As you might know Windows 10 will allow us to use Azure Active Directory (AAD) to manage the device, Microsoft talked about this in the fall (http://blogs.windows.com/business/2014/11/07/windows-10-manageability-choices/) and with the latest public build (9926) the functionality is actually built-in!
I should note that this is preview bits, both Windows 10 and the Azure AD part! There will surely be changed in the UI’s as the development moves on, and errors will be fixed. Any feedback you have should go to Microsoft via the feedback app.
Let’s dive in!
First you have to make sure that Device Registration is enabled on you Azure AD. Go to the Azure portal and browse to your AAD, and select Configure and click Yes where it says Enable workplace join:
Now go to settings on your Windows 10 device. I use Windows 10 on my primary device, but I would really recommend testing this feature on a test device or VM as it’s far from perfect yet. Choose System -> About:
Select Connect to cloud as shown in the picture above. Cloud Experience Host will show up and let you know that you’re about to enroll you device in your organization – click continue:
On the next page enter your AAD credentials and hit Sign in:
If this is your first login or your password has expired you will be asked to update it (after you’ve hit enter, it will clear the fields but not let you know that anything is going on, just give it a minute to do it’s magic):
That’s actually it, the window will close without telling you it’s finished – it’s preview, keep that in mind. Now the device is enrolled in you Azure AD and you can see it under Devices in the users account i AAD (also notice that it says AAD Joined and not Workplace joined like when you use that feature):
If you restart the device or sign out from the current account, you can now sign in with your AAD credentials. Just hit the back arrow and select Other user:
After signing in the Cloud Host Experience window will appear and look like it’s doing something, probably just a bug in the current build:
This has failed every time I’ve done the first login with a user, even when using multiple users, after joining an Azure AD:
The Try again won’t do anything, instead restart the computer and sign in again, then it’ll succeed and ask you to enter a pin. This pin is used for logging in to the device. You can also uncheck Use a simple pin to get more complexity. If you click Cancel it’ll prompt you at next login, so for now it appears that you have to make a pin:
A few things worth mentioning:
- The user that cloud joins the device to Azure AD will be added to the local Administrators group.
- Other users from you Azure AD can also use the device – they will not get admin rights though
- At the moment you cannot “unjoin” a device, from the device at least. The About page will not show any option to do this, but you can block or delete a device from the Azure portal
- When joining the device, if you get an error like “Something went wrong” make sure you have enabled Device Registration. If it still doesn’t work, then try disabling it and enable it again. Worked for me.
That’s it for now. I’ll dive into the experience when using federation (ADFS), Multi-Factor Authentication (MFA) and other exciting stuff soon. This is a really awesome feature if you ask me, and the future looks even cooler.
I’m getting the “something went wrong” error. Even after disabling and enabling the device registration feature.
One thing I’ve run into is that it does not seem to cache Azure AD credentials if you try to login without an active Internet connection. Hopefully this will be remedied as NT based OS’s have been caching domain credentials for a long time. While it may be rare that a user doesn’t have an active connection, the scenario does exist.
Thanks for the great write up.
How do you remove a device that was azure ad joined bit you no longer have that device? I’ve got to be overlooking something.
If you go to your Azure AD tenant and browse to the user, you can select ‘devices’ in the top and then ‘registered devices’ in the dropdown menu. Then select the device, and in the bottom you can block/delete it.
See this: https://cloudpuzzles.net/wp-content/uploads/2015/09/win10aaddelete.png
Has anyone found a way to disable the pin prompt from coming up every time you login?
So when you do this on a new Windows 10 install the first user to do this is put into the local Admins group. The next user to login from the AzureAD domain is not put into any groups, and appears to be just a standard user. Do you have any guidance on how to add another AzureAD user into the local admin’s group?
I know that there was some work on this, let me check and get back to you later this week.
I am having an issue with this: each user I attempt to AAD domain join is prompted to create a pin… these are fresh installs of windows 10 using the upgrade to windows 10, ensure activated, reinstall from a usb image method. My user (a azure/office365 admin user) worked fine but every other user fails at the pin creation. the correlation id error comes up so far one users machine pulled in a random update rebooted and then was able to create a pin, all other users have yet to have that happen. the only problem with this seems to be that the auto-login to office365 fails by refreshing the page very fast over and over again; have to open an inPrivate window and manually login to avoid this problem
I’ve seen the refresh issue too, but haven’t found a solution yet. Haven’t experienced errors when creating pin, do you get an error message?
Is there a powershell option for deployment?
I haven’t seen PowerShell cmdlets for this yet.
Nice post Jesper. It looks like you did this right before the unjoin function was built. Here’s a few responses to some open ended questions:
1. Unjoin is now available in System > About
2. Yes, your credentials are cached — just like domain creds. This allows you to sign into Windows without an internet connection
3. The PIN for Passport is a per user function. Each user creates a hardware-backed PIN to make sign in easier. I believe the ability to turn off Passport for Work completely exists now.
4. There is no current bulk enrollment option, PowerShell or otherwise.
5. You can’t add another AAD user profile onto the device explicitly. It would be interesting to understand the use case you are trying to enable. As Jesper states, any user from the tenant can sign in. This will create a user profile for that user for future non-connected sign ins.
6. MDM installation is integrated into the AAD join flow. It just needs to be configured on the tenant.
Re the PIN problem Jesse reports — I’m not sure what image he is installing from his USB. The PIN function came in pretty late in the development so if he is installing a pre-release build after the Win10 update then that could be the cause. Or if he is installing a provisioning package then he might want to check what settings he has configured.
FYI — here’s the latest writeup on the capabilities of AAD Join. https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/
Best of luck and thanks for sharing what you know.
Is there any way to add back a Win10 device? After changing computer name and deleting the device from Azure AD (the name change was not reflected in Azure AD), the device is still showing up as connected to the organization (System/About) but not showing up on Azure AD.
Jesse – I am also having the PIN issue – please let me know if you resolved it,
Jess – do you have Microsoft Intune?
Most interesting functionality.
I am trying to get two Azure Ad accounts (synced from and on prem AD) on one device: one admin and one user.
So I join the device with the admin account, all fine and set a PIN. Great.
Then I try to add the user account. The problem is that the user account is BOTH a Microsoft Account AND a synced account in Azure AD, and the device seems to add the Microsoft Account. I can’t tell which account has been added: is there an attribute somewhere?
This will be an issue for a lot of accounts where we have in the past had to create a MSA for a domain email address (to access MSDN, Licensing and so on)
Does this also work with an .onmicrosoft.com account? I tried to create a test user on Azure AD ,joined Azure AD on WIndows 10 VM – but was not able to login with the onmicrosoft.com user?
How the hell do I even get to the first picture? God I hate Azure and their trash layout for a website I cant find that first picture page in https://portal.azure.com/…
Please help me before I start pulling out my hairs.
Azure AD is not yet available in the new portal (portal.azure.com). You have to go through the old portal (manage.windowsazure.com) and select Active Directory in the bottom of the left menu.
Has anyone been successful in getting a azure joined Windows 10 machine to pull the account picture from azure AD? Our on prem AD sends them to Azure and if you sign into the portal the picture shows, but it never sends them to the account on the machine.
The picture does not sync from Azure AD to Windows. This would be a feature request.
Hi – i have a device which is a windows 10 anniversary edition, domain joined and azure ad connected. the user device registration log states
“This Device is joined to Azure AD, however, the user did not sign-in with an Azure AD account. Microsoft Passport provisioning will not be enabled. ”
The account I am logging in with is synced with azure ad and has been used to join devices to azure ad. has anyone come across this?
Hi i have noticed that when a user AzureAd joins a device he is given admin permissions on the machine. is it normal if yes how do i change that if i do not want user to remain an Admin on device, and would like to know if the user permissions can be changed to a standard user, once the Joining and Enrolment is done?
Hi, looking to see if anyone has been able to do this with an onmicrosoft account via powershell?
Good afternoon. Something odd that I wanted to run by the group. My organization has Office 365 E3 for all users which in turn gives us the basic/free Azure AD. When I setup my laptop I said that the company owned it and I logged in via Azure AD. Everything works great! I then setup a PIN and configured Windows Hello (Surface book) and that works great as well. Throughout the day Windows pops up the message that “windows needs your current credentials…” message. Since my laptop is joined to Azure it cannot be joined to my local domain. I do have my azure account synced with local AD via the AD Connect tool. At this point I cannot find anything about this message with the same configuration that I have. Does anyone have any ideas?
I am setting up windows 10 with azure for a small organsiation. I have added the computers to the azure domain ok and can create accounts under azure and have people login to the computers using them. The trouble I am having at the moment is that the logins are not staying on the login lock screen. So for an azure user to login they have to go via the ‘other user’ route and type in their full username.
I would like it so they just need to click on their username and type their password or PIN. I have done a bit of digging, it seems like it might be due to thse accounts not being put into a local group on the specific computer. But I haven’t found a way to fix this.