Windows 10+Azure AD: register or join? Turn on Auto Enrollment to Intune?

In Windows 10, under Settings- Accounts and Access work or school, you have a couple of actions to pick from: setting up a work or school account, join the Windows 10 device to Azure Active Directory or join it to a local Active Directory. Personally I know  the local AD and I do understand Azure AD but what is setting up a work or school account? And how is that different than Azure AD? When will I use one or the other?

Let’s start with setting up a school or work account. With this option you register your Windows 10 device in Azure AD. So, this isn’t an Azure AD join. The use case behind this is Bring Your Own Device. Personal owned Windows devices being used for work as well. By registering your personal W10 device in AAD (Azure AD), you will enjoy the benefits of Single Sign On to your company’s cloud apps, seamless multi-factor authentication and access to on-premises apps via the Web Application Proxy and ADFS Device Registration.

Device registration is possible for Windows, IOS and Android devices. In fact, registration is the only option for IOS and Android devices since they cannot be joined to AAD.

In Azure (the Azure Portal- Active Directory- Applications- Intune), you can turn on “Auto Enrollment” to Intune. What this means is that when Windows 10 devices are registered by users, those devices are automatically being enrolled in Intune. You can set this up for all users, none of them or by group. After enrollment, IT can manage your device by applying device and application policies. My question is: do you want BYOD/personal devices being enrolled automatically into Intune after registration? Thinking out loud, I would say no. Not automatically. Maybe registering a device, so that the user can benefit from SSO is more than enough for that user. And also thinking but the upcoming W10 Creators Update with fancy Mobile Access Management features, maybe that is enough and there is no need to manage the device. I can imagine that a user doesn’t want IT to manage his/her own personal device. This could change if that user would like to access more company resources, like email. In that case, conditional access could require the user to enroll his device in order to get access to mail. It’s up to the user to do that or not. Do realize, with IOS and Android devices, there is no choice of registering and/or (automatically) enrolling the device. It always is both. You enroll those devices and then they are registered in AAD.

 

So, now Azure AD join. Here, the use case is corporate owned devices. And again, only Windows devices can be joined. Besides the SSO, Multi-Factor Authentication benefits like with registering devices, a join adds a couple of other features: Phone/PIN sign in and AAD cloud Bitlocker key storage, to name a couple. Would you auto enroll those devices into Intune automatically? In this case I would say yes. The devices are corporate, users have access to many resources so you would like to manage and protect these devices and users. Automatically enrolling the devices and deploying policies is a great way in doing that.

I won’t discuss the local AD join because it’s been around for ages and it’s known to the public. I always like to say it is the “old school” way of Windows device management: AD with SCCM and GPO’s. The new way in my opinion is AAD join/registration with Enterprise Mobility Management- Intune. However, know it is possible to register a local AD joined Windows device to AAD.

Some background resources can be found here:

  • Differences between AAD join/registration here,
  • Automatic enrollment,
  • Managing AAD joined devices with Intune,
  • Windows 10 AAD join

Credits to Pieter Wigleven and Bjorn Axell, both Microsoft colleagues for helping me out!