Forum Discussion
Azure AD Conditional Access - Require Domain Joined Device
- Jul 18, 2017
Correct, that would be on-prem AD domain-join.
Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
Hi Joe,
I had a similar question, and received similar answers.
What you're probably looking for however is this:
That condition specifically means local domain-joined, however if the device (I'll assume Windows 10) isn't at a minimum Azure AD Registered, then Azure Conditional Access can't interpret the device as being locally domain-joined.
So in order to use that function, you need to make sure that your devices are registered in Azure AD - despite the fact that the documentation says the requirement is Hybrid Azure AD Joined, I've found that simply registering is enough. Though to be fair, you really should implement Hybrid Azure AD Join, because asking your users to go forth and register their devices in Azure AD themselves will likely lead to a whole heap of calls to the Service Desk :)
Hope it helps,
Dan
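One way to confirm which of these states a device is actually in before relying on the control, as an added example that is not part of this thread: a small Python classifier for captured `dsregcmd /status` output (the sample output below is constructed; it assumes the usual `Key : Value` layout of that command).

```python
import re
from enum import Enum

class DeviceState(Enum):
    HYBRID_AZURE_AD_JOINED = "Hybrid Azure AD joined"
    AZURE_AD_JOINED = "Azure AD joined (cloud only)"
    AZURE_AD_REGISTERED = "Azure AD registered"
    DOMAIN_JOINED_ONLY = "On-prem domain joined, unknown to Azure AD"
    NOT_JOINED = "Not joined or registered"

# dsregcmd prints fields as '   AzureAdJoined : YES'; box-drawing and section lines have no ':'.
_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def parse_dsregcmd(output: str) -> dict:
    """Collect 'Key : Value' pairs from dsregcmd /status output."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields: dict) -> DeviceState:
    """Map the Device State / User State flags to the state Conditional Access sees."""
    def yes(key):
        return fields.get(key, "NO").upper() == "YES"
    if yes("AzureAdJoined") and yes("DomainJoined"):
        return DeviceState.HYBRID_AZURE_AD_JOINED
    if yes("AzureAdJoined"):
        return DeviceState.AZURE_AD_JOINED
    if yes("WorkplaceJoined"):  # listed under 'User State' on Azure AD registered devices
        return DeviceState.AZURE_AD_REGISTERED
    if yes("DomainJoined"):
        return DeviceState.DOMAIN_JOINED_ONLY
    return DeviceState.NOT_JOINED

def visible_to_conditional_access(state: DeviceState) -> bool:
    """Azure AD must know the device before any device-based control can evaluate it."""
    return state not in (DeviceState.DOMAIN_JOINED_ONLY, DeviceState.NOT_JOINED)

def meets_documented_hybrid_join_requirement(state: DeviceState) -> bool:
    """The documented requirement for 'Require domain joined device' is Hybrid Azure AD Join."""
    return state is DeviceState.HYBRID_AZURE_AD_JOINED

# Constructed sample: an on-prem-joined PC that was never registered in Azure AD.
SAMPLE_DOMAIN_ONLY = """\
| Device State                                                         |
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
"""
```

A device that classifies as `DOMAIN_JOINED_ONLY` is the case discussed above: joined on-prem, but invisible to Conditional Access until it is at least registered.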
- John Matrix, May 01, 2018, Brass Contributor
Hey Dan,
Interesting. So simple Azure AD registration is enough to enforce a conditional access policy?
But there is no similar simple way for Windows 7, right?
Thanks.
-John
- Daniel Kharman, May 01, 2018, Brass Contributor
Not really, though from memory you can enroll Windows 7 devices into Intune, which would implicitly register them. Though if you're going to go through that, you may as well set up Hybrid AAD Join.
- John Matrix, May 01, 2018, Brass Contributor
One additional question:
What about shared workstations for shift workers? Will the same device be registered in Azure AD for every user individually after sign-on?