Jul 17 2017
- last edited on
Jan 14 2022
Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screen shot says ‘Not Azure AD Domain Join’ but the documentation shown in the screen shot seems to contradict this.
Jul 17 2017 07:28 PMSolution
Jul 18 2017 07:36 AM
Jul 18 2017 02:43 PM
An Azure AD joined machines will work with conditional access. You will just need to use the value of "Require device to be marked as compliant" This requires the device to be managed through Intune however and does not allow you to use only Azure AD joined machines that are not managed.
Jul 22 2017 04:46 AM
@Loryan Strant I just finished creating a lab to test this all out and while I was able to get Windows 7 to work with the conditional access setting "require domain joined device", I could not get it to work with Windows 10 which ironically should have been easier. Can you review my blog and let me know what I am missing? http://www.thecloudtechnologist.com/azure-ad-premium-conditional-access-for-domain-joined-machines/
Oct 06 2017 02:05 AM
Can you please elaborate further.
We have following requirement.
Only the devices issued by IT departmernt should be able to access SharePoint Online. How can I acheive this using conditional or compliance policies?
We don't have on prem AD.
Oct 06 2017 09:40 AM
The conditional access policy that checks for domain join membership of a machine is referring to on-premises AD, so if you do not have on-prem AD then you'll need to use other conditional access choices to achieve your goals.
One idea would be to enroll your IT computers in Intune and then use a compliance policy that checks for device 'health' (which relies on intune enrollment).
Another idea would be to put your IT computers behind a NAT that can be used for conditional access checking based on the external IP address of that NAT.
Oct 07 2017 08:05 AM
Thank you for the response.
Option of NAT wouldn't work as there are mobile workers.
Can you guide me more on enorllment, point to some documentation may be. Below is what should work if we can do with enrollment/compliance policy.
1. Restrict that only IT can enroll the devices.
2. Use a compliance policy that allows access only on enrolled devices.
Oct 08 2017 11:32 PM
For the first criteria, you would configure Azure AD's Device Settings to select only the IT users for the setting "Users may join devices to Azure AD"
For your second criteria, I recommend you configure conditional access based on Intune enrollment since as previously discussed, you do not meet requirements to perform domain join checking since these are not hybrid domain joined machines against on-prem AD. Per your request for documentation, I would advise that you review the following two articles:
and then in the next article, refer to the section "require device to be marked as compliant"
Nov 16 2017 03:11 PM - edited Nov 17 2017 11:33 AM
I think they have finally updated the Grant control in the conditional access policy to make it clearer. The desired conditional access policy will only work if the device is Hybrid Azure AD joined. Meaning that the domain joined device is also Azure AD joined (not registered but joined).
I think this article would help in configuring Hybrid Azure AD joined devices.
Apr 24 2018 08:27 AM
Has anyone tried the Hybrid domain join implementation? Any negative experiences? Advantages?
Apr 25 2018 04:48 AM
Ever since we enabled hybrid for our company issued computers, its been working really well for us. This is very much useful specially when you exempt Hybrid Azure AD joined devices from your Conditional Access Policy in Intune MDM/Azure AD.
Apr 27 2018 04:56 PM
I had a similar question, and received similar answers.
What you're probably looking for however is this:
That condition specifically means local domain-joined, however if the device (I'll assume Windows 10) isn't at a minimum Azure AD Registered, then Azure Conditional Access can't interpret the device as being locally domain-joined.
So in order to use that function, you need to make sure that your devices are registered in Azure AD - despite the fact that the documentation says the requirement is Hybrid Azure AD Joined, I've found that simply registering is enough. Though to be fair, you really should implement Hybrid Azure AD Join, because asking your users to go forth and register their devices in Azure AD themselves will likely lead to a whole heap of calls to the Service Desk :)
Hope it helps,
May 01 2018 12:59 AM
May 01 2018 01:05 AM
Not really, though from memory you can enroll Windows 7 devices into Intune, which would implicitly register them. Though if you're going to go through that, you may as well set up Hybrid AAD Join.
May 01 2018 01:33 AM
May 01 2018 05:13 AM
May 01 2018 06:01 AM
If you're registering devices, then yes though in my experience if you're Hybrid AAD Joining then a user object won't get associated with a device object which I found strange.