Forum Discussion
Azure AD Conditional Access - Require Domain Joined Device
- Jul 18, 2017
Correct, that would be on-prem AD domain-join.
Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
Hi Joe,
I had a similar question, and received similar answers.
What you're probably looking for however is this:
That condition specifically means local domain-joined; however, if the device (I'll assume Windows 10) isn't at a minimum Azure AD Registered, then Azure Conditional Access can't interpret the device as being locally domain-joined.
So in order to use that function, you need to make sure that your devices are registered in Azure AD - despite the fact that the documentation says the requirement is Hybrid Azure AD Joined, I've found that simply registering is enough. Though to be fair, you really should implement Hybrid Azure AD Join, because asking your users to go forth and register their devices in Azure AD themselves will likely lead to a whole heap of calls to the Service Desk :)
Hope it helps,
Dan
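Added example, not from the thread or from Microsoft: a PowerShell helper that parses `dsregcmd /status` output and reports which join state a Windows 10 device is actually in, since that is what the "Require domain joined device" control evaluates. The key names (AzureAdJoined, DomainJoined, WorkplaceJoined) are the real dsregcmd fields; the sample rows are constructed so the script runs offline.

```powershell
# Added example (not from the thread): classify a Windows 10 device's Azure AD
# relationship from `dsregcmd /status` output. A device that is only on-prem
# domain joined is invisible to Conditional Access, which is the confusion above.

function Get-DsregValues {
    param([string[]]$Lines)
    $values = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : VALUE" rows; box-drawing header lines are skipped
        if ($line -match '^\s*(\w+)\s*:\s*(\S+)\s*$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    return $values
}

function Get-DeviceJoinState {
    param([string[]]$Lines)
    $v   = Get-DsregValues -Lines $Lines
    $aad = $v['AzureAdJoined']   -eq 'YES'   # device object in Azure AD
    $dom = $v['DomainJoined']    -eq 'YES'   # on-prem AD membership
    $wpj = $v['WorkplaceJoined'] -eq 'YES'   # per-user Azure AD Registered state

    if ($aad -and $dom) { return 'Hybrid Azure AD Joined' }
    if ($aad)           { return 'Azure AD Joined' }
    if ($wpj)           { return 'Azure AD Registered (workplace joined)' }
    if ($dom)           { return 'On-prem domain joined only: not visible to Conditional Access' }
    return 'Not joined or registered'
}

# Constructed, abridged sample of the relevant dsregcmd /status rows
$sample = @(
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '           WorkplaceJoined : NO'
)
Get-DeviceJoinState -Lines $sample

# On a real machine, feed the live output instead of the sample:
# Get-DeviceJoinState -Lines (dsregcmd /status)
```

The sample above is the problematic case from the thread: an on-prem joined PC with no Azure AD device object, so the policy cannot treat it as domain joined until it is registered or Hybrid joined.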
Interesting. So simple Azure AD registration is enough to enforce a conditional access policy?
But there is no similar simple way for Windows 7, right?
Thanks.
-John
- Daniel Kharman, May 01, 2018, Brass Contributor
Not really, though from memory you can enroll Windows 7 devices into Intune, which would implicitly register them. Though if you're going to go through that, you may as well set up Hybrid AAD Join.
- John Matrix, May 01, 2018, Brass Contributor
One additional question:
What about shared workstations for shift workers? Will the same device be registered in Azure AD for every user individually after sign-on?
- Daniel Kharman, May 01, 2018, Brass Contributor
If you're registering devices, then yes though in my experience if you're Hybrid AAD Joining then a user object won't get associated with a device object which I found strange.
- John Matrix, May 01, 2018, Brass Contributor
You are right.
Also, as far as I know, the Intune enrollment on Windows 7 requires some user interaction and cannot be done during sign-on. Well, automatic MDM enrollment can be set up in Azure, but the workplace join has to be initiated by the user at some point. I am not familiar with a way where the user doesn't have to enter his email address and password to join Azure. Also, within Autopilot the user has to enter the credentials at this point.