SOLVED

Azure AD Conditional Access - Require Domain Joined Device


Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screenshot says ‘Not Azure AD Domain Join’, but the documentation shown in the screenshot seems to contradict this.

[attached screenshot: contradiction.jpg]

Best response, confirmed by Joe Stocker:
Correct, that would be on-prem AD domain-join.
Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
So if a machine is not joined to on-prem AD and it is only joined to Azure AD, you're saying conditional access won't work? Why doesn't the documentation list the requirement of being on-prem AD joined?

Azure AD joined machines will work with conditional access. You will just need to use the value of "Require device to be marked as compliant". This requires the device to be managed through Intune, however, and does not allow you to use only Azure AD joined machines that are not managed.

@Loryan Strant I just finished creating a lab to test this all out and while I was able to get Windows 7 to work with the conditional access setting "require domain joined device", I could not get it to work with Windows 10 which ironically should have been easier. Can you review my blog and let me know what I am missing? http://www.thecloudtechnologist.com/azure-ad-premium-conditional-access-for-domain-joined-machines/ 

Hi,

Can you please elaborate further.

We have the following requirement.

Only the devices issued by the IT department should be able to access SharePoint Online. How can I achieve this using conditional or compliance policies?

We don't have on-prem AD.

Thanks,

The conditional access policy that checks for domain join membership of a machine is referring to on-premises AD, so if you do not have on-prem AD then you'll need to use other conditional access choices to achieve your goals.

One idea would be to enroll your IT computers in Intune and then use a compliance policy that checks for device 'health' (which relies on Intune enrollment).

Another idea would be to put your IT computers behind a NAT that can be used for conditional access checking based on the external IP address of that NAT.

Hi Joe,

Thank you for the response.

The NAT option wouldn't work as there are mobile workers.

Can you guide me more on enrollment, and maybe point to some documentation? Below is what should work if we can do it with an enrollment/compliance policy.

1. Restrict that only IT can enroll the devices.

2. Use a compliance policy that allows access only on enrolled devices.

Thanks,

For the first criterion, you would configure Azure AD's Device Settings to select only the IT users for the setting "Users may join devices to Azure AD".

For your second criterion, I recommend you configure conditional access based on Intune enrollment since, as previously discussed, you do not meet the requirements to perform domain join checking: these are not hybrid domain joined machines against on-prem AD. Per your request for documentation, I would advise that you review the following two articles:

https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-wi...

and then in the next article, refer to the section "require device to be marked as compliant"

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls

[attached screenshot: delegated Azure AD Join.jpg]

I think they have finally updated the Grant control in the conditional access policy to make it clearer. The desired conditional access policy will only work if the device is Hybrid Azure AD joined, meaning that the domain joined device is also Azure AD joined (not registered but joined).

I think this article would help in configuring Hybrid Azure AD joined devices:

How to configure Hybrid Azure AD Joined devices

[attached screenshot: Capture.PNG]
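To make the join states in this thread concrete, here is an added example (not from the thread or from Microsoft) that parses the "Device State" fields `dsregcmd /status` prints on a Windows 10 machine and maps them onto the states discussed: domain-joined only, Hybrid Azure AD joined, Azure AD joined, or Azure AD registered. The sample outputs are constructed; the field names are the ones dsregcmd prints.

```python
# Added example: classify a Windows device's join state from the "Device State"
# block of `dsregcmd /status`, so an admin can see why the grant control
# "Require Hybrid Azure AD joined device" passes or fails for a given machine.
# Sample outputs below are constructed; field names are those dsregcmd prints.
import re
from typing import Dict

# Constructed: on-prem domain-joined PC that never registered with Azure AD.
# This is the case the thread describes: Azure AD has no device object, so the
# grant control fails even though the PC is domain joined.
DOMAIN_ONLY = """
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
"""
# Constructed: same PC after Hybrid Azure AD Join (the state the control requires).
HYBRID = """
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
"""
# Constructed: cloud-only Azure AD joined PC (no on-prem AD), and a device that
# is only Azure AD registered (WorkplaceJoined is under "User State" on newer builds).
AAD_JOINED = "AzureAdJoined : YES\nEnterpriseJoined : NO\nDomainJoined : NO\n"
REGISTERED = "AzureAdJoined : NO\nDomainJoined : NO\nWorkplaceJoined : YES\n"

FIELD = re.compile(r"^\s*(\w+)\s*:\s*(\S.*?)\s*$", re.MULTILINE)


def parse_dsregcmd(output: str) -> Dict[str, str]:
    """Turn the `Name : Value` lines of dsregcmd output into a dict."""
    return {m.group(1): m.group(2) for m in FIELD.finditer(output)}


def join_state(fields: Dict[str, str]) -> str:
    """Map the dsregcmd fields onto the join states discussed in the thread."""
    def yes(name: str) -> bool:
        return fields.get(name, "NO").upper() == "YES"
    if yes("AzureAdJoined") and yes("DomainJoined"):
        return "hybrid-azure-ad-joined"
    if yes("AzureAdJoined"):
        return "azure-ad-joined"
    if yes("WorkplaceJoined"):
        return "azure-ad-registered"
    if yes("DomainJoined"):
        return "domain-joined-only"
    return "not-joined"


def satisfies_hybrid_join_control(output: str) -> bool:
    """True only for devices that satisfy 'Require Hybrid Azure AD joined device'."""
    return join_state(parse_dsregcmd(output)) == "hybrid-azure-ad-joined"
```

Run `dsregcmd /status` on the workstation, feed its output to `satisfies_hybrid_join_control`, and a `False` on a domain-joined PC tells you the device has not completed Hybrid Azure AD Join yet.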

I agree, it is more clear now.

Has anyone tried the Hybrid domain join implementation? Any negative experiences? Advantages?

I've deployed it a few different companies, and it has gone pretty well.

Ever since we enabled hybrid for our company-issued computers, it's been working really well for us. This is very useful, especially when you exempt Hybrid Azure AD joined devices from your Conditional Access Policy in Intune MDM/Azure AD.

Hi Joe,

I had a similar question, and received similar answers.

What you're probably looking for, however, is this:

That condition specifically means local domain-joined; however, if the device (I'll assume Windows 10) isn't at a minimum Azure AD Registered, then Azure Conditional Access can't interpret the device as being locally domain-joined.

So in order to use that function, you need to make sure that your devices are registered in Azure AD. Despite the fact that the documentation says the requirement is Hybrid Azure AD Joined, I've found that simply registering is enough. Though to be fair, you really should implement Hybrid Azure AD Join, because asking your users to go forth and register their devices in Azure AD themselves will likely lead to a whole heap of calls to the Service Desk 🙂

Hope it helps,

Dan

Hey Dan,

Interesting. So simple Azure AD registration is enough to enforce a conditional access policy?
But there is no similar simple way for Windows 7, right?

Thanks.
-John

Not really, though from memory you can enroll Windows 7 devices into Intune, which would implicitly register them. Though if you're going to go through that, you may as well set up Hybrid AAD Join.

You are right.
Also, as far as I know, the Intune enrollment on Windows 7 requires some user interaction and cannot be done during sign-on. Well, automatic MDM enrollment can be set up in Azure, but the workplace join has to be initiated by the user at some point. I am not familiar with a way where the user doesn't have to enter his email address and password to join Azure. Also within Autopilot the user has to enter the credentials at this point.
One additional question:
What about shared workstations for shift workers? Will the same device be registered in Azure AD for every user individually after sign-on?

If you're registering devices, then yes, though in my experience if you're Hybrid AAD Joining then a user object won't get associated with a device object, which I found strange.
