy 10-30 mins after the user first logs in. Confirmed you can't expand RAM, CPU, disk etc. using Windows 365 Business. It is essentially a VM that is enrolled in Intune.

@Justin Kropp can you refer this to documentation? Do you still require Active Directory on-prem for such a setup?

Occasional Contributor

This is definitely needed for Enterprise, as many are looking to move to Azure AD only (you need options for all, but don't leave Cloud Only out please). Also key for Edu.

Established Member

@hkusulja On-prem AD is not required. No special setup was required outside ensuring the user is licensed for Intune and 'Configure automatic MDM enrollment' is enabled in Intune (see https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll). You essentially just flip MDM user scope to 'all'.

 

There is a scheduled task on Windows computers that gets triggered when a device is first 'registered' with Azure AD. The scheduled task enrolls the device into Intune if the user has an Intune license and automatic enrollment is enabled in Intune. Windows 365 automatically joins/registers the cloud PC with Azure AD, thus triggering Intune enrollment.

 

You can manually emulate the scheduled task by running '%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM' in an elevated command prompt. You may also stumble across a GPO called 'Enable automatic MDM enrollment using default Azure AD credentials'. This essentially runs the command every 5 mins for one day. Helpful for environments where devices are already registered with Azure AD before you had automatic enrollment set up in Intune. In my testing, this GPO is required for Hybrid Azure AD environments.

 

You don't need to know any of this for Windows 365 Business in Intune since it's 100% automatic; however, I'm hoping it provides helpful context on how the Intune enrollment mechanism works.

Regardless, most businesses will want to wait for the Enterprise 'cloud only' version to be released due to the lack of control. The pricing is virtually the same. See the image below for a breakdown of the differences.

[image: JustinKropp_0-1628285933424.png]

 

 
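As an added, read-only companion to the enrollment mechanism described in the comment above (this is not code from the thread or from Microsoft): a PowerShell audit that reports whether a cloud PC is Azure AD joined, whether it is already MDM enrolled, whether the auto-enrollment GPO has been applied, and whether the enrollment client's scheduled task exists, without invoking deviceenroller.exe itself. The `dsregcmd /status` key names, the policy registry path and the EnterpriseMgmt task folder are assumptions from the author's own environment; verify them on your build.

```powershell
# Added example: audit Azure AD join and Intune auto-enrollment state on a device.
# Run in an elevated PowerShell session on the cloud PC. Nothing here enrolls or
# changes the device; it only reads state so you can confirm the mechanism worked.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect the single-word keys.
    $status = @{}
    foreach ($line in (& "$env:windir\system32\dsregcmd.exe" /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-AutoEnrollPolicy {
    # The GPO 'Enable automatic MDM enrollment using default Azure AD credentials'
    # is assumed to write AutoEnrollMDM=1 under this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $v = Get-ItemProperty -Path $key -Name AutoEnrollMDM -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.AutoEnrollMDM -eq 1)
}

function Test-EnrollmentTask {
    # The enrollment client registers its task under \Microsoft\Windows\EnterpriseMgmt\
    # (assumed folder); match on the task name rather than the per-tenant GUID subfolder.
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                       $_.TaskName -like '*enrolling in MDM*' }
    return [bool]$task
}

$s = Get-DsregStatus
[pscustomobject]@{
    AzureAdJoined      = $s['AzureAdJoined']   # YES on an AAD-joined cloud PC
    DomainJoined       = $s['DomainJoined']    # YES only on Hybrid Azure AD join
    MdmUrl             = $s['MdmUrl']          # empty until the device is MDM enrolled
    AutoEnrollGpoSet   = Test-AutoEnrollPolicy # expected on Hybrid, not needed for Business
    EnrollTaskPresent  = Test-EnrollmentTask
} | Format-List
```

A device that shows AzureAdJoined = YES with an empty MdmUrl is the case the comment describes: registered with Azure AD before automatic enrollment was switched on, so the task never fired.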

Thank you, I agree.

Except most will want control, so will use Windows 365 Enterprise, but we hope this will not have a requirement for Windows Server Active Directory ...; for that we now have to use a different SKU - Windows 365 Business.

Established Member

@hkusulja I remember reading that they are planning on releasing a cloud-only version (no on-prem AD requirement) of Windows 365 Enterprise in a few months. Can't find the link, but it was in a blog post and in the comments.

New Contributor

Currently only Windows 365 Business supports Azure AD Join; unfortunately, this has limited management capabilities and is insecure (i.e. all users are granted local admin).

 

Windows 365 Enterprise provides improved management capabilities; unfortunately, it requires Windows AD.

 

Many 100% virtual companies may not have an existing Windows AD. I'm requesting that Windows 365 Enterprise include support for companies that do not have (or want) Windows AD. When will Azure AD Join be supported for Windows 365 Enterprise?

Microsoft
Status changed to: In progress
 
Microsoft
Status changed to: Duplicate
 
Occasional Contributor

Azure AD join works fine for the Business version of Windows 365. In fact, for Business users it's the only option. Nothing to configure or set up. Buy, assign, use. It's that simple. You can mix and match Business and Enterprise SKUs.

New Contributor

I could also really use this. ASAP.

 

Looking to create a secure environment within a small bubble for security.

Windows 365, with restricted access to SharePoint/OneDrive, is a lovely secure little environment, but I don't feel you can do enough customisation with the Windows 365 Business setup.

 

Regular Visitor

Is there any timeline available for when this update will be released?

Contributor

This would be great. We need this functionality as well. 

Occasional Visitor

Any progress on this?
