Azure AD Device Join

Last updated: January 30, 2023
Audience: All UW

Windows 10 devices and some mobile devices (iOS or Android) can be joined to or registered with Azure AD. When a user enters a username of <uwnetid>@uw.edu in the Azure AD device join experience, or registers the device with Azure AD, and the operation is allowed, that device will end up in the UW's primary Azure AD tenant.

Current state and Guidance

As of August 2020, the UW has enabled Azure AD (AAD) device join for all users eligible for the Microsoft 365 A3 licenses. Hybrid join has been enabled since June 25, 2020.

The UW has allowed any device to be Azure AD registered since that capability was available.

Azure AD device registration
Azure AD device join
Azure AD hybrid join

Azure AD device registration is generally encouraged. Many applications like OneDrive for Business Sync require it, and many users don’t even realize they are dependent on this functionality.

Azure AD device join is generally discouraged. It is possible, but it leaves the device in a state that is less than ideal: Intune provides no general management capabilities at the UW at this time, and your local IT support can't easily manage a device in this state.

Azure AD hybrid join is generally encouraged. There are two recommended paths to this state: per-device provisioning via Autopilot registration, or being an eligible computer in the NETID Active Directory.

Users who choose to Azure AD join a device are advised that UW Administrative Policy Statement (APS) 55.1, "Mobile Device Use and Allowance Policy", applies to that device. You may be legally required to provide the UW unrestricted access to the device, and the UW reserves the right to remotely wipe the device or block your ability to read UW data present on the device. If you wish to disconnect your device from Azure AD, see https://myworkaccount.microsoft.com/device-list.

The UW has no plans at this time to perform device wipes (partial or otherwise).

Azure AD Device Details

There are 3 different associated states a device might be in with respect to Azure AD: Azure AD registered, Azure AD joined, and Azure AD hybrid joined. Each is described under "Current state and Guidance" above.

You can review and manage your Azure AD devices via https://myworkaccount.microsoft.com/device-list or https://account.activedirectory.windowsazure.com/r/#/profile, under “Devices & activity”.
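The portals above show which devices are associated with your account, but not which of the three states a given Windows machine is in. As an added example (not code from this page or from UW-IT), the following PowerShell classifies a device by parsing the output of dsregcmd /status, the built-in Windows tool that reports join state, using the AzureAdJoined, DomainJoined and WorkplaceJoined fields it prints. The function name, the field-to-state mapping, and the sample output are this example's own assumptions; the sample is constructed and does not describe a real UW device.

```powershell
# Added example, not part of the UW-IT page: classify a Windows device's
# Azure AD relationship from `dsregcmd /status` output.
# Mapping assumed here (based on the fields dsregcmd reports):
#   AzureAdJoined=YES and DomainJoined=YES  -> hybrid Azure AD joined
#   AzureAdJoined=YES and DomainJoined=NO   -> Azure AD joined
#   WorkplaceJoined=YES (User State section) -> Azure AD registered
function Get-AadDeviceState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running the tool live.
        [string[]]$StatusLines = (& dsregcmd /status)
    )

    # dsregcmd prints "   Key : Value" lines; keep the first value seen per key.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $key = $Matches[1]
            if (-not $fields.ContainsKey($key)) { $fields[$key] = $Matches[2] }
        }
    }

    $aadJoined    = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined = $fields['DomainJoined']    -eq 'YES'
    $wpJoined     = $fields['WorkplaceJoined'] -eq 'YES'

    $state = if ($aadJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
             elseif ($aadJoined)                { 'Azure AD joined' }
             elseif ($wpJoined)                 { 'Azure AD registered' }
             else                               { 'Not associated with Azure AD' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $aadJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $wpJoined
        TenantName      = $fields['TenantName']
        DeviceId        = $fields['DeviceId']
    }
}

# Constructed sample of dsregcmd output (not captured from a real device),
# showing a hybrid-joined machine: both AzureAdJoined and DomainJoined are YES.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : NETID
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Example Tenant

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

# Offline run against the sample; reports State = 'Hybrid Azure AD joined'.
Get-AadDeviceState -StatusLines $sample

# On a real machine, run with no arguments to classify the local device:
#   Get-AadDeviceState
```

Run it before disabling a device or choosing a join path: a machine reporting "Azure AD joined" is in the discouraged state described above, while "Hybrid Azure AD joined" is the recommended one. Note that WorkplaceJoined reflects the signed-in user's registration, so check it as the user concerned, and that dsregcmd reads the local state of the device rather than the tenant's view of it.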

Disabling an Azure AD Device

You should only disable an Azure AD device if you have lost the device or the device is no longer in use. If you disable an Azure AD device, you will be unable to perform any Azure AD authentications from that device, and you will not be able to re-enable it without UW-IT assistance. Mistakenly disabling an Azure AD device has a high impact on the end user.

Office products (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office ProPlus) on Windows require the device to be registered with the Azure AD tenant of the user account in order to allow sign in with that user account. No device registration with that Azure AD tenant means no sign in to Office for that Azure AD user from that device, and a disabled device registration also means no sign in. When you disable your device, you can't sign in from that device until one of a small handful of people at the UW re-enables that device for you.

Further reading

Intune at the UW

Microsoft 365 A3 & eligibility

Microsoft cloud-based device management glossary

Hybrid join via a Delegated OU