In this topology, called the Cloud Identity Model, we create and manage users in Office 365, and their user accounts and passwords are stored in Azure AD. No on-premises servers are required. Azure AD is included with all Office 365 plans.
The Azure AD that comes by default with our Office 365 package behaves similarly to on-premises AD, but we cannot RDP to it. Remember, Azure AD is the cloud directory!
Azure AD Join is primarily for users to access cloud resources.
- Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory.
- You can consume these domain services without the need to deploy, manage, and patch domain controllers in the cloud.
- Since the domain is managed by Azure AD Domain Services, there are no Domain Administrator or Enterprise Administrator privileges on this domain.
The diagram above shows where our mailboxes and user accounts are located in the Microsoft Cloud, and how our user computers and users are authenticated in order to access our corporate systems.
Configure Azure AD
- Sign in to Azure Admin Portal as Administrator.
- On the left pane, select Active Directory, then select your directory under Directory.
- Click on Configure
- Scroll to the section called Devices.
- Select ALL for USERS MAY JOIN DEVICES TO AZURE AD. Alternatively, you can choose specific AD groups or users who are the only ones permitted to join devices.
- Select 5 for MAXIMUM NUMBER OF DEVICES PER USER. If a user reaches this quota, they will not be able to add additional devices until one or more of their existing devices are removed.
- Click Save to save your changes.
Screenshot if you are using Classic View of Azure Portal
Screenshot if you are using the Latest View of Azure Portal
If you want to choose which users are granted local administrator rights to the device, you need Azure AD Premium or Enterprise Mobility Suite.
ADDITIONAL ADMINISTRATORS ON AZURE AD JOINED DEVICES:
By default, Global administrators and device owners are granted local administrator rights.
Join Windows 10 to Azure AD
- Users upgrading to Windows 10 can also join their devices to Azure AD.
- The Settings navigation differs slightly between Windows 10 versions prior to 1607 and version 1607 or later. Both are covered in this document.
1. Login to Windows 10 device as Local Administrator
2. Go to Settings > System > About
For Windows 10 devices with update version 1607 or later
Click on “Connect to work or school” option
For Windows 10 devices with update version prior to 1607
Click on “Join Azure AD” option
3. Click on Connect, specify full email address and click Next.
If you see the following screen instead, you should double-check your Azure AD settings.
4. Next, you will be prompted to accept organization policies to be applied to all computers. Click Accept. Your device is now successfully joined to Azure AD.
5. After Azure AD join completes, the user must sign out of the local user account and click the Other User tile to sign in with an Azure AD credential.
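After step 5 it is worth confirming that the device really completed an Azure AD join rather than only an Azure AD registration (workplace join), which a user can end up with by picking the wrong option in Settings. The following PowerShell is an added example, not part of the original document, that parses the output of dsregcmd /status; it assumes the field names shown (AzureAdJoined, DomainJoined, WorkplaceJoined, TenantName, DeviceId) as printed on Windows 10 1607 and later, and the sample block is constructed.

```powershell
# Added example: check Azure AD join state from dsregcmd /status output.
# Assumption: field names match what dsregcmd prints on Windows 10 1607+.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "     AzureAdJoined : YES"; headers and
        # +----+ separators contain no colon and are skipped.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-AzureAdJoin {
    param([hashtable]$State)
    $joined = $State['AzureAdJoined']   -eq 'YES'
    $domain = $State['DomainJoined']    -eq 'YES'
    $wpj    = $State['WorkplaceJoined'] -eq 'YES'
    if ($joined -and -not $domain) {
        return "Azure AD joined to tenant '$($State['TenantName'])' (device $($State['DeviceId']))"
    }
    if ($joined -and $domain) {
        return "Hybrid Azure AD joined: device is also joined to an on-premises domain"
    }
    if ($wpj) {
        return "Only Azure AD registered (workplace joined), not Azure AD joined; redo the join from Settings"
    }
    return "Not joined to Azure AD"
}

# Constructed sample output; on a real device capture it with: $raw = dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $sample
Test-AzureAdJoin -State $state
```

On a live machine, replace $sample with the captured dsregcmd output; a device that shows WorkplaceJoined : YES but AzureAdJoined : NO will not receive the organization policies accepted in step 4.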