Understanding Azure AD Device Management

Hi folks!!! How are you all doing?

It's been a looooonnnggg time since my last post. Yeah!! I know!! A lot going on. But I am back.

This time, I would like to talk about a very cool feature in Azure that is called Azure AD Device Management.

In today's world, technology has drastically changed the way we work, and we need to keep up with the changes. Today, you can easily be working while you are commuting to the office, while you are at home or while traveling. All you need is a device and an internet connection and, voila, you are connected to your company.

Because of this, Microsoft came up with this pretty cool feature.

So, basically, in order to access your company resources you can use a company-issued device, but maybe you want to use your own device instead. It could be a tablet or a MacBook, and you can still access company resources from it.

No matter which device you use to connect, this raises some concerns, because the device ends up with a certain level of access to the company's resources. We'd better have some sort of controls in place. That's what Azure AD Device Management is about.

You can integrate your device in three different ways. Which one applies depends on whether the device is company issued and part of an on-prem infrastructure, whether it is a virtual machine that only exists in the cloud, or whether it is your own device, not company owned and therefore not present in the company's infrastructure.

Let's learn now how we can do this.

Azure AD Registered

The least restrictive one.

This is when you own the device. It currently supports Windows 10, iOS, iPadOS, Android and macOS. By the time you are reading this post, this might have changed, but at least at the time I am writing this, in July 2023, this is what is currently supported.

Azure AD Joined

This is when the device is company owned and it accesses Azure AD through a work account. These identities only exist in the cloud. Currently Windows 10 and Windows Server 2019 are supported.

Azure AD Registered and Azure AD Joined have in common the fact that their identities only exist in the cloud. They don't exist in any on-premises infrastructure, such as on-prem Active Directory, for instance.

Hybrid Azure AD Joined

This is almost the same as Azure AD Joined, with the only difference being that the device identity also exists in the on-prem infrastructure. Meaning, it exists in on-prem Active Directory as well as in Azure AD in the cloud. Currently Windows 7, 8.1 and 10, and Windows Server 2008 or later, are supported.


Device registration

Let's now configure Azure AD so we can do device registration.

Log on to the Azure portal with proper credentials, go into Device settings and make sure you configure these four settings properly, according to your company guidelines.


Here is what they do, in detail (the screenshots that showed each setting are not reproduced here):

1) [screenshot]

2) [screenshot]

3) [screenshot] These two are self-explanatory.

Also, one more setting that you should configure is the local administrators on devices that will be Azure AD joined. That way you increase control over these devices and, as a result, their security.

Setting up Azure AD Registered device

Remember, this is a device the employee owns. It's not domain joined, nor provided by the company.

You will need two sets of credentials to do that.

1) Local credentials: the username you use to log on to the computer.

2) Cloud identity: the one your company administrators have set up with the rights to add devices.

a) Go to start > settings


b) Then accounts >


c) Then access work or school >


d) Punch in your email address (the corporate one)


e) Now provide your password


f) And you are all set.


g) If that worked you should be able to see something like this:


h) Also, if you go to the Azure portal, you should be able to single sign on.




Setting up Azure AD Joined

Repeat steps a, b and c, and in step d make sure you select "Join this device to Azure Active Directory".


Then do steps e and f and you should be able to see this:

Also, if you go to the Azure portal, you should be able to single sign on.


Now, to verify it worked, you should be able to see the machines in the Azure portal.
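Besides checking the portal, you can confirm the state from the device itself. As an added example (not part of the original post), this PowerShell parses the output of `dsregcmd /status`, the built-in Windows tool that reports the device's registration state, and tells you which of the three join types the device is in and whether a Primary Refresh Token (PRT) is present, which is what the portal single sign-on mentioned above relies on. The field names are dsregcmd's own; the sample output, the tenant name and the device ID are constructed placeholders.

```powershell
# Added example: classify a Windows device's Azure AD state from `dsregcmd /status`.
# Mapping assumed from dsregcmd's field names:
#   AzureAdJoined=YES, DomainJoined=NO   -> Azure AD Joined
#   AzureAdJoined=YES, DomainJoined=YES  -> Hybrid Azure AD Joined
#   WorkplaceJoined=YES (User State)     -> Azure AD Registered
#   AzureAdPrt=YES                       -> a PRT exists, so portal SSO should work
function Get-DeviceJoinState {
    param(
        # Raw text of `dsregcmd /status`; defaults to running the tool on this machine.
        [string[]]$StatusText = (dsregcmd /status)
    )
    # Collect the "Key : Value" lines into a hashtable; box-drawing and header lines have no colon and are skipped.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $joinType = 'Not registered with Azure AD'
    if ($fields['AzureAdJoined'] -eq 'YES') {
        $joinType = if ($fields['DomainJoined'] -eq 'YES') { 'Hybrid Azure AD Joined' } else { 'Azure AD Joined' }
    } elseif ($fields['WorkplaceJoined'] -eq 'YES') {
        $joinType = 'Azure AD Registered'
    }
    [pscustomobject]@{
        JoinType   = $joinType
        TenantName = $fields['TenantName']
        DeviceId   = $fields['DeviceId']
        SsoReady   = ($fields['AzureAdPrt'] -eq 'YES')   # $true when a PRT is present
    }
}

# Constructed sample output (placeholder values, not from a real tenant) so the
# function can be exercised without running dsregcmd on a joined machine.
$sample = @'
| Device State |
             AzureAdJoined : YES
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso
| User State |
           WorkplaceJoined : NO
                AzureAdPrt : YES
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample
```

Run `Get-DeviceJoinState` with no arguments on a device you have just registered or joined to check the real machine; a device that reports a join type but `SsoReady = False` will typically not single sign on to the portal until a fresh interactive sign-in obtains a PRT.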

Conclusion

So guys, to wrap this up. 

The key takeaways are:

  • Azure AD Device Management allows your company to have some sort of control over the devices used by users, increasing security through a simplified procedure for adding and managing devices;
  • Also, it can improve the user experience on devices;
  • Finally, it provides single sign-on (SSO) for any registered or joined device.

That's all that I wanted to share today folks. I hope this has been helpful and I see you guys soon!!

Cheers,

V Souza
