As you might know, Windows 10 will allow us to use Azure Active Directory (AAD) to manage devices. Microsoft talked about this in the fall (http://blogs.windows.com/business/2014/11/07/windows-10-manageability-choices/), and with the latest public build (9926) the functionality is actually built in!
I should note that these are preview bits, both Windows 10 and the Azure AD part! There will surely be changes in the UIs as development moves on, and errors will be fixed. Any feedback you have should go to Microsoft via the Feedback app.
Let’s dive in!
First you have to make sure that Device Registration is enabled on your Azure AD. Go to the Azure portal, browse to your AAD, select Configure and click Yes where it says Enable workplace join:
Now go to settings on your Windows 10 device. I use Windows 10 on my primary device, but I would really recommend testing this feature on a test device or VM as it’s far from perfect yet. Choose System -> About:
Select Connect to cloud as shown in the picture above. Cloud Experience Host will show up and let you know that you're about to enroll your device in your organization – click Continue:
On the next page enter your AAD credentials and hit Sign in:
If this is your first login or your password has expired, you will be asked to update it (after you've hit Enter it will clear the fields without telling you that anything is going on; just give it a minute to do its magic):
That's actually it; the window will close without telling you it's finished – it's a preview, keep that in mind. Now the device is enrolled in your Azure AD and you can see it under Devices on the user's account in AAD (also notice that it says AAD Joined and not Workplace Joined, as it does when you use that feature):
If you restart the device or sign out from the current account, you can now sign in with your AAD credentials. Just hit the back arrow and select Other user:
After signing in, the Cloud Experience Host window will appear and look like it's doing something, probably just a bug in the current build:
This has failed every time I've done the first login with a user after joining an Azure AD, even when using multiple users:
The Try again button won't do anything; instead, restart the computer and sign in again. Then it'll succeed and ask you to enter a PIN. This PIN is used for logging in to the device. You can also uncheck Use a simple PIN to get more complexity. If you click Cancel it'll prompt you again at the next login, so for now it appears that you have to create a PIN:
A few things worth mentioning:
- The user that cloud joins the device to Azure AD will be added to the local Administrators group.
- Other users from your Azure AD can also use the device, though they will not get admin rights.
- At the moment you cannot "unjoin" a device, at least not from the device itself. The About page will not show any option to do this, but you can block or delete a device from the Azure portal.
- When joining the device, if you get an error like "Something went wrong", make sure you have enabled Device Registration. If it still doesn't work, try disabling it and enabling it again. That worked for me.
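As an added example (not part of the original post), here is a PowerShell check for what the first two bullets describe: whether the device reports itself as AAD joined, and which AAD accounts ended up in the local Administrators group. It assumes dsregcmd.exe is present, which release builds of Windows 10 ship but which should not be counted on in preview build 9926, and that the script runs in an elevated prompt on the joined device. The field names parsed from the dsregcmd output (AzureAdJoined, TenantName, DeviceId) and the AzureAD\ prefix on cloud accounts are what later builds print.

```powershell
# Added example, not code from the original post.
# Assumptions: dsregcmd.exe exists on this build, and the prompt is elevated.

function Get-AadJoinState {
    # Parse the "Key : Value" lines of 'dsregcmd /status' into a hashtable.
    # Keys containing spaces (e.g. "Executing Account Name") are skipped.
    $state = @{}
    $lines = & dsregcmd.exe /status 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-LocalAdminMembers {
    # 'net localgroup' exists on every Windows build; skip the header and
    # footer lines it prints and return only the member names.
    $raw = & net.exe localgroup Administrators
    $members = @()
    $inList = $false
    foreach ($line in $raw) {
        if ($line -match '^-{5,}')              { $inList = $true; continue }
        if ($line -match 'The command completed') { break }
        if ($inList -and $line.Trim())          { $members += $line.Trim() }
    }
    return $members
}

$join = Get-AadJoinState
[PSCustomObject]@{
    AzureAdJoined = $join['AzureAdJoined']   # expect YES on a cloud-joined device
    TenantName    = $join['TenantName']
    DeviceId      = $join['DeviceId']        # matches the entry under Devices in the portal
}

# After a cloud join you expect exactly one AAD account here: the one that
# performed the join. Any other AzureAD\ entry was added some other way.
Get-LocalAdminMembers | Where-Object { $_ -like 'AzureAD\*' }
```

Running this right after the join, and again later, is a quick way to confirm that other AAD users who sign in to the device really stay out of the Administrators group, as the bullets above state.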
That’s it for now. I’ll dive into the experience when using federation (ADFS), Multi-Factor Authentication (MFA) and other exciting stuff soon. This is a really awesome feature if you ask me, and the future looks even cooler.