Forum Discussion
Azure AD Conditional Access - Require Domain Joined Device
- Jul 18, 2017
Correct, that would be on-prem AD domain-join.
Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
Hi Joe,
Thank you for the response.
Option of NAT wouldn't work as there are mobile workers.
Can you guide me more on enrollment, and maybe point me to some documentation? Below is what should work if we can do it with an enrollment/compliance policy.
1. Restrict that only IT can enroll the devices.
2. Use a compliance policy that allows access only on enrolled devices.
Thanks,
For the first criterion, you would configure Azure AD's Device Settings to select only the IT users for the setting "Users may join devices to Azure AD".
For your second criteria, I recommend you configure conditional access based on Intune enrollment since as previously discussed, you do not meet requirements to perform domain join checking since these are not hybrid domain joined machines against on-prem AD. Per your request for documentation, I would advise that you review the following two articles:
and then in the next article, refer to the section "require device to be marked as compliant"
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls
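To make the second criterion concrete, here is an added example (not code from the thread or from Joe's blog) that creates the Conditional Access policy described above with the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the account running it holds the Policy.ReadWrite.ConditionalAccess permission; the policy name and the break-glass account object ID are placeholders. It requires a device marked compliant (the Intune-enrollment route recommended here) OR a hybrid Azure AD joined device (the on-prem domain-join route discussed later in the thread), which is how one policy covers a user who has both a company device and a BYOD device. The policy is created in report-only state so its effect can be checked in the sign-in logs before anything is blocked.

```powershell
# Added example, not part of the original thread. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns) is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policyName = "CA-Require-Compliant-Or-HybridJoined-Device"   # placeholder name

$policy = @{
    displayName = $policyName
    # Report-only first: sign-in logs show what WOULD be blocked, nothing is enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Always exclude an emergency-access account so a device-state problem
            # cannot lock every admin out. Placeholder object ID.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: either control satisfies the policy, so a hybrid-joined company PC
        # and an Intune-enrolled, compliant BYOD device both get access.
        operator         = "OR"
        builtInControls  = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read it back to confirm the grant controls landed as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.DisplayName
$check.State
$check.GrantControls.Operator
$check.GrantControls.BuiltInControls
```

Leave the policy in report-only for a few days and review the "Report-only" tab of the sign-in logs: a sign-in shown as "Report-only: Failure" from a device that is only "Azure AD registered" is exactly the symptom raised later in this thread, and it means that device needs either Intune enrollment (to become compliant) or hybrid join before the state is switched to "enabled".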
- Joe Stocker, Sep 25, 2018, Bronze Contributor
At the bottom of my long blog post, you'll find a troubleshooting section along with links to other helpful resources.
- Deleted, Sep 25, 2018
Hi Joe,
All my devices are in my on-premises domain, but lots of them appear for me as "Azure AD registered".
And in this way I can't use a conditional access policy because the devices are not compliant. What am I doing wrong with the devices in my domain, that some of them appear as Azure AD registered and other devices appear as Hybrid Azure AD joined?
- Joe Stocker, Sep 25, 2018, Bronze Contributor
Conditional Access to require a domain joined device requires that the computer is joined to the on-premises Active Directory domain.
In other words, just registering a machine to Azure AD is not enough, the minimum requirement is that the computer must be joined to the on-premises domain.
I tested out each possible scenario in my lab and I posted the results on my blog site here:
http://www.thecloudtechnologist.com/azure-ad-premium-conditional-access-for-domain-joined-machines/
- Deleted, Sep 25, 2018
I don't understand how I can manage devices if some users in my organization have one company device that is Hybrid Azure AD joined and another BYOD device that is Azure AD registered.
Which way can I use a conditional access rule to control access on both devices?