Traditionally, the desktop management scenario for most enterprises has been one where all users and devices are located on-site with a direct network connection. That’s been the state of things for years.
But the workplace is changing. More of your users work remotely full-time; some never set foot in your physical facilities. If you do the initial setup for a Windows 10 device on-premises, you start out in control. But if those devices are distributed to your remote workforce, how do you maintain control? How do you make sure user devices are secure and up-to-date while keeping the update process simple and hassle-free?
In short, you implement a modern desktop management strategy.
You can modernize your desktop management processes by extending your local directory to the cloud using Microsoft Azure Active Directory (Azure AD). By connecting remote and on-premises devices, including personally owned devices, to Azure AD, you can protect your remote users and their devices much as you would on-premises. In fact, you can use Azure AD and your on-premises AD together in a hybrid configuration, with the on-premises directory remaining the source of truth for user accounts.
This post is designed to provide you with a quick look at the steps you need to take to integrate your on-premises directory with Azure AD. It’s a straightforward process:
If you’re already using Microsoft Azure to host virtual machines (VMs), to store backups, for Azure SQL databases, or if you are already using Office 365, you already have an Azure AD tenant.
There are four main editions of Azure AD:
If you don’t already have Azure AD, go to the Azure Active Directory page to learn about these editions and sign up for a trial.
You can try Azure AD Premium P1 for free if you would like to follow along with the rest of these instructions. Azure AD Premium is also included as part of Microsoft 365, an all-in-one modern desktop solution.
If you don't already have one, the first thing you'll need to do is create a new tenant in your organization's Azure Portal. Once you have a tenant, continue to follow the steps below.
Each Azure AD tenant comes with a default domain name that looks like tenantname.onmicrosoft.com. You can’t change that name, which you probably don’t want to use in real life, so you’ll want to connect your own custom domain name. Just sign in to the Azure Active Directory admin center and select Custom domain names from the menu. Then select Add custom domain and follow the instructions.
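The same custom-domain step done from PowerShell, as an added example that is not part of the original post. It uses the AzureAD module's New-AzureADDomain, Get-AzureADDomainVerificationDnsRecord and Confirm-AzureADDomain cmdlets; the domain name contoso.com is a placeholder, and the script assumes you are signed in as a Global Administrator and can publish a TXT record at your public DNS provider.

```powershell
# Added example (not from the original post): register and verify a custom
# domain with the AzureAD PowerShell module. Assumes the module is installed,
# you hold Global Administrator, and 'contoso.com' is replaced by your domain.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$domainName = 'contoso.com'   # assumption: your own domain name

# Register the domain; it stays unverified until the DNS proof record exists.
if (-not (Get-AzureADDomain -Name $domainName -ErrorAction SilentlyContinue)) {
    New-AzureADDomain -Name $domainName | Out-Null
}

# Retrieve the verification record Azure AD expects to find in public DNS.
$records = Get-AzureADDomainVerificationDnsRecord -Name $domainName
foreach ($r in $records) {
    # Label is the record name, Text is the MS=msXXXXXXXX value for TXT records.
    '{0}  {1}  {2}' -f $r.RecordType, $r.Label, $r.Text
}
Write-Host 'Publish the TXT record above at your DNS provider, then run the verification below.'

# Check whether the proof record is visible from this machine's resolver yet.
Resolve-DnsName -Name $domainName -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -like 'MS=ms*' } |
    ForEach-Object { "Found verification TXT: $($_.Strings)" }

# Verification fails until the record has propagated; keep the error readable.
try {
    Confirm-AzureADDomain -Name $domainName
    $d = Get-AzureADDomain -Name $domainName
    'Domain {0} verified: {1}' -f $d.Name, $d.IsVerified
} catch {
    Write-Warning "Verification failed; DNS may not have propagated yet: $_"
}
```

Only a verified domain can be used as a UPN suffix for synchronized users, so run this before Azure AD Connect: accounts whose UPN suffix is not a verified domain are synchronized with a tenantname.onmicrosoft.com UPN instead, which surprises users at sign-in.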
To help you and your users know that they're signing in to the correct tenant, it's a good idea to add your company branding. This will modify the sign-in page for any web applications that depend on Azure AD, such as Office 365. That way you can tell your users to look for your branding as a potential way to identify phishing campaigns trying to steal credentials. Treat branding as one signal rather than proof, since a phishing page can copy your logo; teach users to check the address bar for login.microsoftonline.com as well. In the Azure AD admin center, select Company branding from the menu, then select Edit to customize your branding. For more details, visit How to: Add branding to your Azure Active Directory sign-in page.
You'll also need to make sure your on-premises directory is ready for synchronization with Azure AD. For example, if you subscribe to Office 365, you will want to run IdFix to identify any problematic user accounts that might not synchronize successfully (typically duplicate e-mail addresses, or UPNs and other attributes with formatting problems). You'll also want to make sure that your directory meets the following requirements:
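A pre-synchronization readiness check of the kind IdFix performs, written here as an added example with the ActiveDirectory (RSAT) module; it is not the post's own code or IdFix itself. It flags enabled users whose UPN suffix is not one of your verified domains, whose UPN local part contains characters Azure AD rejects, and SMTP addresses (mail or proxyAddresses) shared by more than one account. The verified-domain list is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): readiness check for Azure AD
# Connect with the ActiveDirectory module. Assumes RSAT is installed and that
# $verifiedSuffixes lists the domains verified in your tenant (placeholder).
Import-Module ActiveDirectory

$verifiedSuffixes = @('contoso.com')   # assumption: your verified domains
# Characters Azure AD accepts in the local part of a UPN.
$validLocalPart   = '^[A-Za-z0-9''.\-_!#^~]+$'

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties UserPrincipalName, mail, proxyAddresses, SamAccountName

$findings = @(foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Missing UPN' }
        continue
    }
    $local, $suffix = $upn -split '@', 2
    if ($verifiedSuffixes -notcontains $suffix) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = "Unverified UPN suffix '$suffix'" }
    }
    if ($local -notmatch $validLocalPart) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = "Invalid character in UPN '$upn'" }
    }
})

# Collect every SMTP address per user; duplicates across users block sync.
$addresses = @(foreach ($u in $users) {
    if ($u.mail) {
        [pscustomobject]@{ User = $u.SamAccountName; Address = $u.mail.ToLower() }
    }
    foreach ($p in $u.proxyAddresses) {
        if ($p -match '^smtp:(.+)$') {   # -match is case-insensitive, so SMTP: and smtp: both count
            [pscustomobject]@{ User = $u.SamAccountName; Address = $Matches[1].ToLower() }
        }
    }
})
$findings += @($addresses | Group-Object Address |
    Where-Object { @($_.Group.User | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            User  = (@($_.Group.User | Sort-Object -Unique) -join ', ')
            Issue = "Duplicate SMTP address $($_.Name)"
        }
    })

if ($findings.Count -eq 0) { 'No blocking issues found.' }
else { $findings | Sort-Object User | Format-Table -AutoSize }
```

Fix every row this reports before the first sync; an object that fails to export is retried on each cycle and shows up as a persistent synchronization error in the Azure AD Connect Health and portal views.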
Downloading and installing Azure AD Connect is probably the simplest part of the process.
Even if you eventually want to enable more advanced features, starting with the express settings enabled is a great way to take advantage of essential capabilities right away. You can always run the wizard again later to enable more advanced features and you can find guidance here for deploying Azure AD in more complex environments.
Of course, having Azure AD synchronizing with your on-premises AD doesn’t get those remote devices under control all by itself. You need to get those devices registered with Azure AD.
The devices joined to your on-premises domain can also be registered with your Azure AD tenant (called hybrid Azure AD join). You can configure hybrid Azure AD join through Azure AD Connect.
Just sign into Azure AD Connect, select Configure, and then on the Additional tasks page select Configure device options. After that, follow the instructions in the wizard, selecting Configure Hybrid Azure AD join and the appropriate domain when prompted.
You'll also need to push a policy to your devices that adds the following URLs to the Local Intranet zone in Internet Explorer:
Additionally, you’ll have to enable Allow updates to status bar via script in their local intranet zone. For more details see How to manage devices using the Azure portal.
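The device-side part of the hybrid join procedure above, as an added example that is not part of the original post: it writes the zone settings on a single test machine the way the Site to Zone Assignment List and Local intranet zone policies do, kicks the registration task, then parses dsregcmd /status to confirm the join. The two URLs are the ones Microsoft documents for device registration and seamless SSO, taken from my own knowledge rather than this page, so check them against current guidance; the registry paths and the 2103 action value are likewise assumptions to verify on your build. Run it elevated on a domain-joined Windows 10 device.

```powershell
# Added example (not from the original post): set the IE zone prerequisites for
# hybrid Azure AD join on one machine and verify the result with dsregcmd.
# Assumptions: the policy registry paths below, the URL list, and 2103 as the
# "Allow updates to status bar via script" action id. Run as administrator.
$zoneMap  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$intranet = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$urls = @(
    'https://device.login.microsoftonline.com',   # device registration
    'https://autologon.microsoftazuread-sso.com'  # only needed with seamless SSO
)

New-Item -Path $zoneMap, $intranet -Force | Out-Null
foreach ($u in $urls) {
    # Zone 1 = Local intranet
    New-ItemProperty -Path $zoneMap -Name $u -Value '1' -PropertyType String -Force | Out-Null
}
# 2103 = "Allow updates to status bar via script"; 0 = Enable
New-ItemProperty -Path $intranet -Name '2103' -Value 0 -PropertyType DWord -Force | Out-Null

# Run the registration task now instead of waiting for the next sign-in.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
Start-Sleep -Seconds 30

# dsregcmd prints "Key : Value" lines; turn them into a hashtable.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}

$checks = [ordered]@{
    'Domain joined'       = $status['DomainJoined']     -eq 'YES'
    'Azure AD joined'     = $status['AzureAdJoined']    -eq 'YES'
    'Device auth status'  = $status['DeviceAuthStatus'] -eq 'SUCCESS'
    'Tenant name present' = -not [string]::IsNullOrEmpty($status['TenantName'])
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-22} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) {
    Write-Warning 'Hybrid join incomplete. Check the User Device Registration event log and confirm the device object was synchronized by Azure AD Connect.'
}
```

A device that shows DomainJoined YES but AzureAdJoined NO usually means the computer object has not yet been synchronized to Azure AD, or the device cannot reach the registration endpoints through your proxy; both are worth ruling out before touching the zone settings again.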
Once you’ve got devices registered with Azure AD, you’re ready to take more control. You can implement conditional access to resources based on the state or location of your users’ desktops, along with your users’ group membership. You’ll also have insight into what cloud apps they use with Cloud App Discovery, plus greater ability to manage Windows 10 features such as Windows Hello for Business and BitLocker.
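One concrete form of the conditional access control described above, added here as an example rather than taken from the original post: a policy that requires a hybrid Azure AD joined or Intune-compliant device for members of a pilot group, created with the Microsoft.Graph PowerShell module. It starts in report-only mode so you can inspect the sign-in log before enforcing. The group name CA-Pilot-Users is a placeholder, and the script assumes the Microsoft.Graph module is installed and you can consent to the listed scopes.

```powershell
# Added example (not from the original post): create a report-only Conditional
# Access policy requiring a managed device, using the Microsoft.Graph module.
# Assumptions: module installed; 'CA-Pilot-Users' is a placeholder group name.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All' | Out-Null

$pilot = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Users'"
if (-not $pilot) { throw 'Pilot group not found; create it first.' }

$policy = @{
    displayName = 'Require managed device for pilot users'
    # Report-only: evaluated and logged, not enforced. Change to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilot.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        # domainJoinedDevice = hybrid Azure AD joined; compliantDevice = Intune compliant
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created policy {0} ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State

# Review the new policy next to the existing ones before switching it to enforced.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'Grants'; e = { $_.GrantControls.BuiltInControls -join ',' } } |
    Format-Table -AutoSize
```

Before changing the state to enabled, exclude your emergency-access accounts from the policy and confirm in the sign-in log that the report-only evaluation passes for the devices you verified with dsregcmd; a policy that targets All applications with no exclusions can lock administrators out of the portal used to fix it.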
Azure Active Directory is just one example of how managing a modern desktop is simpler with Microsoft 365. Along with Azure Active Directory Premium, Microsoft 365 also includes Intune for mobile device and app management as part of Enterprise Mobility + Security (EMS), Office 365 ProPlus, and Windows 10.
For more information about the advantages of modern desktop management, download the e-book Modern management with Windows 10: What’s in it for IT?