One of the perks of Windows 10 in combination with Office 365 and Azure AD is the new ‘join Azure AD’ function.
This enables a few things. One of them is automatic enrollment in MDM or Intune, which I’ll cover in an upcoming blog post. Another cool thing I’ll demonstrate here: it enables single sign-on to Azure-based services such as the various Office 365 services.
We’ll start with a sparkling new Windows 10 system. It’s the Pro edition on x64, but your experience will be the same on other editions.
After the basic installation, the system will be set up. One of the first things it asks is who actually owns this device. In this case, of course, we’ll specify that it’s a company-owned device.
The next question is whether we’ll connect to Azure AD or to a legacy on-prem domain. Of course, we’ll connect to Azure AD for this demonstration.
The wizard will ask for credentials. I’ll specify my work account, the same credentials that I use to sign in to Office 365. Because my company uses a customized sign-in page with its own logo, after specifying the username I’ll be redirected to this custom page to enter my password.
After signing in, the system will be enrolled and the company policy is applied.
End user experience
After a few moments, the lock screen appears and I can log on using my Azure AD / O365 account. Because it’s the first time I log on using that account on this machine, my profile will be set up. Luckily, this won’t take long 😉
Once enrolled, certain policies are enforced on the PC to comply with the company requirements. For example, I need to set up a PIN to unlock the PC, because that’s part of the policy.
So I will. For setting up a PIN I must use two-factor authentication, because company policy requires that. A push message is sent to my smartphone so I can authenticate. After the second factor of the authentication is completed, I can actually set up the PIN.
And after that I’m signed in! First thing I do is to check the Outlook mail app. Being signed in with my Office 365 account, I’d expect the app to be preconfigured with my Office 365 mail account.
It is! Next up, I’ll fire up a web browser to navigate to https://outlook.office365.com. Because I’m logged on with my Office 365 account, I don’t need to log on in the browser and I’m being logged on to my mailbox automatically.
Non-company owned device
If you don’t use a company-owned device but log on to Windows using your private Live ID, you can still join the machine to Azure AD. To do this, go to the Settings app and open the ‘Accounts’ settings. On the ‘Work access’ tab, you can click the ‘Join or leave Azure AD’ link to connect using your Azure AD account.
You will be taken through the wizard to join the Azure AD, with the same experience as the ‘out of box’ setup demonstrated above.
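Whichever of the two paths you used (out-of-box setup or the ‘Work access’ tab), it is worth confirming that the device really ended up Azure AD joined and that the user actually has the single sign-on token that makes the Outlook and browser behaviour above work. The following is an added example, not code from the original post: it parses the output of the built-in dsregcmd tool. It assumes dsregcmd.exe is present (it ships with Windows 10 version 1607 and later) and that its output uses the AzureAdJoined, DomainJoined, AzureAdPrt, TenantName, DeviceId and MdmUrl field names; if your build prints different names, adjust the keys.

```powershell
# Added example, not code from the original post.
# Verifies the Azure AD join and single sign-on state of a Windows 10 device by
# parsing the output of the built-in dsregcmd tool.
# Assumptions: dsregcmd.exe is available (Windows 10 version 1607 and later), and
# the script runs in the session of the signed-in Azure AD user, because the
# SSO state (Primary Refresh Token) is per user.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines grouped under section banners.
    # Collect every key/value pair into a hashtable; banners and separator
    # lines contain no colon and are skipped.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-AzureAdJoinState {
    param([hashtable]$State = (Get-DsregStatus))

    # Expected flags, with the dsregcmd section each one comes from.
    $expected = @(
        @{ Key = 'AzureAdJoined'; Want = 'YES'; Meaning = 'device is joined to Azure AD (Device State)' },
        @{ Key = 'DomainJoined';  Want = 'NO';  Meaning = 'not joined to a legacy on-prem domain (Device State)' },
        @{ Key = 'AzureAdPrt';    Want = 'YES'; Meaning = 'Primary Refresh Token present for this user (SSO State)' }
    )

    $results = foreach ($e in $expected) {
        $actual = $State[$e.Key]
        [pscustomobject]@{
            Check   = $e.Key
            Actual  = if ($null -eq $actual) { '<missing>' } else { $actual }
            Pass    = ($actual -eq $e.Want)
            Meaning = $e.Meaning
        }
    }

    # Informational: TenantName and DeviceId show which tenant the device landed
    # in; MdmUrl is populated when the device was also enrolled in MDM (Intune).
    $info = [pscustomobject]@{
        TenantName = $State['TenantName']
        DeviceId   = $State['DeviceId']
        MdmUrl     = $State['MdmUrl']
    }

    return [pscustomobject]@{
        AllChecksPassed = -not ($results | Where-Object { -not $_.Pass })
        Checks          = $results
        Info            = $info
    }
}

# Usage: run in a PowerShell session of the Azure AD user that signed in.
$report = Test-AzureAdJoinState
$report.Checks | Format-Table Check, Actual, Pass, Meaning -AutoSize
$report.Info   | Format-List
if (-not $report.AllChecksPassed) {
    Write-Warning 'Device is not fully Azure AD joined or no PRT is present; single sign-on to Office 365 will not work.'
}
```

A device that shows AzureAdJoined : YES but AzureAdPrt : NO is the case to watch for: the join succeeded, but the user signed in without obtaining a token, so the seamless Outlook and outlook.office365.com sign-on described above will fall back to prompting for credentials.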
When joining devices to Azure AD, you can also automatically enroll the device in Intune. That in turn brings a lot of possibilities for managing the device, enforcing policies, and pushing software and apps. I’ll cover that in one of my next blog posts!