Windows 10 Deployment on Azure Active Directory & Supporting Users

Brass Contributor

Half of my users are joined to my local domain, and the other half (who don't come in the office) I've joined to Azure Active directory instead.  I would like to eliminate the local AD completely if possible for PCs (not servers).  I have a series of questions related to this senario.  Also, if there is a document that provides a summary overview of how to accomplish the items below, please send me a link.  

 

  1. Is okay to join a new Windows 10 machine to Azure AD with an Azure admin account and have that account be the local machine's admin?  I want to eliminate a PC's local admin altogether if possible, and then only use and Azure admin for the local account.   Also, anyone who might be an Azure AD admin could login to the machine could act as admin on the machine, even if the first Azure admin on that machine was no longer active.  Is all of the above correct?  
  2. What is the difference between InTune and Premium AD?  Which is best for supporting my users if I am no longer using a local AD?  I unclear on which of these products would be best.
  3. Does Microsoft offer a product like Logmein that allows me to support end-users and remote control their machines? 
6 Replies

Hi Thomas, Great to hear that you are joining some of your devices to Azure AD. Answers to your questions below:

1. Yes, what you say is possible. However, you can use Windows 10 Autopilot to AAD join your devices and also designate that the first user should be a standard user. So you can now make sure the user is a std user. You are right that all AAD tenant admins are added as local admins to the PC. But this is a configurable setting in Azure AD. you could change the users that are added as admins. 

2. Intune is the management tool from Microsoft that uses MDM to manage devices from the cloud. Azure AD premium is the premium version of the Microsoft identity offering. Intune depends on Azure AD for identity. So think of Azure AD as the identity plane on which Intune is built on. You will need Azure AD premium if you would like to auto enroll into Intune as part of AAD join and use Autopilot

3. Microsoft doesnt yet have a product exactly for this E2E but Remote desktop and Skype are tools that many of our customers use. Also SCCM has remote control support and we are working with many ISVs by providing the right APIs to help them build a remote assistance tool.

 

Feel free to post back a clarification or question if there are further qeuestions.

 

Thanks,

Janani

Hi Janani,

 

Okay, great.  I just want to confirm a specific point pertaining to item #1 in my previous message.  If I take a new Windows 10 device and select the option "the PC belongs to my organization," and log into that machine for the first time with my Azure AD admin account, am I now the local admin on that machine?  Also, can any other Azure AD admin log into that machine and be the admin?  And, finally, any other user who is on the domain will now be able to login to the machine, but they won't be an admin, correct?

 

Thanks,

Thomas

Yes, you are right on all counts.

1. First user will be an admin without Autopilot

2. any Azure AD admin can logon and be an admin 

3. Any AAD user can login to the machien but will not be an admin

 

Thanks!

If you have a link for more info on Autopilot, I'll take it.

 

Thanks for the answers, and have a great day!

More info on Windows Autopilot..

https://docs.microsoft.com/en- us/windows/deployment/windows-10-auto-pilot