Ensuring Your Tenant is Ready for Azure AD Join

Ensuring Your Tenant is Ready for Azure AD Join

So I have been asked a few times to walk through a customer's environment ensuring everything is in place for Azure AD join Scenarios. Most Azure AD Tenants come pre-configured for Azure AD Join, but Here are a few of the configurations to what out for and why they are important.

2021-08-11_16-57-53.png
  1. Users may Join Devices to Azure AD:

This is critical because obviously if you block users from Join Devices to Azure AD then obviously this won't work at all. But Different Organizations address this differently. Some select All and enforce restrictions with Azure Conditional Access, or Intune Device Restrictions. (Not saying Intune or any MDM is required for Azure AD Join, but strongly recommended) Other Organizations will restrict Azure AD join to a few, such as a Cloud Device Administrator or an Intune Bulk Enroll Account. I generally always recommend with the All Users approach we can ensure your users are doing this securely as you will see with step 2.

2. Require Multi-Factor Authentication to register or join devices with Azure AD:

This one I always turn OFF. Azure Active Directory Conditional Access is a far more comprehensive solution to just enforcing MFA. Plus if you do any Bulk Enrollment this will cause some headaches.

3. Maximum number of devices per user:

This is always an interesting discussion, My feelings are if you are enforcing conditional access as well as enrollment restrictions in your MDM. I really don’t see the need to set a limit here, I have mine configured to unlimited though the default is 20 devices. Some organizations though feel this is too loose and enforce a restriction to keep users from taking advantage of join scenarios. My only recommendation is to keep in mind your users' needs and set according, setting to low can cause unnecessary overhead for you, to high can be seen as a security risk.

4. Additional local administrators on all Azure AD joined devices:

This is where you can explicit define local administrators assigned to all Windows based Azure AD Devices. Though this is one solution you can also use the Azure AD Role "Azure AD joined device local administrator" and this can go even further using PIM privileged Identity Management if you want to provision user local admin right for a period of time. Very Slick..

How to manage local administrators on Azure AD joined devices | Microsoft Docs

5. Enterprise State Roaming:

This is a feature in my opinion is really undervalued. Though not required for Azure AD join, provides an enormous value for your end users by roaming many of the users common configuration across all there Azure AD join Devices.  Though not all of these will roam to Windows 11, like wall paper being able to rebuild your Azure AD joined machine and have your Browser Settings, Wi-Fi Settings, and Ease of access follow you can save A LOT of down time.

  • Theme, which includes features such as desktop theme and taskbar settings.

  • Internet Explorer settings, including recently opened tabs and favorites.

  • Microsoft Edge browser settings, such as favorites and reading list.

  • Passwords, including Internet passwords, Wi-Fi profiles, and others.

  • Language preferences, which include settings for keyboard layouts, system language, date and time, and more.

  • Ease of access features, such as high-contrast theme, Narrator, and Magnifier.

  • Other Windows settings, such as mouse settings.

What is enterprise state roaming in Azure Active Directory? | Microsoft Docs

What's this Mobility stuff in Azure Active Directory?

What's this Mobility stuff in Azure Active Directory?

Always start with Azure AD Join

Always start with Azure AD Join