IT Connect

Information technology tools and resources at the UW

20150730: AAD device join

The UW Windows Infrastructure has limited who can join devices to our enterprise Azure AD. This capability became broadly available with the release of Windows 10.


What and When:

The UWWI service is following the decision/guidance of the Azure AD governance team, put into place by the UW Enterprise Architecture program. Many thanks to the sage advice of that team.


Azure AD device join has been placed in a limited, exploratory stage. The setting was changed from the default, in which anyone with a user account in our enterprise Azure AD (currently anyone with a UW NetID) could join any capable device, to one that permits only a very small group to do so.


What You Need to Do:

No action is required. If you joined one of the 50 devices that are already AAD joined, we’ll be contacting you to ensure you know the implications, our guidance, and that you have the option of disconnecting from AAD. See https://cloudpuzzles.net/2015/03/disconnecting-a-windows-10-device-from-azure-ad/ for a walkthrough of disconnecting.


More Info:

This notice will be sent to techsupport@uw.edu on the existing Windows 10 thread.


Our enterprise Azure AD is uwnetid.onmicrosoft.com, but it also has domains such as uw.edu, u.washington.edu, and washington.edu associated with it. So when a user enters a username of <uwnetid>@uw.edu in the Azure AD device join experience, they end up in our enterprise Azure AD.


The AAD device join capability has:

- no delegated administration

- a requirement for Intune licensing or another MDM product to realize the same device management value as AD join

- the ability to centrally perform a partial device wipe

- the ability to join mobile devices which are incapable of AD join


While there are some new and exciting capabilities here, we believe this represents an immature offering for our environment, so we are limiting its availability at this time. We will continue to explore this capability, reviewing it for positive steps in maturity and utility for the UW.


NOTE: This capability is different from Workplace Join (which we don’t currently support), and is also separate from the Azure AD Conditional Access capability, which can use AD-joined devices as part of access control decisions.


If you’d like to read more about the Azure AD Device Join capability, we recommend the following:

- http://blogs.technet.com/b/in_the_cloud/archive/2015/05/28/managing-azure-active-directory-joined-devices-with-microsoft-intune.aspx

- http://blogs.technet.com/b/ad/archive/2015/05/28/azure-ad-join-on-windows-10-devices.aspx


If you have reason to partner with us to explore this capability, please contact UWWI via help@uw.edu.


Brian Arkills

UW Windows Infrastructure Service Manager