This document is intended for users who are considering whether to join their device to Entra ID.
Current State
On 7/30/2015, the UW generally turned off the ability to do an Entra ID join, allowing only limited explorations of the capabilities.
Read on for more information. If you’d like to partner with us to explore this capability, please contact Microsoft Infrastructure via help@uw.edu.
Orientation and Background
Entra ID provides a variety of capabilities, including authentication and credential management, collaboration and application management, device management, and information security, and it enables cloud-based solutions. If you are familiar with Active Directory, Entra ID is the cloud-based identity-as-a-service (IDaaS) counterpart: it provides many of the same kinds of capabilities, with the benefits of a cloud-based solution, but it is not a hosted copy of Active Directory Domain Services.
Microsoft has provided the ability for Windows 10 devices to join Entra ID and has indicated that in the future other types of devices will be able to Entra ID join.
Like an Active Directory domain join, joining a device to Entra ID gives you integrated user authentication and makes it easier to collaborate with other users. There are also some device management benefits, as with an Active Directory domain join, though they are more limited. Unlike an Active Directory domain join, Microsoft designed this experience to support “bring your own device” scenarios, i.e. you might join your personally owned device to Entra ID. Through the MDM integration described below, UW documents on your device can be tagged so that, if the UW chooses, it can “unjoin” the device and block access to those documents (a selective wipe). This is designed to provide some peace of mind around two scenarios: a device goes missing, or a user’s access to all UW materials must be removed.
The UW’s primary Entra ID tenant is uwnetid.onmicrosoft.com, but it also has verified domains such as uw.edu, u.washington.edu, and washington.edu associated with it. So when a user enters a username of <uwnetid>@uw.edu in the Entra ID device join experience, and the join is allowed, that device will end up in the UW’s primary Entra ID tenant.
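Because the username you type decides which tenant the device lands in, it is worth verifying the result after a join. The following PowerShell is an added example, not code from the UW page or from Microsoft: it parses the output of dsregcmd /status and compares the tenant ID it finds with the one you expect. It assumes dsregcmd.exe is present (it ships with Windows 10 from the 1607 release onward) and that the tool prints its fields as "Name : Value" rows under headings such as Device State and Tenant Details. The sample output, the tenant name and the GUIDs in it are constructed placeholders, not the UW's real identifiers.

```powershell
# Added example, not from the UW page: parse the output of "dsregcmd /status" and report
# whether this Windows 10 device is Entra ID (Azure AD) joined and to which tenant.
# Assumption: dsregcmd.exe is present and prints "Name : Value" rows; its field names
# still use the older "AzureAd" naming even though the service is now called Entra ID.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Collect every "Name : Value" row into a hashtable; banner lines ("+----", "| ... |") are skipped.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        AzureAdJoined   = ($fields['AzureAdJoined']   -eq 'YES')  # device is Entra ID joined
        DomainJoined    = ($fields['DomainJoined']    -eq 'YES')  # classic AD domain join
        WorkplaceJoined = ($fields['WorkplaceJoined'] -eq 'YES')  # "add work account" registration only
        TenantName      = $fields['TenantName']
        TenantId        = $fields['TenantId']
        DeviceId        = $fields['DeviceId']
    }
}

function Test-ExpectedTenant {
    param(
        [Parameter(Mandatory)][pscustomobject]$State,
        [Parameter(Mandatory)][string]$ExpectedTenantId
    )
    if (-not $State.AzureAdJoined) {
        return 'Device is not Entra ID joined.'
    }
    if ($State.TenantId -ieq $ExpectedTenantId) {
        return "Device $($State.DeviceId) is joined to the expected tenant ($($State.TenantName))."
    }
    # A join against the wrong tenant (for example a personal or partner tenant) shows up here.
    return "WARNING: device is joined to tenant $($State.TenantId) ($($State.TenantName)), not $ExpectedTenantId."
}

# Constructed, abbreviated sample standing in for a real "dsregcmd /status" run; the GUIDs are placeholders.
$sampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
           WorkplaceJoined : NO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Example University
                  TenantId : 11111111-2222-3333-4444-555555555555
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $sampleOutput
Test-ExpectedTenant -State $state -ExpectedTenantId '11111111-2222-3333-4444-555555555555'

# On a real device, feed the live tool output instead of the constructed sample:
#   $state = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
```

Note the distinction the parser preserves: a personally owned device on which someone merely added a work account shows WorkplaceJoined : YES (Entra ID registered) rather than AzureAdJoined : YES (Entra ID joined). Only the latter is the device join this page discusses, so a device that reports registered-only has not joined the UW tenant even if it signs in with a @uw.edu account.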
Discussion
The UW is excited about a few key differentiating aspects of the Entra ID join capability. The ability to do a “selective wipe” of a personally owned device is very powerful. The ability to securely join and use a device from anywhere on the internet without a VPN is also a significant advance, especially for those who are mobile. Finally, the future ability to join devices which currently have no way to join an Active Directory domain is tantalizing.
These exciting new capabilities are tempered by a couple of significant downsides. Specifically, the existing device management capabilities provided via the Entra ID join capability are very immature. They rely on integration with solutions from the Mobile Device Management (MDM) sector, with Microsoft’s Intune MDM product as a first-class provider of this device management (other MDM providers can also work). The problems with this are:
- Intune provides no delegated administration, but the UW requires delegated administration for device management
- Intune licensing, or another MDM product, is needed to realize the same device management value as an AD join
Guidance Summary and Current Status
While there are some new and exciting capabilities here, we believe Entra ID device join represents an immature offering for our environment, so we are limiting its availability at this time.
On 7/30/2015, the UW generally turned off the ability to do an Entra ID join, allowing only limited explorations of the capabilities. If you’d like to partner with us to explore this capability, please contact Microsoft Infrastructure via help@uw.edu.
Users who have chosen to do an Entra ID device join are advised that UW Administrative Policy Statement (APS) 55.1 “Mobile Device Use and Allowance Policy” does apply. You may be legally required to provide the UW unrestricted access to the device, and the UW reserves the right to remotely wipe the device. If you wish to disconnect your device from Entra ID, see https://cloudpuzzles.net/2015/03/disconnecting-a-windows-10-device-from-azure-ad/ for a walkthrough of disconnecting.
The UW has no plans at this time to perform device wipes (partial or otherwise).
The UW has no plans at this time to deploy Intune, nor does it have licenses to cover the entire UW population.
These plans may change in the future.