11/25/2019 11:29 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Joining devices to Azure AD in a hybrid world
THR2238 (Microsoft Ignite, 11/25/2019)
Sandeep Deo, Senior Program Manager, Azure AD

Key takeaways
- Understanding the value of joining devices to Azure AD
- Understanding the concepts
- Understanding the options
Device growth in Azure AD (figures from the slide, with year-over-year growth)
- Total devices: 107M (+275% YoY)
- Tenants with devices: 2.6M (+225% YoY)
- Monthly active devices: 40M (+420% YoY)
- Monthly active tenants: 2.2M (+250% YoY)
- Devices with Conditional Access (CA): 6M (+500% YoY)
Why should you bring devices into Azure AD?

Access control and identity protection
- Conditional Access based on device policies
- Azure AD Identity Protection through advanced AI

Ease of deployment and management
- Autopilot, bulk provisioning and self-service deployment
- Modern device management using Intune
- Manage device identities in the Azure AD portal

Seamless, secure and productive experiences for your users
- Single sign-on (SSO) to cloud and on-premises apps and resources
- Passwordless credentials for secure and easy sign-in
- Settings roamed across devices
Device states in Azure AD
- Azure AD joined: the device is joined directly to Azure AD (no on-premises AD join).
- Hybrid Azure AD joined: the device is joined to on-premises AD and registered with Azure AD.
- Azure AD registered: the device is registered with Azure AD only (typically a personal device with a work account added).
Establishing device trust in Azure AD

Work-owned devices
- Azure AD joined: trusted if the device complies with Intune policy
- Hybrid Azure AD joined: trusted by virtue of domain join

Personal devices
- Azure AD registered (with MDM): trusted if the device complies with Intune policy
- Azure AD registered (with MDM/MAM): trusted if the device or app complies with Intune policy
For customers with AD. Option 1: Azure AD joined device

Step 1: Upgrade to Windows 10 (upgrade your PCs).
Step 2: Enable Azure AD Connect and synchronize identities.
Step 3: Join the device to Azure AD and sign in using Azure AD credentials.
Step 4 (optional): Run the MMAT tool (MDM Migration Analysis Tool) to get Configuration Service Providers (CSPs) for existing GPOs.

Devices can access local resources such as LOB apps, file shares and printers when Azure AD Connect is enabled (the user is synchronized and the device has network line of sight to a domain controller).

Caveats of the Azure AD joined device deployment method
- Some GPOs may not map to Intune
- Win32 apps relying on machine authentication won't work
- Direct printer path works; AD printer discovery does not work
- Azure AD Join creates a new profile; the profile needs to be manually migrated
User profile migration (caveat of the Azure AD joined device method)

When a device Azure AD joins, it creates a new profile and does not reference any existing profile.

Guidance for profile migration by device state
- New device: no profile migration needed
- Local/workgroup device: profile migration needed
- Domain-joined device: manual copy/paste, or find a tool to migrate profiles that remaps existing files and settings to the new profile and preserves all caches

User profiles typically include
- Favorites
- Local files
- Browser settings
- Cached credentials
- Outlook caches (autofill)
- Some third-party app settings
- Start menu configuration
Group Policy Objects (GPOs) (caveat of the Azure AD joined device method)

Some existing GPOs may not have comparable CSPs in Intune.

GPOs typically used
- Mapping drives
- Start menu customization
- Desktop background customization
- Screen saver customization
- Configure registry settings
- Have more? Tell us @ Tech Community

Guidance: map a path to management using Intune
- Run the MMAT tool to get CSPs for comparable policies in Intune
- Migrate those GPOs that have CSPs in Intune
- Evaluate the necessity of those that don't and report them to Microsoft

To download the MMAT tool: https://www.microsoft.com/en-us/download/details.aspx?id=45520
Legacy Win32 apps (caveat of the Azure AD joined device method)

Win32 apps requiring AD machine authentication won't work.
- Apps that work: apps that support NTLM, modern auth, or a Kerberos TGT
- Apps that don't work: Win32 apps that require AD machine authentication
- Guidance: evaluate the necessity of the legacy machine-auth app; move to an app that supports modern auth if possible
Printing (caveat of the Azure AD joined device method)

Some printing scenarios are not supported.
- Printing scenarios that work: direct printer path
- Printing scenarios that don't work: AD printer discovery
- Guidance: notify users of the direct printer path where possible; use a PowerShell script from Intune to map the printer; utilize Hybrid Cloud Printing
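The "PowerShell script from Intune" guidance above, as an added example that is not part of the presentation: the script maps printers by their direct UNC path on an Azure AD joined device (where AD printer discovery is unavailable), skips servers that are not reachable so Intune can retry later, and sets a default printer. The print server and share names are hypothetical.

```powershell
# Added example, not from the original presentation. Map printers by direct
# UNC path on an Azure AD joined device. Hypothetical server/share names.

$Printers = @(
    '\\printsrv01.corp.example.com\HQ-Floor2-Color',
    '\\printsrv01.corp.example.com\HQ-Floor2-Mono'
)
$DefaultPrinter = $Printers[0]

# Per-user log; the script runs in the user's context (see usage note).
$Log = Join-Path $env:LOCALAPPDATA 'PrinterMapping\map-printers.log'
New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $Log -Append -Encoding utf8
}

foreach ($Path in $Printers) {
    # '\\server\share' splits into '', '', 'server', 'share'.
    $Server = ($Path -split '\\')[2]

    # The print server is only reachable on the corporate network or VPN;
    # skip cleanly and let the next Intune run retry.
    if (-not (Test-Connection -ComputerName $Server -Count 1 -Quiet)) {
        Write-Log "SKIP $Path : $Server unreachable"
        continue
    }

    # Connection printers are named by their UNC path, so this detects an
    # existing mapping without re-adding it.
    if (Get-Printer -Name $Path -ErrorAction SilentlyContinue) {
        Write-Log "OK   $Path already mapped"
        continue
    }

    try {
        Add-Printer -ConnectionName $Path -ErrorAction Stop
        Write-Log "ADD  $Path"
    } catch {
        Write-Log "FAIL $Path : $($_.Exception.Message)"
    }
}

# Set-Printer has no default-printer switch; use the Win32_Printer CIM method.
$p = Get-CimInstance -ClassName Win32_Printer | Where-Object Name -eq $DefaultPrinter
if ($p) {
    Invoke-CimMethod -InputObject $p -MethodName SetDefaultPrinter | Out-Null
    Write-Log "DEFAULT $DefaultPrinter"
}
```

Printer connections are per-user, so when assigning this script in Intune set "Run this script using the logged on credentials" to Yes; run as SYSTEM (the default) it would map the printers for the system account and the user would see none of them. The direct path still requires Kerberos or NTLM to the print server, which is why it works only for synchronized users with line of sight to the domain controller.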
What if these remediations are insufficient?

Caveats of the Azure AD joined device deployment method
- Azure AD Join creates a new profile; the profile needs to be manually migrated
- Some GPOs may not map to Intune
- Win32 apps relying on machine authentication won't work
- Direct printer path works; AD printer discovery does not work

Deploy with Option 2: Hybrid Azure AD joined device configuration
For customers with AD. Option 2: Device is Hybrid Azure AD joined

Step 1: Upgrade to Windows 10 (upgrade your PCs).
Step 2: Enable Azure AD Connect, synchronize identities, and then select "Configure device options" from the "Additional tasks" screen.
Step 3: Allow the PC to access the device registration endpoints. If using an outbound authenticating proxy, the machine context must be allowed through it.

Detailed docs: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
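A check for Step 3 and for the resulting device state, as an added example that is not part of the presentation: it parses `dsregcmd /status` to classify the device into one of the three states described earlier (Azure AD joined, Hybrid Azure AD joined, Azure AD registered), then tests TCP 443 reachability to the device registration endpoints named in the linked planning docs and shows the WinHTTP proxy, which is the proxy the machine context uses. The endpoint hostnames are the documented ones; the classification rules are this example's own reading of the dsregcmd output.

```powershell
# Added example, not from the original presentation. Run in an elevated
# PowerShell; for hybrid join troubleshooting run it in the machine context
# (for example under PsExec -s), because registration happens as SYSTEM.

$Endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com'
)

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines inside boxed sections; fold every
    # such line into a hashtable and ignore the box drawing.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-JoinType([hashtable]$s) {
    $aad = $s['AzureAdJoined']   -eq 'YES'
    $dom = $s['DomainJoined']    -eq 'YES'
    $wpj = $s['WorkplaceJoined'] -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid Azure AD joined' }
    if ($aad)           { return 'Azure AD joined' }
    if ($wpj)           { return 'Azure AD registered' }
    if ($dom)           { return 'Domain joined only (hybrid join not completed)' }
    return 'Not joined or registered'
}

$s = Get-DsregStatus
"Join type : $(Get-JoinType $s)"
"Tenant    : $($s['TenantName'])"
"DeviceId  : $($s['DeviceId'])"
"TPM key   : $($s['TpmProtected'])"

# A hybrid join that never completes typically shows DomainJoined YES and
# AzureAdJoined NO. The checks below separate a network block from a
# registration failure.
foreach ($h in $Endpoints) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    "{0,-40} TCP 443 {1}" -f $h, $state
}

# The machine context uses the WinHTTP proxy, not the signed-in user's
# browser proxy; an authenticating proxy that challenges this context
# blocks registration even when the user's browser reaches the endpoints.
& netsh.exe winhttp show proxy
```

If the endpoints are open from the user's session but the script reports them blocked when run as SYSTEM, the problem is the proxy configuration for the machine context, which is exactly the Step 3 caveat above.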
Microsoft's guidance is to use Azure AD Join whenever practical
- Azure AD joined device configuration is the preferred path for non-domain-joined devices
- Hybrid Azure AD joined device configuration is the preferred path for existing domain-joined devices
- Always consider Azure AD Join first
- Consider using both: Hybrid Azure AD joined configuration for existing domain devices, and Azure AD joined devices for new devices or device refresh
Special cases: guidance for SCCM
If you use SCCM and it serves a critical need, use the Hybrid Azure AD joined configuration; otherwise consider moving some functions to Intune and using Azure AD joined devices.
Please evaluate this session through MyEvaluations on the mobile app (https://aka.ms/ignite.mobileApp) or the website (https://myignite.techcommunity.microsoft.com/evaluations).