Enable single sign on when joining Azure AD

One of the perks of Windows 10 in combination with Office 365 and Azure AD is the new ‘join Azure AD’ function.

This enables a few things. One of them is the automatic enrollment in MDM or Intune, which I’ll cover in an upcoming blog post. Another cool thing I’ll demonstrate here: it enables single sign-on to Azure-bases services such as the various Office 365 services.

Getting started

We’ll start with a sparkling new Windows 10 system. It’s the Pro-version on x64, but you’ll experience will be the same on other versions.

After the basic installation, the system will be set up. One of the first things it’ll ask, is who actually owns this device. In this case, ofcourse, we’ll specify that it’s a company-owned device.

Company owned device

The next question is if we’ll connect to Azure AD, or to an legacy on-prem domain. Ofcourse, we’ll connect to Azure AD for this demonstration.

Azure AD

The wizard will ask for credentials. I’ll specify my work account, the same credentials that I use to sign up to Office 365. Because my company uses a customized sign-in logo, after specifying the username I’ll be redirected to this custom page to enter my password.

Custom sign-in page

After signing in, the system will be enrolled and the company policy is applied.

Applying policies

End user experience

After a few moments, the lockscreen appears and I can log on using my Azure AD / O365 account. Because it’s the first time I log on using that account on this machine, my profile will be set up. Luckily, this won’t take long 😉

Being enrolled, certain policies will be enforced on the PC to comply with the company requirements. For example, I need to set up a PIN to unlock the PC, because that’s part of the policy.

Create a work PIN

So I will. For setting up a PIN I must use two-factor authentication, because company policy requires that. A push message is sent to my smartphone so I can authenticate. After the second factor of the authentication is completed, I can actually set up the PIN

And after that I’m signed in! First thing I do is to check the Outlook mail app. Being signed in with my Office 365 account, I’d expect the app to be preconfigured with my Office 365 mail account.

Mail app

It is! Next up, I’ll fire up a web browser to navigate to Because I’m logged on with my Office 365 account, I don’t need to log on in the browser and I’m being logged on to my mailbox automatically.

Single sign-on
This doesn’t only work for Outlook Web App, but for all Office 365 and Azure apps, including for example Sharepoint Online and Delve.

Non-company owned device

If you don’t use a company owned device but log on to Windows using your private Live ID, you can still Azure AD join the machine. To do this, go to the settings app and open the ‘accounts’ settings. On the ‘work access’ tab, you can click the ‘Join or leave Azure AD’ link to connect using your Azure AD account.

Enroll from settings

You will be taken through the wizard to join the Azure AD, with the same experience as the ‘out of box’ setup demonstrated above.

When joining devices to Azure AD, you can also automatically enroll the device to Intune. That itself brings a lot of possibilities on managing the device and enforcing policies and pushing software and apps. I’ll cover that in one of my next blog posts!