Howdy folks,
Last November Microsoft announced the availability of the first major update for Windows 10. Today we're focusing on some of the new benefits recently added to Azure AD and Windows 10 for domain joined devices.
90%+ of the enterprises have deployed Active Directory. Today there are tens of millions of domain joined devices in the world. I am thrilled with the prospect of these organizations enjoying great value instantly simply by connecting to Azure AD.
As Windows 10 domain joined devices register with Azure AD, both users and IT admins will benefit from new experiences, from enjoying SSO from everywhere, to the ability to have these devices participate in Conditional Access. Windows 10 promises to be the best device to use for work.
This post is written by Jairo Cadena a Senior Program Manager on my team who owns scenarios related to Windows 10 in the enterprise.
As always, we'd love to hear from you, so please let us know what you think!
Best Regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
-----------------------
Hello,
I'm Jairo Cadena, one of the PMs working on building Azure AD in Windows 10. I am excited to share with you the new benefits of Domain Join in Windows 10 that you'll get with the latest update of Windows.
In previous posts we have talked about Azure AD Join for work-owned devices and adding an Azure AD account to personal devices (BYOD). In this post I will talk about how the traditional way of providing work-owned devices, Domain Join, has been made better in Windows 10 with Azure AD.
Domain Join and Azure Active Directory
Windows Server Active Directory (AD) is the most widely used corporate directory, deployed by over 90% of enterprises in the world. In the last 15+ years, Domain Join has connected millions of computers to Active Directory for secure access to applications and centralized device management via Group Policy. The Integrated Windows Authentication stack (Kerberos/NTLM) gives users single sign-on (SSO) to on-premises applications and resources like file servers and printers. Azure AD lights up new experiences in Windows 10 AD domain joined devices:
- SSO from anywhere, including SSO to Azure AD apps from the extranet.
- Enterprise compliant roaming of user settings across joined devices.
- Access to Windows Store for Business using work account.
- Microsoft Passport and Windows Hello for secure and convenient access to work resources.
- Participation in device conditional access control policy.
Automatic registration of a domain joined device with Azure AD works as follows:
- Policy signals the domain joined device to start auto-registration with Azure AD.
- Device queries Active Directory to get information about the Azure AD tenant. This data is written by AAD Connect during installation/upgrade.
- Device authenticates itself to Azure AD via AD FS to get a token for registration.
- Device generates the keys used in device registration. Besides the key for the device certificate, Windows 10 devices registering with Azure AD also have a key used to protect SSO tokens by binding them to the physical device.
- Device registers with Azure AD via Azure Device Registration Service.
AAD Connect performs the following:
- Creates an object in Active Directory (a Service Connection Point) that enables domain joined devices to discover the Azure AD tenant to which they belong.
- Syncs computers in AD to Azure AD as device objects. This enables computers to securely authenticate upon automatic registration with Azure AD.
- If you have AD FS deployed, it creates a couple of claim rules that help domain joined devices register with Azure AD instantly, without waiting for the next sync cycle.
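As an added example (not code from the original post or from AAD Connect), the following PowerShell reads the Service Connection Point that AAD Connect writes and checks that domain joined devices will register with the tenant you expect. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, the SCP container name and keyword format documented by Microsoft, and a placeholder tenant id that you replace with your own.

```powershell
Import-Module ActiveDirectory

function Get-AzureADJoinScp {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # AAD Connect places the SCP under this container (name assumed from Microsoft's documentation)
    $container = "CN=Device Registration Configuration,CN=Services,$configNC"

    $scp = Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties keywords |
        Select-Object -First 1
    if (-not $scp) {
        throw "No device registration SCP found under $container; has AAD Connect been run?"
    }

    # keywords holds values of the form 'azureADName:<verified domain>' and 'azureADId:<tenant guid>'
    $info = @{ DistinguishedName = $scp.DistinguishedName }
    foreach ($kw in $scp.keywords) {
        $key, $value = $kw -split ':', 2
        $info[$key] = $value
    }
    [pscustomobject]$info
}

function Test-AzureADJoinScp {
    param([Parameter(Mandatory)][string]$ExpectedTenantId)
    $scp = Get-AzureADJoinScp
    # A mismatch means devices would auto-register with a tenant other than the one you intend
    if ($scp.azureADId -ne $ExpectedTenantId) {
        Write-Warning "SCP at $($scp.DistinguishedName) points at tenant $($scp.azureADId) ($($scp.azureADName)), expected $ExpectedTenantId"
        return $false
    }
    Write-Host "SCP OK: devices will register with $($scp.azureADName) ($($scp.azureADId))"
    return $true
}

# Placeholder: replace with your tenant id as shown in the Azure portal
Test-AzureADJoinScp -ExpectedTenantId '<your-tenant-id>'
```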