Forum Discussion
Azure AD Conditional Access - Require Domain Joined Device
Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screen shot says ‘Not Azure AD Domain Join’ but the ...
- Correct, that would be on-prem AD domain-join.
Why it's confusing is because it's possible to have on-prem AD domain-joined PCs automatically register and enroll with Azure AD.
Hey Dan,
interesting. So simple Azure AD registration is enough to enforce a conditional access policy?
But there is no similar simple way for Windows 7, right?
Thanks.
-John
interesting. So simple Azure AD registration is enough to enforce a conditional access policy?
But there is no similar simple way for Windows 7, right?
Thanks.
-John
Not really, though from memory you can enroll Windows 7 devices into Intune, which would implicitly register them. Though if you're going to go through that, you may as well set up Hybrid AAD Join.
- One additional question:
What about shared workstations for shift workers? Will the same device be registered in Azure AD for every user individually after sign-on?If you're registering devices, then yes though in my experience if you're Hybrid AAD Joining then a user object won't get associated with a device object which I found strange.
- You are right.
Also, as far as I know, the Intune enrollment on Windows 7 requires some user interaction and cannot be done during sign-on. Well, automatic MDM enrollment can be set up in Azure, but the workplace join has to be initiated by the user at some point. I am not familiar with a way where the user doesn't have to enter his email address and password to join Azure. Also within Autopilot the user has to enter the credentials at this point.
