Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Benefits to Azure AD registration for Windows 10 clients O365 sign-in - Would you recommend it?

Copper Contributor

Our environment is Office 365 with Azure AD Connect sync of accounts to our native Windows Active Directory.  We use multiple Office 365 services including Office 365 ProPlus.

 

Currently our Windows 10 clients are domain-joined to the Windows AD, but not Azure AD registered.

 

Microsoft seem to be encouraging users to Azure AD register, and we note that the Office ProPlus 1710 encourages this via the "Add this account to Windows?" dialog (below),  It suggests 2 improvments, but I can't find the details.

 

Window can remember {Work/School Account} making it easier to sign in to other apps and web sites?

  1. How specifically is sign in remembered?
  2. To which services/apps/web sites is the remembered sign-in’s applied?
  3. How specifically is sign-in easer?

Clicking Yes below means that you won’t have to enter your password each time?

This implies that before Azure AD join do did have to enter your password ‘each time’. 

  1. Which service/app/web sig-in/password scenario does this refer to?
  2. What does ‘each time’ mean – each time of…..?

 

Has anyone experience of how Azure AD registration and the improvements highlighed.  I can't find any KB articles on this.  

 

Account_Settings - Copy - Copy.png

 

Thanks in advance for any response.

 

Richard

2 Replies
I'd like to know this as well, even though I have, additionally to your settings, enabled ADFS for true SSO.
As far as I know, you'll profit from the possibility to enable user settings roaming and I believe some OMS integration.

@Richard TinkerWay late response, but no, I would highly highly recommend staying away from Azure AD registration as much as possible.  It's basically opening up an enormous security hole and its offensive that this cannot be disabled when you use MDM with Office365.  Even worse they offer no way to clean up stale devices that have been registered except through obscure powershell backend commands.

 

Here's my issue with this "feature":

1. It lets any unmanaged computer that registered in Azure AD unregulated access to Office365 for up to 90 days without requiring any form of authentication.  All they need is a working user account.

2. Because you are registering with a company user account, the login to that unmanaged computer bypasses any password policies your AD domain might have.

 

What we experienced is that Azure AD registered devices can fully access all our Office365 resources, even if the account they are using has an expired password due to the 90 day free-for-all access.  To make matters worse, you are leaving the control up to the user -- admins cannot disable this ridiculous feature if they are using any form of Office365 MDM (Intune or the standard one).  I even opened a support ticket to disable this garbage but got nowhere after being ping-ponged between the Azure and Intune team.

 

So I would block registration if you have that option still available to you.  Whoever thought this was a good idea should be required to sit through a weeks worth of security best practices.  Even if a device is registered in Azure AD, we still have no control over it.  Admins can disable or delete the device, but all this does is require them to reregister and they are good to go again.