IT Connect

Information technology tools and resources at the UW

Azure AD Device Join Guidance

This document is intended for users who are considering whether to join their device to Azure AD.

Current State

On 7/30/2015, the UW generally turned off the ability to do an Azure AD join, allowing only limited explorations of the capabilities.

Read on for more information. If you’d like to partner with us to explore this capability, please contact Microsoft Infrastructure via help@uw.edu.

Orientation and Background

Azure AD provides a variety of capabilities that include authentication & credential management, collaboration & application management, device management, information security, and enable cloud-based solutions. If you are familiar with Active Directory, Azure AD is the cloud-based, infrastructure-as-a-service (IaaS) version, providing many of the same kinds of capabilities, but with all the benefits of a cloud-based solution.

Microsoft has provided the ability for Windows 10 devices to join Azure AD and has indicated that in the future other types of devices will be able to Azure AD join.

Like an Active Directory domain join, when you join a device to Azure AD, you get an integrated user authentication and can more easily collaborate with other users. There are also some limited device management benefits, as you get from an Active Directory domain join. Unlike an Active Directory domain join, Microsoft has designed this experience to support “bring your own device” scenarios, i.e. you might join your personally owned device to Azure AD. UW documents present on your device can be stamped such that if the UW wants, it can “unjoin” your device and block the ability to get to those documents on your device. This is designed to provide some peace-of-mind around two scenarios: a device goes missing or a user’s access to all UW materials should be removed.

The UW’s primary Azure AD tenant is uwnetid.onmicrosoft.com, but has domains such as uw.edu, u.washington.edu, and washington.edu associated with it. So when a user enters a username of <uwnetid>@uw.edu in the Azure AD device join experience, if allowed, that device will end up in the UW’s primary Azure AD.

Discussion

The UW is really excited about a couple key differentiating aspects of the Azure AD join capability. The ability to do a “selective wipe” of a personally owned device is very powerful. Also the ability to securely join and use a device from anywhere on the internet without a VPN is a significant advance, especially for those who are mobile. Finally, the future ability to join devices which currently have no ability to join an Active Directory domain is tantalizing.

These exciting new capabilities are tempered by a couple of significant downsides. In specific, the existing device management capabilities provided via the Azure AD join capability are very immature. They leverage integration with solutions provided by the Mobile Device Management (MDM) sector, with Microsoft’s Intune MDM product as a first-class provider of this device management (other MDM providers can also work). The problems with this is are:

  • Intune provides no delegated administration, but the UW requires delegated administration for device management
  • InTune licensing is needed or another MDM product to realize the same device management value as AD join

Guidance Summary and Current Status

While there are some new and exciting capabilities here, we believe Azure AD device join represents an immature offering for our environment, so are limiting its availability at this time.

On 7/30/2015, the UW has generally turned off the ability to do an Azure AD join, allowing only limited explorations of the capabilities. If you’d like to partner with us to explore this capability, please contact Microsoft Infrastructure via help@uw.edu.

Users which have chosen to do an Azure AD device join are advised that UW Administrative Policy Statement (APS) 55.1 “Mobile Device Use and Allowance Policy” does apply. You may be legally required to provide the UW unrestricted access to the device, and the UW reserves the right to remotely wipe the device. If you wish to disconnect your device from Azure AD, see https://cloudpuzzles.net/2015/03/disconnecting-a-windows-10-device-from-azure-ad/ for a walkthrough of disconnecting.

The UW has no plans at this time to perform device wipes (partial or otherwise).

The UW has no plans at this time to deploy Intune, nor does it have licenses to cover the entire UW population.

These plans may change in the future.

Further Reading