Entra ID device join

July 30, 2015

The UW Windows Infrastructure has limited who can join devices to our enterprise Entra ID. This capability is more broadly possible with the release of Windows 10.

 

What and When:

The UWWI service is following the decision/guidance of the Entra ID governance team, put into place by the UW Enterprise Architecture program. Many thanks to the sage advice of that team.

 

Entra ID device join has been put into a limited, exploratory stage. The setting has changed from the default, where anyone with a user account in our enterprise Entra ID (currently anyone with a UW NetID) could join any capable device, to one where only a very small group can join devices.

 

What You Need to Do:

No action is required. If you joined one of the 50 devices that are already Entra ID joined, we’ll be contacting you to ensure you know the implications and our guidance, and that you have the option of disconnecting from Entra ID. See https://cloudpuzzles.net/2015/03/disconnecting-a-windows-10-device-from-azure-ad/ for a walkthrough of disconnecting.

 

More Info:

This notice will be sent to techsupport@uw.edu on the existing Windows 10 thread.

 

Our enterprise Entra ID is uwnetid.onmicrosoft.com, but has domains such as uw.edu, u.washington.edu, and washington.edu associated with it. So when a user enters a username of <uwnetid>@uw.edu in the Entra ID device join experience, they end up in our enterprise Entra ID.

 

The Entra ID device join capability:

-has no delegated administration

-requires Intune licensing or another MDM product to realize the same device management value as AD join

-has the ability to centrally do a partial device wipe

-has the ability to join mobile devices which are incapable of AD join

 

While there are some new and exciting capabilities here, we believe this represents an immature offering for our environment, so we are limiting its availability at this time. We will continue to explore this capability, reviewing it for positive steps in maturity and utility for the UW.

 

NOTE: This capability is different from Workplace Join (which we don’t currently support), and also separate from the Entra ID Conditional Access capability which can use AD joined devices as part of access control decisions.

 

If you’d like to read more about the Entra ID Device Join capability, we recommend the following:

-http://blogs.technet.com/b/in_the_cloud/archive/2015/05/28/managing-azure-active-directory-joined-devices-with-microsoft-intune.aspx

-http://blogs.technet.com/b/ad/archive/2015/05/28/azure-ad-join-on-windows-10-devices.aspx

 

If you have reason to partner with us to explore this capability, please contact UWWI via help@uw.edu.

 

Brian Arkills

UW Windows Infrastructure Service Manager