Forum Discussion

Joe Stocker's avatar
Joe Stocker
Bronze Contributor
Jul 18, 2017

Azure AD Conditional Access - Require Domain Joined Device

Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screen shot says ‘Not Azure AD Domain Join’ but the ...
Access Management
Azure Active Directory (AAD)
Identity Management
  • Loryan Strant's avatar
    Loryan Strant
    Jul 18, 2017
    Correct, that would be on-prem AD domain-join.
    Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
Vineet Arora's avatar
Vineet Arora
Brass Contributor

Hi,

 

Can you please elaborate further.

 

We have following requirement.

Only the devices issued by IT departmernt should be able to access SharePoint Online. How can I acheive this using conditional or compliance policies?

 

We don't have on prem AD.

 

Thanks,

Joe Stocker's avatar
Joe Stocker
Bronze Contributor
Oct 06, 2017

The conditional access policy that checks for domain join membership of a machine is referring to on-premises AD, so if you do not have on-prem AD then you'll need to use other conditional access choices to achieve your goals.

One idea would be to enroll your IT computers in Intune and then use a compliance policy that checks for device 'health' (which relies on intune enrollment).

Another idea would be to put your IT computers behind a NAT that can be used for conditional access checking based on the external IP address of that NAT.

  • Vineet Arora's avatar
    Vineet Arora
    Brass Contributor
    Oct 07, 2017

    Hi Joe,

     

    Thank you for the response.

     

    Option of NAT wouldn't work as there are mobile workers.

     

    Can you guide me more on enorllment, point to some documentation may be. Below is what should work if we can do with enrollment/compliance policy.

     

    1. Restrict that only IT can enroll the devices.

    2. Use a compliance policy that allows access only on enrolled devices.

     

    Thanks,

    • Joe Stocker's avatar
      Joe Stocker
      Bronze Contributor
      Oct 09, 2017

      For the first criteria, you would configure Azure AD's Device Settings to select only the IT users for the setting "Users may join devices to Azure AD"

      For your second criteria, I recommend you configure conditional access based on Intune enrollment since as previously discussed, you do not meet requirements to perform domain join checking since these are not hybrid domain joined machines against on-prem AD. Per your request for documentation, I would advise that you review the following two articles:

      https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm

      and then in the next article, refer to the section "require device to be marked as compliant"

      https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls

       

      • Deleted's avatar
        Deleted
        Sep 25, 2018

        I don't understand how can I manage devices if some user in my organization have one company device as Hybrid Azure AD joined and another byod device as Azure AD registered.

        Wich way I can use a condicional access rule to control access in both devices ?

Resources