Azure AD Device Identity Documentation
Azure AD Device Identity Documentation
With the proliferation of devices of all shapes and sizes and the Bring Your Own Device (BYOD) concept, IT
professionals are faced with two somewhat opposing goals:
Allow end users to be productive wherever and whenever
Protect the organization's assets
To protect these assets, IT staff need to first manage the device identities. IT staff can build on the device identity
with tools like Microsoft Intune to ensure standards for security and compliance are met. Azure Active Directory
(Azure AD) enables single sign-on to devices, apps, and services from anywhere through these devices.
Your users get access to your organization's assets they need.
Your IT staff get the controls they need to secure your organization.
Device identity management is the foundation for device-based Conditional Access. With device-based
Conditional Access policies, you can ensure that access to resources in your environment is only possible with
managed devices.
Device management
Devices in Azure AD can be managed using Mobile Device Management (MDM) tools like Microsoft Intune,
Microsoft Endpoint Configuration Manager, Group Policy (hybrid Azure AD join), Mobile Application
Management (MAM) tools, or other third-party tools.
Resource access
Registering and joining devices to Azure AD gives your users Seamless Sign-on (SSO) to cloud resources. This
process also allows administrators the ability to apply Conditional Access policies to resources based on the
device they are accessed from.
NOTE
Device-based Conditional Access policies require either hybrid Azure AD joined devices or compliant Azure AD joined or
Azure AD registered devices.
The primary refresh token (PRT) contains information about the device and is required for SSO. If you have a
device-based Conditional Access policy set on an application, without the PRT, access is denied. Hybrid
Conditional Access policies require a hybrid state device and a valid user who is signed in.
Devices that are Azure AD joined or hybrid Azure AD joined benefit from SSO to your organization's on-premises
resources as well as cloud resources. More information can be found in the article, How SSO to on-premises
resources works on Azure AD joined devices.
Device security
Azure AD registered devices utilize an account managed by the end user, this account is either a Microsoft
account or another locally managed credential secured with one or more of the following.
Password
PIN
Pattern
Windows Hello
Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD
secured with one or more of the following.
Password
Windows Hello for Business
Provisioning
Getting devices in to Azure AD can be done in a self-service manner or a controlled provisioning process by
administrators.
Summary
With device identity management in Azure AD, you can:
Simplify the process of bringing and managing devices in Azure AD
Provide your users with an easy to use access to your organization's cloud-based resources
License requirements
Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements,
see Comparing generally available features of the Free, Basic, and Premium editions.
Next steps
Learn more about Azure AD registered devices
Learn more about Azure AD joined devices
Learn more about hybrid Azure AD joined devices
To get an overview of how to manage device identities in the Azure portal, see Managing device identities
using the Azure portal.
To learn more about device-based Conditional Access, see Configure Azure Active Directory device-based
Conditional Access policies.
What is enterprise state roaming?
2/13/2020 • 2 minutes to read • Edit Online
With Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely synchronize their user
settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified
experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise
State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8.
Additionally, Enterprise State Roaming offers:
Separation of corporate and consumer data – Organizations are in control of their data, and there is no
mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using
Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays
encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
Better management and monitoring – Provides control and visibility over who syncs settings in your
organization and on which devices through the Azure AD portal integration.
Enterprise State Roaming is available in multiple Azure regions. You can find the updated list of available regions
on the Azure Services by Regions page under Azure Active Directory.
A RT IC L E DESC RIP T IO N
Enable Enterprise State Roaming in Azure Active Directory Enterprise State Roaming is available to any organization with
a Premium Azure Active Directory (Azure AD) subscription.
For more information on how to get an Azure AD
subscription, see the Azure AD product page.
Settings and data roaming FAQ This article answers some questions IT administrators might
have about settings and app data sync.
Group policy and MDM settings for settings sync Windows 10 provides Group Policy and mobile device
management (MDM) policy settings to limit settings sync.
Windows 10 roaming settings reference A list of settings that will be roamed and/or backed-up in
Windows 10.
Next steps
For information about enabling enterprise state roaming, see enable enterprise state roaming.
Tutorial: Configure hybrid Azure Active Directory join
for managed domains
9/7/2020 • 7 minutes to read • Edit Online
In this tutorial, you learn how to configure hybrid Azure Active Directory (Azure AD) join for Active Directory
domain-joined devices. This method supports a managed environment that includes both on-premises Active
Directory and Azure AD.
Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to
protect your resources at any time and from any location. You can accomplish this goal by managing device
identities in Azure AD. Use one of the following methods:
Azure AD join
Hybrid Azure AD join
Azure AD registration
This article focuses on hybrid Azure AD join.
Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud
and on-premises resources. You can secure access to your cloud and on-premises resources with Conditional
Access at the same time.
You can deploy a managed environment by using password hash sync (PHS) or pass-through authentication (PTA)
with seamless single sign-on. These scenarios don't require you to configure a federation server for authentication.
In this tutorial, you learn how to:
Configure hybrid Azure AD join
Enable Windows down-level devices
Verify joined devices
Troubleshoot
Prerequisites
The Azure AD Connect (1.1.819.0 or later)
The credentials of a global administrator for your Azure AD tenant
The enterprise administrator credentials for each of the forests
Familiarize yourself with these articles:
What is a device identity?
How To: Plan your hybrid Azure Active Directory join implementation
Controlled validation of hybrid Azure AD join
NOTE
Azure AD doesn't support smartcards or certificates in managed domains.
Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD
joined to Azure AD. If the computer objects belong to specific organizational units (OUs), configure the OUs to sync
in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see
Organizational unit–based filtering.
Beginning with version 1.1.819.0, Azure AD Connect includes a wizard to configure hybrid Azure AD join. The
wizard significantly simplifies the configuration process. The wizard configures the service connection points
(SCPs) for device registration.
The configuration steps in this article are based on using the wizard in Azure AD Connect.
Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your
organization's network:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)
WARNING
If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant
restrictions, ensure that traffic to 'https://device.login.microsoftonline.com' is excluded from TLS break-and-inspect. Failure to
exclude 'https://device.login.microsoftonline.com' may cause interference with client certificate authentication, causing issues
with device registration and device-based Conditional Access.
If your organization requires access to the internet via an outbound proxy, you can use implementing Web Proxy
Auto-Discovery (WPAD) to enable Windows 10 computers for device registration with Azure AD. To address issues
configuring and managing WPAD, see Troubleshooting Automatic Detection. In Windows 10 devices prior to 1709
update, WPAD is the only available option to configure a proxy to work with Hybrid Azure AD join.
If you don't use WPAD, you can configure WinHTTP proxy settings on your computer beginning with Windows 10
1709. For more information, see WinHTTP Proxy Settings deployed by GPO.
NOTE
If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the
configured proxy will fail to connect to the internet.
If your organization requires access to the internet via an authenticated outbound proxy, make sure that your
Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run
device registration by using machine context, configure outbound proxy authentication by using machine context.
Follow up with your outbound proxy provider on the configuration requirements.
Verify the device can access the above Microsoft resources under the system account by using the Test Device
Registration Connectivity script.
5. In Device options , select Configure Hybrid Azure AD join , and then select Next .
6. In SCP configuration , for each forest where you want Azure AD Connect to configure the SCP, complete
the following steps, and then select Next .
a. Select the Forest .
b. Select an Authentication Ser vice .
c. Select Add to enter the enterprise administrator credentials.
7. In Device operating systems , select the operating systems that devices in your Active Directory
environment use, and then select Next .
8. In Ready to configure , select Configure .
NOTE
Windows 7 support ended on January 14, 2020. For more information, see Windows 7 support ended.
You also must enable Allow updates to status bar via script in the user's local intranet zone.
Configure seamless SSO
To complete hybrid Azure AD join of your Windows down-level devices in a managed domain that uses password
hash sync or pass-through authentication as your Azure AD cloud authentication method, you must also configure
seamless SSO.
Install Microsoft Workplace Join for Windows down-level computers
To register Windows down-level devices, organizations must install Microsoft Workplace Join for non-Windows 10
computers. Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download
Center.
You can deploy the package by using a software distribution system likeMicrosoft Endpoint Configuration
Manager. The package supports the standard silent installation options with the quiet parameter. The current
version of Configuration Manager offers benefits over earlier versions, like the ability to track completed
registrations.
The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the
user signs in to Windows. The task silently joins the device with Azure AD by using the user credentials after it
authenticates with Azure AD.
Next steps
Advance to the next article to learn how to manage device identities by using the Azure portal.
Manage device identities
Tutorial: Configure hybrid Azure Active Directory join
for federated domains
9/7/2020 • 8 minutes to read • Edit Online
Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to
protect your resources at any time and from any location. You can accomplish this goal by bringing device
identities and managing them in Azure Active Directory (Azure AD) by using one of the following methods:
Azure AD join
Hybrid Azure AD join
Azure AD registration
Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud
and on-premises resources. You can secure access to your cloud and on-premises resources with Conditional
Access at the same time.
A federated environment should have an identity provider that supports the following requirements. If you have a
federated environment using Active Directory Federation Services (AD FS), then the below requirements are
already supported.
WIAORMULTIAUTHN claim: This claim is required to do hybrid Azure AD join for Windows down-level
devices.
WS-Trust protocol: This protocol is required to authenticate Windows current hybrid Azure AD joined devices
with Azure AD. When you're using AD FS, you need to enable the following WS-Trust endpoints:
/adfs/services/trust/2005/windowstransport /adfs/services/trust/13/windowstransport
/adfs/services/trust/2005/usernamemixed /adfs/services/trust/13/usernamemixed
/adfs/services/trust/2005/certificatemixed /adfs/services/trust/13/certificatemixed
WARNING
Both adfs/ser vices/trust/2005/windowstranspor t and adfs/ser vices/trust/13/windowstranspor t should be
enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web
Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see Disable WS-Trust Windows endpoints
on the proxy. You can see what endpoints are enabled through the AD FS management console under Ser vice >
Endpoints .
In this tutorial, you learn how to configure hybrid Azure AD join for Active Directory domain-joined computers
devices in a federated environment by using AD FS.
You learn how to:
Configure hybrid Azure AD join
Enable Windows downlevel devices
Verify the registration
Troubleshoot
Prerequisites
This tutorial assumes that you're familiar with these articles:
What is a device identity?
How to plan your hybrid Azure AD join implementation
How to do controlled validation of hybrid Azure AD join
To configure the scenario in this tutorial, you need:
Windows Server 2012 R2 with AD FS
Azure AD Connect version 1.1.819.0 or later
Beginning with version 1.1.819.0, Azure AD Connect includes a wizard that you can use to configure hybrid Azure
AD join. The wizard significantly simplifies the configuration process. The related wizard:
Configures the service connection points (SCPs) for device registration
Backs up your existing Azure AD relying party trust
Updates the claim rules in your Azure AD trust
The configuration steps in this article are based on using the Azure AD Connect wizard. If you have an earlier
version of Azure AD Connect installed, you must upgrade it to 1.1.819 or later to use the wizard. If installing the
latest version of Azure AD Connect isn't an option for you, see how to manually configure hybrid Azure AD join.
Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your
organization's network:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
Your organization's Security Token Service (STS) (For federated domains)
https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)
WARNING
If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant
restrictions, ensure that traffic to 'https://device.login.microsoftonline.com' is excluded from TLS break-and-inspect. Failure to
exclude 'https://device.login.microsoftonline.com' may cause interference with client certificate authentication, causing issues
with device registration and device-based Conditional Access.
Beginning with Windows 10 1803, if the instantaneous hybrid Azure AD join for a federated environment by using
AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that's subsequently used to
complete the device registration for hybrid Azure AD join. Verify that Azure AD Connect has synced the computer
objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to
specific organizational units (OUs), you must also configure the OUs to sync in Azure AD Connect. To learn more
about how to sync computer objects by using Azure AD Connect, see Configure filtering by using Azure AD
Connect.
If your organization requires access to the internet via an outbound proxy, Microsoft recommends implementing
Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers for device registration with Azure AD. If you
encounter issues configuring and managing WPAD, see Troubleshoot automatic detection.
If you don't use WPAD and want to configure proxy settings on your computer, you can do so beginning with
Windows 10 1709. For more information, see Configure WinHTTP settings by using a group policy object (GPO).
NOTE
If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the
configured proxy will fail to connect to the internet.
If your organization requires access to the internet via an authenticated outbound proxy, you must make sure that
your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10
computers run device registration by using machine context, you must configure outbound proxy authentication
by using machine context. Follow up with your outbound proxy provider on the configuration requirements.
To verify if the device is able to access the above Microsoft resources under the system account, you can use Test
Device Registration Connectivity script.
2. On the Additional tasks page, select Configure device options , and then select Next .
3. On the Over view page, select Next .
4. On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD
tenant, and then select Next .
5. On the Device options page, select Configure Hybrid Azure AD join , and then select Next .
6. On the SCP page, complete the following steps, and then select Next :
a. Select the forest.
b. Select the authentication service. You must select AD FS ser ver unless your organization has
exclusively Windows 10 clients and you have configured computer/device sync, or your organization
uses seamless SSO.
c. Select Add to enter the enterprise administrator credentials.
7. On the Device operating systems page, select the operating systems that the devices in your Active
Directory environment use, and then select Next .
8. On the Federation configuration page, enter the credentials of your AD FS administrator, and then select
Next .
NOTE
Windows 7 support ended on January 14, 2020. For more information, Support for Windows 7 has ended.
You also must enable Allow updates to status bar via script in the user’s local intranet zone.
Install Microsoft Workplace Join for Windows downlevel computers
To register Windows downlevel devices, organizations must install Microsoft Workplace Join for non-Windows 10
computers. Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download
Center.
You can deploy the package by using a software distribution system likeMicrosoft Endpoint Configuration
Manager. The package supports the standard silent installation options with the quiet parameter. The current
branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed
registrations.
The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the
user signs in to Windows. The task silently joins the device with Azure AD by using the user credentials after it
authenticates with Azure AD.
Next steps
Learn how to manage device identities by using the Azure portal.
Tutorial: Configure hybrid Azure Active Directory
joined devices manually
9/7/2020 • 17 minutes to read • Edit Online
With device management in Azure Active Directory (Azure AD), you can ensure that users are accessing your
resources from devices that meet your standards for security and compliance. For more information, see
Introduction to device management in Azure Active Directory.
TIP
If using Azure AD Connect is an option for you, see the related tutorials for managed or federated domains. By using Azure
AD Connect, you can significantly simplify the configuration of hybrid Azure AD join.
If you have an on-premises Active Directory environment and you want to join your domain-joined devices to
Azure AD, you can accomplish this by configuring hybrid Azure AD joined devices. In this tutorial, you learn how to:
Manually configure hybrid Azure AD join
Configure a service connection point
Set up issuance of claims
Enable Windows down-level devices
Verify joined devices
Troubleshoot your implementation
Prerequisites
This tutorial assumes that you're familiar with:
Introduction to device management in Azure Active Directory
Plan your hybrid Azure Active Directory join implementation
Control the hybrid Azure AD join of your devices
Before you start enabling hybrid Azure AD joined devices in your organization, make sure that:
You're running an up-to-date version of Azure AD Connect.
Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined
to Azure AD. If the computer objects belong to specific organizational units (OUs), these OUs need to be
configured for synchronization in Azure AD Connect as well.
Azure AD Connect:
Keeps the association between the computer account in your on-premises Active Directory instance and the
device object in Azure AD.
Enables other device-related features, like Windows Hello for Business.
Make sure that the following URLs are accessible from computers inside your organization's network for
registration of computers to Azure AD:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
Your organization's STS (for federated domains), which should be included in the user's local intranet settings
WARNING
If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant
restrictions, ensure that traffic to 'https://device.login.microsoftonline.com' is excluded from TLS break-and-inspect. Failure to
exclude 'https://device.login.microsoftonline.com' may cause interference with client certificate authentication, causing issues
with device registration and device-based Conditional Access.
If your organization plans to use Seamless SSO, the following URL needs to be reachable from the computers
inside your organization. It must also be added to the user's local intranet zone.
https://autologon.microsoftazuread-sso.com
Also, the following setting should be enabled in the user's intranet zone: "Allow status bar updates via script."
If your organization uses managed (non-federated) setup with on-premises Active Directory and does not use
Active Directory Federation Services (AD FS) to federate with Azure AD, then hybrid Azure AD join on Windows 10
relies on the computer objects in Active Directory to be synced to Azure AD. Make sure that any OUs that contain
the computer objects that need to be hybrid Azure AD joined are enabled for sync in the Azure AD Connect sync
configuration.
For Windows 10 devices on version 1703 or earlier, if your organization requires access to the internet via an
outbound proxy, you must implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to
register to Azure AD.
Beginning with Windows 10 1803, even if a hybrid Azure AD join attempt by a device in a federated domain
through AD FS fails, and if Azure AD Connect is configured to sync the computer/device objects to Azure AD, the
device will try to complete the hybrid Azure AD join by using the synced computer/device.
To verify if the device is able to access the above Microsoft resources under the system account, you can use Test
Device Registration Connectivity script.
W IN DO W S C URREN T A N D W IN DO W S C URREN T A N D
ST EP S PA SSW O RD H A SH SY N C F EDERAT IO N W IN DO W S DO W N - L EVEL
Configure service
connection point
Enable non-Windows 10
devices
In your forest, the SCP object for the auto-registration of domain-joined devices is located at:
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration
Naming Context]
Depending on how you have deployed Azure AD Connect, the SCP object might have already been configured. You
can verify the existence of the object and retrieve the discovery values by using the following Windows PowerShell
script:
$scp.Keywords;
The $scp.Keywords output shows the Azure AD tenant information. Here's an example:
azureADName:microsoft.com
azureADId:72f988bf-86f1-41af-91ab-2d7cd011db47
If the service connection point does not exist, you can create it by running the
Initialize-ADSyncDomainJoinedComputerSync cmdlet on your Azure AD Connect server. Enterprise admin credentials
are required to run this cmdlet.
The cmdlet:
Creates the service connection point in the Active Directory forest that Azure AD Connect is connected to.
Requires you to specify the AdConnectorAccount parameter. This account is configured as the Active Directory
connector account in Azure AD Connect.
The following script shows an example for using the cmdlet. In this script, $aadAdminCred = Get-Credential requires
you to type a user name. You need to provide the user name in the user principal name (UPN) format (
[email protected] ).
$aadAdminCred = Get-Credential;
$verifiedDomain = "contoso.com" # Replace this with any of your verified domain names in Azure AD
$tenantID = "72f988bf-86f1-41af-91ab-2d7cd011db47" # Replace this with you tenant ID
$configNC = "CN=Configuration,DC=corp,DC=contoso,DC=com" # Replace this with your Active Directory
configuration naming context
$deSCP.CommitChanges()
In the preceding script, $verifiedDomain = "contoso.com" is a placeholder. Replace it with one of your verified
domain names in Azure AD. You have to own the domain before you can use it.
For more information about verified domain names, see Add a custom domain name to Azure Active Directory.
To get a list of your verified company domains, you can use the Get-AzureADDomain cmdlet.
NOTE
If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they
support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX).
For device registration to finish, the following claims must exist in the token that Azure DRS receives. Azure DRS
will create a device object in Azure AD with some of this information. Azure AD Connect then uses this information
to associate the newly created device object with the computer account on-premises.
http://schemas.microsoft.com/ws/2012/01/accounttype
http://schemas.microsoft.com/identity/claims/onpremobjectguid
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
If you have more than one verified domain name, you need to provide the following claim for computers:
http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid
If you're already issuing an ImmutableID claim (for example, using mS-DS-ConsistencyGuid or another attribute as
the source value for the ImmutableID), you need to provide one corresponding claim for computers:
http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID
NOTE
If you don’t use AD FS for your on-premises federation server, follow your vendor's instructions to create the appropriate
configuration to issue these claims.
Issue issuerID for the computer when multiple verified domain names are in Azure AD
The http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid claim must contain the Uniform Resource
Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or
partner) issuing the token. In AD FS, you can add issuance transform rules that look like the following ones in that
specific order, after the preceding ones. Note that one rule to explicitly issue the rule for users is necessary. In the
following rules, a first rule that identifies user versus computer authentication is added.
@RuleName = "Issue account type with the value User when its not a computer"
NOT EXISTS(
[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "DJ"
]
)
=> add(
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "User"
);
@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[
Type == "http://schemas.xmlsoap.org/claims/UPN"
]
&&
c2:[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "User"
]
=> issue(
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = regexreplace(
c1.Value,
".+@(?<domain>.+)",
"http://${domain}/adfs/services/trust/"
)
);
In the preceding claim, <verified-domain-name> is a placeholder. Replace it with one of your verified domain names
in Azure AD. For example, use Value = "http://contoso.com/adfs/services/trust/" .
For more information about verified domain names, see Add a custom domain name to Azure Active Directory.
To get a list of your verified company domains, you can use the Get-MsolDomain cmdlet.
Issue ImmutableID for the computer when one for users exists (for example, using mS -DS -ConsistencyGuid as
the source for ImmutableID)
The http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID claim must contain a valid value for
computers. In AD FS, you can create an issuance transform rule as follows:
@RuleName = "Issue ImmutableID for computers"
c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
store = "Active Directory",
types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
query = ";objectguid;{0}",
param = c2.Value
);
$multipleVerifiedDomainNames = $false
$immutableIDAlreadyIssuedforUsers = $false
$oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains
$rule4 = ''
if ($multipleVerifiedDomainNames -eq $true) {
$rule4 = '@RuleName = "Issue account type with the value User when it is not a computer"
NOT EXISTS(
[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "DJ"
]
)
=> add(
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "User"
);
@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[
Type == "http://schemas.xmlsoap.org/claims/UPN"
]
&&
c2:[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "User"
]
=> issue(
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = regexreplace(
c1.Value,
".+@(?<domain>.+)",
"http://${domain}/adfs/services/trust/"
)
);
$rule5 = ''
if ($immutableIDAlreadyIssuedforUsers -eq $true) {
$rule5 = '@RuleName = "Issue ImmutableID for computers"
c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
store = "Active Directory",
types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
query = ";objectguid;{0}",
param = c2.Value
);'
}
Remarks
This script appends the rules to the existing rules. Do not run the script twice, because the set of rules would
be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding
conditions) before running the script again.
If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomain
cmdlet), set the value of $multipleVerifiedDomainNames in the script to $true . Also make sure that you
remove any existing issuerid claim that might have been created by Azure AD Connect or via other means.
Here's an example for this rule:
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value =
regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
If you have already issued an ImmutableID claim for user accounts, set the value of
$immutableIDAlreadyIssuedforUsers in the script to $true .
eyJQcm9wZXJ0aWVzIjpbeyJLZXkiOiJhY3IiLCJWYWx1ZSI6IndpYW9ybXVsdGlhdXRobiJ9XX0
When such a request comes, the on-premises federation service must authenticate the user by using Integrated
Windows Authentication. When authentication is successful, the federation service must issue the following two
claims:
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
http://schemas.microsoft.com/claims/wiaormultiauthn
In AD FS, you must add an issuance transform rule that passes through the authentication method. To add this rule:
1. In the AD FS management console, go to AD FS > Trust Relationships > Relying Par ty Trusts .
2. Right-click the Microsoft Office 365 Identity Platform relying party trust object, and then select Edit Claim
Rules .
3. On the Issuance Transform Rules tab, select Add Rule .
4. In the Claim rule template list, select Send Claims Using a Custom Rule .
5. Select Next .
6. In the Claim rule name box, enter Auth Method Claim Rule .
7. In the Claim rule box, enter the following rule:
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"] => issue(claim = c);
8. On your federation server, enter the following PowerShell command. Replace <RPObjectName> with the
relying party object name for your Azure AD relying party trust object. This object usually is named
Microsoft Office 365 Identity Platform .
Set-AdfsRelyingPartyTrust -TargetName <RPObjectName> -AllowedAuthenticationClassReferences
wiaormultiauthn
Add the Azure AD device authentication endpoint to the local intranet zones
To avoid certificate prompts when users of registered devices authenticate to Azure AD, you can push a policy to
your domain-joined devices to add the following URL to the local intranet zone in Internet Explorer:
https://device.login.microsoftonline.com
Next steps
Introduction to device management in Azure Active Directory
Tutorial: Join a new Windows 10 device with Azure
AD during a first run
9/7/2020 • 2 minutes to read • Edit Online
With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your
resources from devices that meet your standards for security and compliance. For more information, see the
introduction to device management in Azure Active Directory.
With Windows 10, You can join a new device to Azure AD during the first-run experience (FRX).
This enables you to distribute shrink-wrapped devices to your employees or students.
If you have either Windows 10 Professional or Windows 10 Enterprise installed on a device, the experience defaults
to the setup process for company-owned devices.
In the Windows out-of-box experience, joining an on-premises Active Directory (AD) domain is not supported. If
you plan to join a computer to an AD domain, during setup, you should select the link Set up Windows with a
local account . You can then join the domain from the settings on your computer.
In this tutorial, you learn how to join a device to Azure AD during FRX:
Prerequisites
Joining a device
Verification
Prerequisites
To join a Windows 10 device, the device registration service must be configured to enable you to register devices.
In addition to having permission to joining devices in your Azure AD tenant, you must have fewer devices
registered than the configured maximum. For more information, see configure device settings.
In addition, if your tenant is federated, your Identity provider MUST support WS-Fed and WS-Trust
username/password endpoint. This can be version 1.3 or 2005. This protocol support is required to both join the
device to Azure AD and sign in to the device with a password.
Joining a device
To join a Windows 10 device to Azure AD during FRX:
1. When you turn on your new device and start the setup process, you should see the Getting Ready
message. Follow the prompts to set up your device.
2. Start by customizing your region and language. Then accept the Microsoft Software License Terms.
3. Select the network you want to use for connecting to the Internet.
4. Click This device belongs to my organization .
5. Enter the credentials that were provided to you by your organization, and then click Sign in .
6. Your device locates a matching tenant in Azure AD. If you are in a federated domain, you are redirected to
your on-premises Secure Token Service (STS) server, for example, Active Directory Federation Services (AD
FS).
7. If you are a user in a non-federated domain, enter your credentials directly on the Azure AD-hosted page.
8. You are prompted for a multi-factor authentication challenge.
9. Azure AD checks whether an enrollment in mobile device management is required.
10. Windows registers the device in the organization’s directory in Azure AD and enrolls it in mobile device
management, if applicable.
11. If you are:
A managed user, Windows takes you to the desktop through the automatic sign-in process.
A federated user, you are directed to the Windows sign-in screen to enter your credentials.
Verification
To verify whether a device is joined to your Azure AD, review the Access work or school dialog on your Windows
device. The dialog should indicate that you are connected to your Azure AD directory.
Next steps
For more information, see the introduction to device management in Azure Active Directory.
For more information about managing devices in the Azure AD portal, see managing devices using the Azure
portal.
Azure AD registered devices
9/7/2020 • 2 minutes to read • Edit Online
The goal of Azure AD registered devices is to provide your users with support for the Bring Your Own Device
(BYOD) or mobile device scenarios. In these scenarios, a user can access your organization’s Azure Active Directory
controlled resources using a personal device.
Mobile devices
Password
Windows Hello
PIN
Azure AD registered devices are signed in to using a local account like a Microsoft account on a Windows 10
device, but additionally have an Azure AD account attached for access to organizational resources. Access to
resources in the organization can be further limited based on that Azure AD account and Conditional Access
policies applied to the device identity.
Administrators can secure and further control these Azure AD registered devices using Mobile Device
Management (MDM) tools like Microsoft Intune. MDM provides a means to enforce organization-required
configurations like requiring storage to be encrypted, password complexity, and security software kept updated.
Azure AD registration can be accomplished when accessing a work application for the first time or manually using
the Windows 10 Settings menu.
Scenarios
A user in your organization wants to access tools for email, reporting time-off, and benefits enrollment from their
home PC. Your organization has these tools behind a Conditional Access policy that requires access from an Intune
compliant device. The user adds their organization account and registers their home PC with Azure AD and the
required Intune policies are enforced giving the user access to their resources.
Another user wants to access their organizational email on their personal Android phone that has been rooted.
Your company requires a compliant device and has created an Intune compliance policy to block any rooted
devices. The employee is stopped from accessing organizational resources on this device.
Next steps
Manage device identities using the Azure portal
Manage stale devices in Azure AD
Azure AD joined devices
9/7/2020 • 3 minutes to read • Edit Online
Azure AD join is intended for organizations that want to be cloud-first or cloud-only. Any organization can deploy
Azure AD joined devices no matter the size or industry. Azure AD join works even in a hybrid environment,
enabling access to both cloud and on-premises apps and resources.
Bulk enrollment
Windows Autopilot
Password
Azure AD joined devices are signed in to using an organizational Azure AD account. Access to resources in the
organization can be further limited based on that Azure AD account and Conditional Access policies applied to the
device identity.
Administrators can secure and further control Azure AD joined devices using Mobile Device Management (MDM)
tools like Microsoft Intune or in co-management scenarios using Microsoft Endpoint Configuration Manager. These
tools provide a means to enforce organization-required configurations like requiring storage to be encrypted,
password complexity, software installations, and software updates. Administrators can make organization
applications available to Azure AD joined devices using Configuration Manager to Manage apps from the
Microsoft Store for Business and Education.
Azure AD join can be accomplished using self-service options like the Out of Box Experience (OOBE), bulk
enrollment, or Windows Autopilot.
Azure AD joined devices can still maintain single sign-on access to on-premises resources when they are on the
organization's network. Devices that are Azure AD joined can still authenticate to on-premises servers like file,
print, and other applications.
Scenarios
While Azure AD join is primarily intended for organizations that do not have an on-premises Windows Server
Active Directory infrastructure, you can certainly use it in scenarios where:
You want to transition to cloud-based infrastructure using Azure AD and MDM like Intune.
You can’t use an on-premises domain join, for example, if you need to get mobile devices such as tablets and
phones under control.
Your users primarily need to access Office 365 or other SaaS apps integrated with Azure AD.
You want to manage a group of users in Azure AD instead of in Active Directory. This scenario can apply, for
example, to seasonal workers, contractors, or students.
You want to provide joining capabilities to workers in remote branch offices with limited on-premises
infrastructure.
You can configure Azure AD joined devices for all Windows 10 devices with the exception of Windows 10 Home.
The goal of Azure AD joined devices is to simplify:
Windows deployments of work-owned devices
Access to organizational apps and resources from any Windows device
Cloud-based management of work-owned devices
Users to sign in to their devices with their Azure AD or synced Active Directory work or school accounts.
Azure AD Join can be deployed by using any of the following methods:
Windows Autopilot
Bulk deployment
Self-service experience
Next steps
Plan your Azure AD join implementation
How to manage the local administrators group on Azure AD joined devices
Manage device identities using the Azure portal
Manage stale devices in Azure AD
Hybrid Azure AD joined devices
9/7/2020 • 2 minutes to read • Edit Online
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to
enable:
IT departments to manage work-owned devices from a central location.
Users to sign in to their devices with their Active Directory work or school accounts.
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they
often use Configuration Manager or group policy (GP) to manage them.
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by
Azure Active Directory, you can implement hybrid Azure AD joined devices. These devices, are devices that are
joined to your on-premises Active Directory and registered with your Azure Active Directory.
Password
Scenarios
Use Azure AD hybrid joined devices if:
You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.
You want to continue to use Group Policy to manage device configuration.
You want to continue to use existing imaging solutions to deploy and configure devices.
You must support down-level Windows 7 and 8.1 devices in addition to Windows 10
Next steps
Plan your hybrid Azure AD join implementation
Manage device identities using the Azure portal
Manage stale devices in Azure AD
How SSO to on-premises resources works on Azure
AD joined devices
9/7/2020 • 3 minutes to read • Edit Online
It is probably not a surprise that an Azure Active Directory (Azure AD) joined device gives you a single sign-on
(SSO) experience to your tenant's cloud apps. If your environment has an on-premises Active Directory (AD), you
can extend the SSO experience on these devices to resources and applications that rely on on-premises AD as well.
This article explains how this works.
Prerequisites
If Azure AD joined machines are not connected to your organization's network, a VPN or other network
infrastructure is required. On-premises SSO requires line-of-sight communication with your on-premises AD DS
domain controllers.
How it works
With an Azure AD joined device, your users already have an SSO experience to the cloud apps in your
environment. If your environment has an Azure AD and an on-premises AD, you may want to expand the scope of
your SSO experience to your on-premises Line Of Business (LOB) apps, file shares, and printers.
Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined
to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD
Connect.
An environment that has both, an Azure AD and an on-premises AD, is also known has hybrid environment. If you
have a hybrid environment, it is likely that you already have Azure AD Connect deployed to synchronize your on-
premises identity information to the cloud. As part of the synchronization process, Azure AD Connect synchronizes
on-premises user information to Azure AD. When a user signs in to an Azure AD joined device in a hybrid
environment:
1. Azure AD sends the details of the user's on-premises domain back to the device, along with the Primary Refresh
Token
2. The local security authority (LSA) service enables Kerberos and NTLM authentication on the device.
During an access attempt to a resource requesting Kerberos or NTLM in the user's on-premises environment, the
device:
1. Sends the on-premises domain information and user credentials to the located DC to get the user
authenticated.
2. Receives a Kerberos Ticket-Granting Ticket (TGT) or NTLM token based on the protocol the on-premises
resource or application supports. If the attempt to get the Kerberos TGT or NTLM token for the domain fails
(related DCLocator timeout can cause a delay), Credential Manager entries are attempted, or the user may
receive an authentication popup requesting credentials for the target resource.
All apps that are configured for Windows-Integrated authentication seamlessly get SSO when a user tries to
access them.
Windows Hello for Business requires additional configuration to enable on-premises SSO from an Azure AD joined
device. For more information, see Configure Azure AD joined devices for On-premises Single-Sign On using
Windows Hello for Business.
Next steps
For more information, see What is device management in Azure Active Directory?
What is a Primary Refresh Token?
9/7/2020 • 21 minutes to read • Edit Online
A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10, iOS, and Android
devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-
on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is
issued, used, and protected on Windows 10 devices.
This article assumes that you already understand the different device states available in Azure AD and how single
sign-on works in Windows 10. For more information about devices in Azure AD, see the article What is device
management in Azure Active Directory?
NOTE
3rd party identity providers need to support the WS-Trust protocol to enable PRT issuance on Windows 10 devices. Without
WS-Trust, PRT cannot be issued to users on Hybrid Azure AD joined or Azure AD joined devices. On ADFS only
usernamemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and
adfs/services/trust/13/windowstransport should be enabled as intranet facing endpoints only and must NOT be exposed
as extranet facing endpoints through the Web Application Proxy
Detailed flows
The following diagrams illustrate the underlying details in issuing, renewing, and using a PRT to request an access
token for an application. In addition, these steps also describe how the aforementioned security mechanisms are
applied during these interactions.
PRT issuance during first sign in
NOTE
In Azure AD joined devices, this exchange happens synchronously to issue a PRT before the user can logon to Windows. In
hybrid Azure AD joined devices, on-premises Active Directory is the primary authority. So, the user is only waiting until they
can acquire a TGT to login, while the PRT issuance happens asynchronously. This scenario does not apply to Azure AD
registered devices as logon does not use Azure AD credentials.
ST EP DESC RIP T IO N
C If the user is managed, CloudAP will get the nonce from Azure
AD. If the user is federated, CloudAP plugin requests a SAML
token from the federation provider with the user’s credentials.
Once it receives, the SAML token, it requests a nonce from
Azure AD.
NOTE
A PRT can be renewed externally without the need of a VPN connection when usernamemixed endpoints are enabled
externally.
ST EP DESC RIP T IO N
ST EP DESC RIP T IO N
C The native client host validates that the URLs belong to the
Microsoft identity providers (Microsoft account or Azure AD),
extracts a nonce sent from the URL and makes a call to
CloudAP plugin to get a PRT cookie.
D The CloudAP plugin will create the PRT cookie, sign in with the
TPM-bound session key and send it back to the native client
host. As the cookie is signed by the session key, it cannot be
tampered with.
E The native client host will return this PRT cookie to the
browser, which will include it as part of the request header
called x-ms-RefreshTokenCredential and request tokens from
Azure AD.
Next steps
For more information on troubleshooting PRT-related issues, see the article Troubleshooting hybrid Azure Active
Directory joined Windows 10 and Windows Server 2016 devices.
Understand secure, Azure-managed workstations
3/6/2020 • 8 minutes to read • Edit Online
Secured, isolated workstations are critically important for the security of sensitive roles like administrators,
developers, and critical service operators. If client workstation security is compromised, many security controls and
assurances can fail or be ineffective.
This document explains what you need for building a secure workstation, often known as a privileged access
workstation (PAW). The article also contains detailed instructions to set up initial security controls. This guidance
describes how cloud-based technology can manage the service. It relies on security capabilities that were
introduced in Windows 10RS5, Microsoft Defender Advanced Threat Protection (ATP), Azure Active Directory, and
Microsoft Intune.
NOTE
This article explains the concept of a secure workstation and its importance. If you are already familiar with the concept and
would like to skip to deployment, visit Deploy a Secure Workstation.
This document describes a solution that can help protect your computing devices from such lateral attacks. The
solution isolates management and services from less valuable productivity devices, breaking the chain before the
device that has access to sensitive cloud resources can be infiltrated. The solution uses native Azure services that
are part of the Microsoft 365 Enterprise stack:
Intune for device management and a safe list of applications and URLs
Autopilot for device setup, deployment, and refresh
Azure AD for user management, Conditional Access, and multi-factor authentication
Windows 10 (current version) for device health attestation and user experience
Defender ATP for cloud-managed endpoint protection, detection, and response
Azure AD PIM for managing authorization and just-in-time (JIT) privileged access to resources
Log Analytics, and Sentinel for monitoring and alerting
NOTE
Web browsing here refers to general access to arbitrary websites which can be a high risk activity. Such browsing is distinctly
different from using a web browser to access a small number of well-known administrative websites for services like Azure,
Office 365, other cloud providers, and SaaS applications.
Containment strategies tighten security by increasing the number and type of controls that deter an attacker from
gaining access sensitive assets. The model described in this article uses a tiered privilege design and restricts
administrative privileges to specific devices.
Supply chain management
Essential to a secured workstation is a supply chain solution where you use a trusted workstation called the 'root of
trust'. Technology that must be considered in the selection of the root of trust hardware should include the
following technologies included in modern laptops:
Trusted Platform Module (TPM) 2.0
BitLocker Drive Encryption
UEFI Secure Boot
Drivers and Firmware Distributed through Windows Update
Virtualization and HVCI Enabled
Drivers and Apps HVCI-Ready
Windows Hello
DMA I/O Protection
System Guard
Modern Standby
For this solution, root of trust will be deployed using Microsoft Autopilot technology with hardware that meets the
modern technical requirements. To secure a workstation, Autopilot lets you leverage Microsoft OEM-optimized
Windows 10 devices. These devices come in a known good state from the manufacturer. Instead of reimaging a
potentially insecure device, Autopilot can transform a Windows device into a “business-ready” state. It applies
settings and policies, installs apps, and even changes the edition of Windows 10. For example, Autopilot might
change a device's Windows installation from Windows 10 Pro to Windows 10 Enterprise so that it can use
advanced features.
Device roles and profiles
This guidance references several security profiles and roles that can help you create more secure solutions for
users, developers, and IT personnel. These profiles balance usability and risks for common users that can benefit
from an enhanced or secure workstation. The settings configurations provided here are based on industry accepted
standards. This guidance shows how to harden Windows 10 and reduce the risks associated with device or user
compromise. To take advantage of the modern hardware technology and root of trust device, we will use Device
Health Attestation, which is enabled starting at the High Security profile. This capability is present to ensure the
attackers cannot be persistent during the early boot of a device. It does so by using policy and technology to help
manage security features and risks.
Basic Security – A managed, standard workstation provides a good starting point for most home and
small business use. These devices are registered in Azure AD and managed with Intune. This profile permits
users to run any applications and browse any website. An anti-malware solution like Microsoft Defender
should be enabled.
Enhanced Security – This entry-level, protected solution is good for home users, small business users, and
general developers.
The enhanced workstation is a policy-based way to increase the security of the low security profile. It
provides a secure means to work with customer data while also using productivity tools like email and web
browsing. You can use audit policies and Intune to monitor an enhanced workstation for user behavior and
profile usage. You deploy the enhanced workstation profile with the Windows10 (1809) script, and it takes
advantage of advanced malware protection using Advanced Threat Protection (ATP).
High Security – The most effective means to reduce the attack surface of a workstation is to remove the
ability to self-administer the workstation. Removing local administrative rights is a step that improves
security, but it can impact productivity if implemented incorrectly. The high security profile builds on the
enhanced security profile with one considerable change: the removal of the local admin. This profile is
designed for high profile users: executives, payroll and sensitive data users, approvers for services and
processes.
The high security user demands a more controlled environment while still being able to do activities such as
email and web browsing in a simple-to-use experience. The users expect features such as cookies, favorites,
and other shortcuts to work. However, these users may not require the ability to modify or debug their
device. They also don't need to install drivers. The high security profile is deployed using the High Security -
Windows10 (1809) script.
Specialized – Attackers target developers and IT administrators because they can alter systems of interest
to the attackers. The specialized workstation expands on the policies of the high security workstation by
managing local applications and limiting websites. It also restricts high-risk productivity capabilities such as
ActiveX, Java, browser plugins, and other Windows controls. You deploy this profile with the
DeviceConfiguration_NCSC - Windows10 (1803) SecurityBaseline script.
Secured – An attacker who compromises an administrative account can cause significant business damage
by data theft, data alteration, or service disruption. In this hardened state, the workstation enables all the
security controls and policies that restrict direct control of local application management. A secured
workstation has no productivity tools so the device more difficult to compromise. It blocks the most
common vector for phishing attacks: email and social media. The secured workstation can be deployed with
the Secure Workstation - Windows10 (1809) SecurityBaseline script.
A secure workstation provides an administrator with a hardened workstation that has clear application
control and application guard. The workstation uses credential guard, device guard, and exploit guard to
protect the host from malicious behavior. All local disks are also encrypted with BitLocker.
Isolated – This custom, offline scenario represents the extreme end of the spectrum. No installation scripts
are provided for this case. You might need to manage a business-critical function that requires an
unsupported or unpatched legacy operating system. For example, a high value production line or a life-
support system. Because security is critical and cloud services are unavailable, you can manage and update
these computers manually or with an isolated Active Directory forest architecture such as the Enhanced
Security Admin Environment (ESAE). In these circumstances, consider removing all access except basic
Intune and ATP health checks.
Intune network communications requirement
ATP network communications requirement
Next steps
Deploy a secure Azure-managed workstation.
Plan your Azure Active Directory device deployment
9/7/2020 • 9 minutes to read • Edit Online
This article helps you evaluate the methods to integrate your device with Azure AD, choose the implementation
plan, and provides key links to supported device management tools.
The landscape of devices from which your users sign in is expanding. Organizations may provide desktops, laptops,
phones, tablets, and other devices. Your users may bring their own array of devices, and access information from
varied locations. In this environment, your job as an administrator is to keep your organizational resources secure
across all devices.
Azure Active Directory (Azure AD) enables your organization to meet these goals with device identity management.
You can now get your devices in Azure AD and control them from a central location in the Azure portal. This gives
you a unified experience, enhanced security, and reduces the time needed to configure a new device.
There are multiple methods to integrate your devices into Azure AD:
You can register devices with Azure AD
Join devices to Azure AD (cloud-only) or
Create a hybrid Azure AD join in between devices in your on-premises Active Directory and Azure AD.
Learn
Before you begin, make sure that you're familiar with the device identity management overview.
Benefits
The key benefits of giving your devices an Azure AD identity:
Increase productivity – With Azure AD, your users can do seamless sign-on (SSO) to your on-premises and
cloud resources, which enables them to be productive wherever they are.
Increase security – Azure AD devices enable you to apply Conditional Access (CA) policies to resources based
on the identity of the device or user. CA policies can offer extra protection using Azure AD Identity Protection.
Joining a device to Azure AD is a prerequisite for increasing your security with a Passwordless
Authentication strategy.
Improve user experience – With device identities in Azure AD, you can provide your users with easy access to
your organization’s cloud-based resources from both personal and corporate devices. Administrators can
enable Enterprise State Roaming for a unified experience across all Windows devices.
Simplify deployment and management – Device identity management simplifies the process of bringing
devices to Azure AD with Windows Autopilot, bulk provisioning, and self-service: Out of Box Experience
(OOBE). You can manage these devices with Mobile Device Management (MDM) tools like Microsoft Intune,
and their identities in Azure portal.
Training resources
Video: Conditional access with device controls
FAQs: Azure AD device management FAQ and Settings and data roaming FAQ
RO L E DESC RIP T IO N
Device administrator A representative from the device team that can verify that the
plan will meet the device requirements of your organization.
Network administrator A representative from the network team that can make sure
to meet network requirements.
OS-specific admin teams Teams that support and manage specific OS versions. For
example, there may be a Mac or iOS focused team.
Plan communications
Communication is critical to the success of any new service. Proactively communicate with your users how their
experience will change, when it will change, and how to gain support if they experience issues.
Plan a pilot
We recommend that the initial configuration of your integration method is in a test environment, or with a small
group of test devices. See Best practices for a pilot.
Hybrid Azure AD join deployment is straightforward, and it's 100% an administrator’s task without end user action
necessary. You may want to do a controlled validation of hybrid Azure AD join before enabling it across the entire
organization all at once.
NOTE
Personal or bring-your-own device (BYOD) scenarios are not pictured in this diagram. They always result in Azure AD
registration.
Comparison matrix
iOS and Android devices may only be Azure AD registered. The following table presents high-level considerations
for Windows client devices. Use it as an overview, then explore the different integration methods in detail.
Windows 10 devices
Sign in options
Password
Device PIN
Windows Hello
Key capabilities
SSO to on-premises
resources
Conditional Access
(Require devices be marked
as compliant)
(Must be managed by
MDM)
Conditional Access
(Require hybrid Azure AD
joined devices)
Azure AD Registration
Registered devices are often managed with Microsoft Intune. Devices are enrolled in Intune in a number of ways,
depending on the operating system.
Azure AD registered devices provide support for Bring Your Own Devices (BYOD) and corporate owned devices to
SSO to cloud resources. Access to resources is based on the Azure AD CA policies applied to the device and the
user.
Registering devices
Registered devices are often managed with Microsoft Intune. Devices are enrolled in Intune in a number of ways,
depending on the operating system.
BYOD and corporate owned mobile device are registered by users installing the Company portal app.
iOS
Android
Windows 10
If registering your devices is the best option for your organization, see the following resources:
This overview of Azure AD registered devices.
This end-user documentation on Register your personal device on your organization’s network.
Azure AD join
Azure AD join enables you to transition towards a cloud-first model with Windows. It provides a great foundation if
you're planning to modernize your device management and reduce device-related IT costs. Azure AD join works
with Windows 10 devices only. Consider it as the first choice for new devices.
However, Azure AD joined devices can SSO to on-premises resources when they are on the organization's network,
can authenticate to on-premises servers like file, print, and other applications.
If this is the best option for your organization, see the following resources:
This overview of Azure AD joined devices.
Familiarize yourself with the Azure AD Join implementation plan.
Provisioning Azure AD Join to your devices
To provision Azure AD Join, you have the following approaches:
Self-Service: Windows 10 first-run experience
If you have either Windows 10 Professional or Windows 10 Enterprise installed on a device, the experience defaults
to the setup process for company-owned devices.
Windows Out of Box Experience (OOBE) or from Windows Settings
Windows Autopilot
Bulk Enrollment
Choose your deployment procedure after careful comparison of these approaches.
You may determine that Azure AD Join is the best solution for a device, and that device may already be in a
different states. Here are the upgrade considerations.
On-premises domain joined Azure AD Join Unjoin the device from on-premises
domain before joining to Azure AD
Hybrid Azure AD Join Azure AD Join Unjoin the device from on-premises
domain and from Azure AD before
joining to Azure AD
NOTE
The on-premises domain-joined Windows 10 device attempts to auto-join to Azure AD to become Hybrid Azure AD joined
by default. This will only succeed if you haves set up the right environment.
You may determine that Hybrid Azure AD Join is the best solution for a device, and that device may already be in a
different state. Here are the upgrade considerations.
On-premises domain join Hybrid Azure AD Join Use Azure AD connect or AD FS to join
to Azure
On-premises workgroup joined or new Hybrid Azure AD Join Supported with Windows Autopilot.
Otherwise device needs to be on-
premises domain joined before Hybrid
Azure AD Join
Azure AD joined Hybrid Azure AD Join Unjoin from Azure AD, which puts it in
the on-premises workgroup or new
state.
Mobile Device
Management (MDM)
Example: Microsoft
Intune
Co management with
Microsoft Intune and
Microsoft Endpoint
Configuration
Manager
(Windows 10 and
later)
Group policy
(Windows only)
We recommend that you consider Microsoft Intune Mobile Application management (MAM) with or without device
management for registered iOS or Android devices.
Administrators can also deploy virtual desktop infrastructure (VDI) platforms hosting Windows operating systems
in their organizations to streamline management and reduce costs through consolidation and centralization of
resources.
Troubleshoot device identities
Troubleshooting devices using the dsregcmd command
Troubleshooting Enterprise State Roaming settings in Azure Active Directory
If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:
Troubleshoot hybrid Azure AD join for Windows current devices
Troubleshoot hybrid Azure AD join for Windows down level devices
Next steps
Plan your Azure AD Join implementation
Plan your hybrid Azure AD Join implementation
Manage device identities
How to: Plan your Azure AD join implementation
9/7/2020 • 10 minutes to read • Edit Online
Azure AD join allows you to join devices directly to Azure AD without the need to join to on-premises Active
Directory while keeping your users productive and secure. Azure AD join is enterprise-ready for both at-scale and
scoped deployments.
This article provides you with the information you need to plan your Azure AD join implementation.
Prerequisites
This article assumes that you are familiar with the Introduction to device management in Azure Active Directory.
If your identity provider does not support these protocols, Azure AD join does not work natively.
NOTE
Currently, Azure AD join does not work with AD FS 2019 configured with external authentication providers as the primary
authentication method. Azure AD join defaults to password authentication as the primary method, which results in
authentication failures in this scenario
NOTE
Group policies are not supported in Azure AD joined devices as they are not connected to on-premises Active Directory.
Management of Azure AD joined devices is only possible through MDM
There are two approaches for managing Azure AD joined devices:
MDM-only - A device is exclusively managed by an MDM provider like Intune. All policies are delivered as part
of the MDM enrollment process. For Azure AD Premium or EMS customers, MDM enrollment is an automated
step that is part of an Azure AD join.
Co-management - A device is managed by an MDM provider and SCCM. In this approach, the SCCM agent is
installed on an MDM-managed device to administer certain aspects.
If you are using group policies, evaluate your MDM policy parity by using the MDM Migration Analysis Tool
(MMAT).
Review supported and unsupported policies to determine whether you can use an MDM solution instead of Group
policies. For unsupported policies, consider the following:
Are the unsupported policies necessary for Azure AD joined devices or users?
Are the unsupported policies applicable in a cloud driven deployment?
If your MDM solution is not available through the Azure AD app gallery, you can add it following the process
outlined in Azure Active Directory integration with MDM.
Through co-management, you can use SCCM to manage certain aspects of your devices while policies are
delivered through your MDM platform. Microsoft Intune enables co-management with SCCM. For more
information on co-management for Windows 10 devices, see What is co-management?. If you use an MDM
product other than Intune, please check with your MDM provider on applicable co-management scenarios.
Recommendation: Consider MDM only management for Azure AD joined devices.
Choose your deployment approach or approaches by reviewing the table above and reviewing the following
considerations for adopting either approach:
Are your users tech savvy to go through the setup themselves?
Self-service can work best for these users. Consider Windows Autopilot to enhance the user experience.
Are your users remote or within corporate premises?
Self-service or Autopilot work best for remote users for a hassle-free setup.
Do you prefer a user driven or an admin-managed configuration?
Bulk enrollment works better for admin driven deployment to set up devices before handing over to
users.
Do you purchase devices from 1-2 OEMS, or do you have a wide distribution of OEM devices?
If purchasing from limited OEMs who also support Autopilot, you can benefit from tighter integration
with Autopilot.
Each URL has a predefined default value. If these fields are empty, please contact your MDM provider for more
information.
MAM settings
MAM does not apply to Azure AD join.
Configure enterprise state roaming
If you want to enable state roaming to Azure AD so that users can sync their settings across devices, see Enable
Enterprise State Roaming in Azure Active Directory.
Recommendation : Enable this setting even for hybrid Azure AD joined devices.
You can use this implementation to require managed devices for cloud app access with Conditional Access.
Next steps
Join a new Windows 10 device with Azure AD during a first run Join your work device to your organization's
network
How to manage the local administrators group on
Azure AD joined devices
9/7/2020 • 5 minutes to read • Edit Online
To manage a Windows device, you need to be a member of the local administrators group. As part of the Azure
Active Directory (Azure AD) join process, Azure AD updates the membership of this group on a device. You can
customize the membership update to satisfy your business requirements. A membership update is, for example,
helpful if you want to enable your helpdesk staff to do tasks requiring administrator rights on a device.
This article explains how the local administrators membership update works and how you can customize it during
an Azure AD Join. The content of this article doesn't apply to a hybrid Azure AD joined devices.
How it works
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security
principals to the local administrators group on the device:
The Azure AD global administrator role
The Azure AD device administrator role
The user performing the Azure AD join
By adding Azure AD roles to the local administrators group, you can update the users that can manage a device
anytime in Azure AD without modifying anything on the device. Currently, you cannot assign groups to an
administrator role. Azure AD also adds the Azure AD device administrator role to the local administrators group to
support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users
that have been only assigned the device administrator role to manage a device.
Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a
specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the
affected users. On devices where a user is already signed into, the privilege elevation takes place when both the
below actions happen:
Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges.
User signs out and signs back in, not lock/unlock, to refresh their profile.
NOTE
The above actions are not applicable to users who have not signed in to the relevant device previously. In this case, the
administrator privileges are applied immediately after their first sign-in to the device.
Starting with Windows 10 2004 update, you can use Azure AD groups to manage administrator privileges on
Azure AD joined devices with the Restricted Groups MDM policy. This policy allows you to assign individual users
or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity
to configure distinct administrators for different groups of devices.
Currently, there's no UI in Intune to manage this policy and needs to be configured using Custom OMA-URI
Settings. A few considerations for this policy:
Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the
Groups API. The SID is defined by the property securityIdentifier in the Groups API.
When Restricted Groups policy is enforced, any current member of the group that is not on the Members list is
removed. So enforcing this policy with new members or groups will remove the existing administrators namely
user who joined the device, the Device administrator role and Global administrator role from the device. To
avoid removing existing members, you need to configure them as part of the Members list in the Restricted
Groups policy.
This policy is only applicable to the following well-known groups on a Windows 10 device - Administrators,
Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.
Managing local administrators using Restricted Groups policy is not applicable to Hybrid Azure AD joined or
Azure AD Registered devices.
While the Restricted Groups policy existed prior to Windows 10 2004 update, it did not support Azure AD
groups as members of a device's local administrators group.
Manage regular users
By default, Azure AD adds the user performing the Azure AD join to the administrator group on the device. If you
want to prevent regular users from becoming local administrators, you have the following options:
Windows Autopilot - Windows Autopilot provides you with an option to prevent primary user performing the
join from becoming a local administrator. You can accomplish this by creating an Autopilot profile.
Bulk enrollment - An Azure AD join that is performed in the context of a bulk enrollment happens in the context
of an auto-created user. Users signing in after a device has been joined are not added to the administrators
group.
Considerations
You cannot assign groups to the device administrator role, only individual users are allowed.
Device administrators are assigned to all Azure AD Joined devices. They can't be scoped to a specific set of devices.
When you remove users from the device administrator role, they still have the local administrator privilege on a
device as long as they are signed in to it. The privilege is revoked during their next sign-in when a new primary
refresh token is issued. This revocation, similar to the privilege elevation, could take upto 4 hours.
Next steps
To get an overview of how to manage device in the Azure portal, see managing devices using the Azure portal
To learn more about device-based Conditional Access, see configure Azure Active Directory device-based
Conditional Access policies.
How To: Plan your hybrid Azure Active Directory
join implementation
9/7/2020 • 8 minutes to read • Edit Online
In a similar way to a user, a device is another core identity you want to protect and use it to protect your
resources at any time and from any location. You can accomplish this goal by bringing and managing device
identities in Azure AD using one of the following methods:
Azure AD join
Hybrid Azure AD join
Azure AD registration
By bringing your devices to Azure AD, you maximize your users' productivity through single sign-on (SSO)
across your cloud and on-premises resources. At the same time, you can secure access to your cloud and on-
premises resources with Conditional Access.
If you have an on-premises Active Directory (AD) environment and you want to join your AD domain-joined
computers to Azure AD, you can accomplish this by doing hybrid Azure AD join. This article provides you with
the related steps to implement a hybrid Azure AD join in your environment.
Prerequisites
This article assumes that you are familiar with the Introduction to device identity management in Azure Active
Directory.
NOTE
The minimum required domain controller version for Windows 10 hybrid Azure AD join is Windows Server 2008 R2.
NOTE
Even though Windows 10 automatically removes the Azure AD registered state locally, the device object in Azure AD is
not immediately deleted if it is managed by Intune. You can validate the removal of Azure AD registered state by running
dsregcmd /status and consider the device not to be Azure AD registered based on that.
Additional considerations
If your environment uses virtual desktop infrastructure (VDI), see Device identity and desktop
virtualization.
Hybrid Azure AD join is supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your
devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Hybrid Azure AD
join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the
TPM manufacturer. Please contact your hardware OEM for support.
Starting from Windows 10 1903 release, TPMs 1.2 are not used with hybrid Azure AD join and devices
with those TPMs will be considered as if they don't have a TPM.
NOTE
Cloud authentication using Staged rollout is only supported starting Windows 10 1903 update
Federated environment
A federated environment should have an identity provider that supports the following requirements. If you have
a federated environment using Active Directory Federation Services (AD FS), then the below requirements are
already supported.
WIAORMULTIAUTHN claim: This claim is required to do hybrid Azure AD join for Windows down-level
devices.
WS-Trust protocol: This protocol is required to authenticate Windows current hybrid Azure AD joined
devices with Azure AD. When you're using AD FS, you need to enable the following WS-Trust endpoints:
/adfs/services/trust/2005/windowstransport
/adfs/services/trust/13/windowstransport
/adfs/services/trust/2005/usernamemixed /adfs/services/trust/13/usernamemixed
/adfs/services/trust/2005/certificatemixed /adfs/services/trust/13/certificatemixed
WARNING
Both adfs/ser vices/trust/2005/windowstranspor t or adfs/ser vices/trust/13/windowstranspor t should be
enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web
Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see Disable WS-Trust Windows
endpoints on the proxy. You can see what endpoints are enabled through the AD FS management console under Ser vice
> Endpoints .
NOTE
Azure AD does not support smartcards or certificates in managed domains.
Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD
join. The wizard enables you to significantly simplify the configuration process. If installing the required version
of Azure AD Connect is not an option for you, see how to manually configure device registration.
Based on the scenario that matches your identity infrastructure, see:
Configure hybrid Azure Active Directory join for federated environment
Configure hybrid Azure Active Directory join for managed environment
NOTE
The information in this section applies only to an on-premises users UPN. It isn't applicable to an on-premises computer
domain suffix (example: computer1.contoso.local).
The table below provides details on support for these on-premises AD UPNs in Windows 10 Hybrid Azure AD
join
T Y P E O F O N - P REM ISES A D
UP N DO M A IN T Y P E W IN DO W S 10 VERSIO N DESC RIP T IO N
Next steps
Configure hybrid Azure Active Directory join for federated environment Configure hybrid Azure Active
Directory join for managed environment
Controlled validation of hybrid Azure AD join
9/7/2020 • 4 minutes to read • Edit Online
When all of the pre-requisites are in place, Windows devices will automatically register as devices in your Azure
AD tenant. The state of these device identities in Azure AD is referred as hybrid Azure AD join. More information
about the concepts covered in this article can be found in the articles Introduction to device management in Azure
Active Directory and Plan your hybrid Azure Active Directory join implementation.
Organizations may want to do a controlled validation of hybrid Azure AD join before enabling it across their entire
organization all at once. This article will explain how to accomplish a controlled validation of hybrid Azure AD join.
NOTE
If you failed to configure client-side SCP on your AD FS servers, the source for device identities would be considered as on-
premises. ADFS will then start deleting device objects from on-premises directory after the stipulated period defined in the
ADFS Device Registration's attribute "MaximumInactiveDays". ADFS Device Registration objects can be found using the Get-
AdfsDeviceRegistration cmdlet.
NOTE
If a SCP is not configured in AD, then you should follow the same approach as described to Configure client-side registry
setting for SCP) on your domain-joined computers using a Group Policy Object (GPO).
After you verify that everything works as expected, you can automatically register the rest of your Windows
current and down-level devices with Azure AD by configuring SCP using Azure AD Connect.
Next steps
Plan your hybrid Azure Active Directory join implementation
Manage device identities using the Azure portal
9/7/2020 • 7 minutes to read • Edit Online
Manage devices
There are two locations to manage devices in Azure AD:
Azure por tal > Azure Active Director y > Devices
Azure por tal > Azure Active Director y > Users > Select a user > Devices
Both options allow administrators the ability to:
Search for devices.
See device details including:
Device name
Device ID
OS and Version
Join type
Owner
Mobile device management and compliance
BitLocker recovery key
Perform device identity management tasks like, enable, disable, delete, or manage.
Printers and Windows Autopilot devices have limited management options in Azure AD. They must be
managed from their respective admin interfaces.
TIP
Hybrid Azure AD Joined Windows 10 devices do not have an owner. If you are looking for a device by owner and
didn't find it, search by the device ID.
If you see a device that is "Hybrid Azure AD joined" with a state "Pending" under the REGISTERED column, it
indicates that the device has been synchronized from Azure AD connect and is waiting to complete registration
from the client. Read more on how to plan your Hybrid Azure AD join implementation. Additional information can
be found in the article, Devices frequently asked questions.
For some iOS devices, the device names containing apostrophes can potentially use different characters that look
like apostrophes. So searching for such devices is a little tricky - if you are not seeing search results correctly,
ensure that the search string contains matching apostrophe character.
IMPORTANT
You must be a global administrator or cloud device administrator in Azure AD to enable or disable a device.
Disabling a device prevents a device from successfully authenticating with Azure AD, thereby preventing the device
from accessing your Azure AD resources that are protected by device-based Conditional Access or using Windows
Hello for Business credentials.
Disabling a device will revoke both the Primary Refresh Token (PRT) and any Refresh Tokens (RT) on the device.
Printers cannot be enabled or disabled in Azure AD.
If a device is managed by another management authority (for example, Microsoft Intune), make sure that the
device has been wiped / retired before deleting the device in Azure AD. Review how to manage stale devices
before deleting any devices.
View or copy device ID
You can use a device ID to verify the device ID details on the device or using PowerShell during troubleshooting.
To access the copy option, click the device.
Users may join devices to Azure AD - This setting enables you to select the users who can register their
devices as Azure AD joined devices. The default is All .
NOTE
Users may join devices to Azure AD setting is only applicable to Azure AD join on Windows 10.
Additional local administrators on Azure AD joined devices - You can select the users that are
granted local administrator rights on a device. These users are added to the Device Administrators role in
Azure AD. Global administrators in Azure AD and device owners are granted local administrator rights by
default. This option is a premium edition capability available through products such as Azure AD Premium or
the Enterprise Mobility Suite (EMS).
Users may register their devices with Azure AD - You need to configure this setting to allow Windows
10 personal, iOS, Android, and macOS devices to be registered with Azure AD. If you select None , devices are
not allowed to register with Azure AD. Enrollment with Microsoft Intune or Mobile Device Management
(MDM) for Office 365 requires registration. If you have configured either of these services, ALL is selected
and NONE is not available.
Require Multi-Factor Auth to join devices - You can choose whether users are required to provide an
additional authentication factor to join their device to Azure AD. The default is No . We recommend requiring
multi-factor authentication when registering a device. Before you enable multi-factor authentication for this
service, you must ensure that multi-factor authentication is configured for the users that register their
devices. For more information on different Azure multi-factor authentication services, see getting started
with Azure multi-factor authentication.
NOTE
Require Multi-Factor Auth to join devices setting applies to devices that are either Azure AD joined or Azure AD
registered. This setting does not apply to hybrid Azure AD joined devices.
Maximum number of devices - This setting enables you to select the maximum number of Azure AD
joined or Azure AD registered devices that a user can have in Azure AD. If a user reaches this quota, they are
not be able to add additional devices until one or more of the existing devices are removed. The default value
is 50 .
NOTE
Maximum number of devices setting applies to devices that are either Azure AD joined or Azure AD registered. This
setting does not apply to hybrid Azure AD joined devices.
Audit logs
Device activities are available through the activity logs. These logs include activities triggered by the device
registration service and by users:
Device creation and adding owners / users on the device
Changes to device settings
Device operations such as deleting or updating a device
Your entry point to the auditing data is Audit logs in the Activity section of the Devices page.
The audit log has a default list view that shows:
The date and time of the occurrence
The targets
The initiator / actor (who) of an activity
The activity (what)
You can customize the list view by clicking Columns in the toolbar.
To narrow down the reported data to a level that works for you, you can filter the audit data using the following
fields:
Category
Activity resource type
Activity
Date range
Target
Initiated By (Actor)
In addition to the filters, you can search for specific entries.
Next steps
How to manage stale devices in Azure AD
Enterprise State Roaming
How To: Manage stale devices in Azure AD
9/7/2020 • 8 minutes to read • Edit Online
Ideally, to complete the lifecycle, registered devices should be unregistered when they are not needed anymore.
However, due to, for example, lost, stolen, broken devices, or OS reinstallations you typically have stale devices in
your environment. As an IT admin, you probably want a method to remove stale devices, so that you can focus
your resources on managing devices that actually require management.
In this article, you learn how to efficiently manage stale devices in your environment.
NOTE
Deleting devices in your on-premises AD or Azure AD does not remove registration on the client. It will only prevent
access to resources using device as an identity (e.g. Conditional Access). Read additional information on how to remove
registration on the client.
Deleting a Windows 10 device only in Azure AD will re-synchronize the device from your on-premises using Azure AD
connect but as a new object in "Pending" state. A re-registration is required on the device.
Removing the device from sync scope for Windows 10/Server 2016 devices will delete the Azure AD device. Adding it
back to sync scope will place a new object in "Pending" state. A re-registration of the device is required.
If you not using Azure AD Connect for Windows 10 devices to synchronize (e.g. ONLY using AD FS for registration), you
must manage lifecycle similar to Windows 7/8 devices.
NOTE
Deleting an Azure AD device does not remove registration on the client. It will only prevent access to resources using
device as an identity (e.g Conditional Access).
Read more on how to unjoin on Azure AD
NOTE
Deleting an Azure AD registered device in Azure AD does not remove registration on the client. It will only prevent
access to resources using device as an identity (e.g. Conditional Access).
Read more on how to remove a registration on the client
If you have a large number of devices in your directory, use the timestamp filter to narrow down the number of
returned devices. To get all devices with a timestamp older than specific date and store the returned data in a CSV
file:
$dt = [datetime]’2017/01/01’
Get-AzureADDevice | Where {$_.ApproximateLastLogonTimeStamp -le $dt} | select-object -Property Enabled,
DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-olderthan-Jan-
1-2017-summary.csv
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility +
Security (EMS) license. For more information on how to get an Azure AD subscription, see the Azure AD product
page.
When you enable Enterprise State Roaming, your organization is automatically granted a free, limited-use license
for Azure Rights Management protection from Azure Information Protection. This free subscription is limited to
encrypting and decrypting enterprise settings and application data synced by Enterprise State Roaming. You must
have a paid subscription to use the full capabilities of the Azure Rights Management service.
NOTE
This article applies to the Microsoft Edge Legacy HTML-based browser launched with Windows 10 in July 2015. The article
does not apply to the new Microsoft Edge Chromium-based browser released on January 15, 2020. For more information
on the Sync behavior for the new Microsoft Edge, see the article Microsoft Edge Sync.
For a Windows 10 device to use the Enterprise State Roaming service, the device must authenticate using an Azure
AD identity. For devices that are joined to Azure AD, the user’s primary sign-in identity is their Azure AD identity, so
no additional configuration is required. For devices that use on-premises Active Directory, the IT admin must
Configure hybrid Azure Active Directory joined devices.
Data storage
Enterprise State Roaming data is hosted in one or more Azure regions that best align with the country/region
value set in the Azure Active Directory instance. Enterprise State Roaming data is partitioned based on three major
geographic regions: North America, EMEA, and APAC. Enterprise State Roaming data for the tenant is locally
located with the geographical region, and is not replicated across regions. For example:
An EMEA country/region such as France or Zambia One or more of the Azure regions within Europe
A North American country/region such as United States or One or more of the Azure regions within the US
Canada
An APAC country/region such as Australia or New Zealand One or more of the Azure regions within Asia
South American and Antarctica regions One or more Azure regions within the US
The country/region value is set as part of the Azure AD directory creation process and cannot be subsequently
modified. If you need more details on your data storage location, file a ticket with Azure support.
5. If there are devices syncing for this user, you see the devices as shown here.
Data retention
Data synced to the Microsoft cloud using Enterprise State Roaming is retained until it is manually deleted or until
the data in question is determined to be stale.
Explicit deletion
Explicit deletion is when an Azure admin deletes a user or a directory or otherwise requests explicitly that data is
to be deleted.
User deletion : When a user is deleted in Azure AD, the user account roaming data is deleted after 90 to 180
days.
Director y deletion : Deleting an entire directory in Azure AD is an immediate operation. All the settings data
associated with that directory is deleted after 90 to 180 days.
On request deletion : If the Azure AD admin wants to manually delete a specific user’s data or settings data,
the admin can file a ticket with Azure support.
Stale data deletion
Data that has not been accessed for one year (“the retention period”) will be treated as stale and may be deleted
from the Microsoft cloud. The retention period is subject to change but will not be less than 90 days. The stale data
may be a specific set of Windows/application settings or all settings for a user. For example:
If no devices access a particular settings collection (for example, an application is removed from the device, or a
settings group such as “Theme” is disabled for all of a user’s devices), then that collection becomes stale after
the retention period and may be deleted.
If a user has turned off settings sync on all their devices, then none of the settings data will be accessed, and all
the settings data for that user will become stale and may be deleted after the retention period.
If the Azure AD directory admin turns off Enterprise State Roaming for the entire directory, then all users in that
directory will stop syncing settings, and all settings data for all users will become stale and may be deleted after
the retention period.
Deleted data recovery
The data retention policy is not configurable. Once the data is permanently deleted, it is not recoverable. However,
The settings data is deleted only from the Microsoft cloud, not from the end-user device. If any device later
reconnects to the Enterprise State Roaming service, the settings are again synced and stored in the Microsoft
cloud.
Next steps
Enterprise State Roaming overview
Settings and data roaming FAQ
Group Policy and MDM settings for settings sync
Windows 10 roaming settings reference
Troubleshooting
Sign in to Windows virtual machine in Azure using
Azure Active Directory authentication (Preview)
9/7/2020 • 16 minutes to read • Edit Online
Organizations can now utilize Azure Active Directory (AD) authentication for their Azure virtual machines (VMs)
running Windows Ser ver 2019 Datacenter edition or Windows 10 1809 and later. Using Azure AD to
authenticate to VMs provides you with a way to centrally control and enforce policies. Tools like Azure role-based
access control (Azure RBAC) and Azure AD Conditional Access allow you to control who can access a VM. This
article shows you how to create and configure a Windows Server 2019 VM to use Azure AD authentication.
NOTE
Azure AD sign in for Azure Windows VMs is a public preview feature of Azure Active Directory. For more information about
previews, see Supplemental Terms of Use for Microsoft Azure Previews.
There are many benefits of using Azure AD authentication to log in to Windows VMs in Azure, including:
Utilize the same federated or managed Azure AD credentials you normally use.
No longer have to manage local administrator accounts.
Azure RBAC allows you to grant the appropriate access to VMs based on need and remove it when it is no
longer needed.
Before allowing access to a VM, Azure AD Conditional Access can enforce additional requirements such as:
Multi-factor authentication
Sign-in risk check
Automate and scale Azure AD join of Azure Windows VMs that are part for your VDI deployments.
NOTE
Once you enable this capability, your Windows VMs in Azure will be Azure AD joined. You cannot join it to other domain like
on-premises AD or Azure AD DS. If you need to do so, you will need to disconnect the VM from your Azure AD tenant by
uninstalling the extension.
Requirements
Supported Azure regions and Windows distributions
The following Windows distributions are currently supported during the preview of this feature:
Windows Server 2019 Datacenter
Windows 10 1809 and later
IMPORTANT
Remote connection to VMs joined to Azure AD is only allowed from Windows 10 PCs that are Azure AD joined or hybrid
Azure AD joined to the same directory as the VM.
The following Azure regions are currently supported during the preview of this feature:
All Azure global regions
IMPORTANT
To use this preview feature, only deploy a supported Windows distribution and in a supported Azure region. The feature is
currently not supported in Azure Government or sovereign clouds.
Network requirements
To enable Azure AD authentication for your Windows VMs in Azure, you need to ensure your VMs network
configuration permits outbound access to the following endpoints over TCP port 443:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://pas.windows.net
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image Win2019Datacenter \
--assign-identity \
--admin-username azureuser \
--admin-password yourpassword
NOTE
It is required that you enable System assigned managed identity on your virtual machine before you install the Azure AD
login VM extension.
NOTE
You can install AADLoginForWindows extension on an existing Windows Server 2019 or Windows 10 1809 and later VM to
enable it for Azure AD authentication. An example of AZ CLI is shown below.
az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADLoginForWindows \
--resource-group myResourceGroup \
--vm-name myVM
The provisioningState of Succeeded is shown, once the extension is installed on the VM.
NOTE
To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual
Machine User Login role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have
privileges to log in to the VM over RDP. This is to provide audited separation between the set of people who control virtual
machines versus the set of people who can access virtual machines.
There are multiple ways you can configure role assignments for VM:
Using the Azure AD Portal experience
Using the Azure Cloud Shell experience
Using Azure AD Portal experience
To configure role assignments for your Azure AD enabled Windows Server 2019 Datacenter VMs:
1. Navigate to the specific virtual machine overview page
2. Select Access control (IAM) from the menu options
3. Select Add , Add role assignment to open the Add role assignment pane.
4. In the Role drop-down list, select a role such as Vir tual Machine Administrator Login or Vir tual Machine
User Login .
5. In the Select field, select a user, group, service principal, or managed identity. If you don't see the security
principal in the list, you can type in the Select box to search the directory for display names, email addresses,
and object identifiers.
6. Select Save , to assign the role.
After a few moments, the security principal is assigned the role at the selected scope.
NOTE
If your AAD domain and logon username domain do not match, you must specify the object ID of your user account with
the --assignee-object-id , not just the username for --assignee . You can obtain the object ID for your user account
with az ad user list.
For more information on how to use Azure RBAC to manage access to your Azure subscription resources, see the
following articles:
Add or remove Azure role assignments using Azure CLI
Add or remove Azure role assignments using the Azure portal
Add or remove Azure role assignments using Azure PowerShell.
NOTE
If you use "Require multi-factor authentication" as a grant access control for requesting access to the "Azure Windows VM
Sign-In" app, then you must supply multi-factor authentication claim as part of the client that initiates the RDP session to
the target Windows VM in Azure. The only way to achieve this on a Windows 10 client is to use Windows Hello for Business
PIN or biometric authentication with the RDP client. Support for biometric authentication was added to the RDP client in
Windows 10 version 1809. Remote desktop using Windows Hello for Business authentication is only available for
deployments that use cert trust model and currently not available for key trust model.
WARNING
Per-user Enabled/Enforced Azure Multi-Factor Authentication is not supported for VM sign-in.
NOTE
You can save the .RDP file locally on your computer to launch future remote desktop connections to your virtual machine
instead of having to navigate to virtual machine overview page in the Azure portal and using the connect option.
Troubleshoot
Troubleshoot deployment issues
The AADLoginForWindows extension must install successfully in order for the VM to complete the Azure AD join
process. Perform the following steps if the VM extension fails to install correctly.
1. RDP to the VM using the local administrator account and examine the CommandExecuti'n.log under
C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\0.3.1.0.
NOTE
If the extension restarts after the initial failure, the log with the deployment error will be saved as
CommandExecution_YYYYMMDDHHMMSSSSS.log. "
2. Open a command prompt on the VM and verify these queries against the Instance Metadata Service (IMDS)
Endpoint running on the Azure host returns:
C O M M A N D TO RUN EXP EC T ED O UT P UT
curl -H @{"Metadata"="true"} Valid access token issued by Azure Active Directory for the
"http://169.254.169.254/metadata/identity/oauth2/token?managed identity that is assigned to this VM
resource=urn:ms-
drs:enterpriseregistration.windows.net&api-
version=2018-02-01"
NOTE
The access token can be decoded using a tool like http://calebb.net/. Verify the "appid" in the access token matches
the managed identity assigned to the VM.
3. Ensure the required endpoints are accessible from the VM using the command line:
curl https://login.microsoftonline.com/ -D –
curl https://login.microsoftonline.com/ <TenantID> / -D –
NOTE
Replace <TenantID> with the Azure AD Tenant ID that is associated with the Azure subscription.
curl https://enterpriseregistration.windows.net/ -D -
curl https://device.login.microsoftonline.com/ -D -
curl https://pas.windows.net/ -D -
4. The Device State can be viewed by running dsregcmd /status . The goal is for Device State to show as
AzureAdJoined : YES .
NOTE
Azure AD join activity is captured in Event viewer under the User Device Registration\Admin log.
If AADLoginForWindows extension fails with certain error code, you can perform the following steps:
Issue 1: AADLoginForWindows extension fails to install with terminal error code '1007' and Exit code: -2145648574.
This exit code translates to DSREG_E_MSI_TENANTID_UNAVAILABLE because the extension is unable to query the
Azure AD Tenant information.
1. Verify the Azure VM can retrieve the TenantID from the Instance Metadata Service.
RDP to the VM as a local administrator and verify the endpoint returns valid Tenant ID by running
this command from an elevated command line on the VM:
curl -H Metadata:true http://169.254.169.254/metadata/identity/info?api-version=2018-02-01
2. The VM admin attempts to install the AADLoginForWindows extension, but a system assigned managed
identity has not enabled the VM first. Navigate to the Identity blade of the VM. From the System assigned
tab, verify Status is toggled to On.
Issue 2: AADLoginForWindows extension fails to install with Exit code: -2145648607
This Exit code translates to DSREG_AUTOJOIN_DISC_FAILED because the extension is not able to reach the
https://enterpriseregistration.windows.net endpoint.
1. Verify the required endpoints are accessible from the VM using the command line:
curl https://login.microsoftonline.com/ -D –
curl https://login.microsoftonline.com/ <TenantID> / -D –
NOTE
Replace <TenantID> with the Azure AD Tenant ID that is associated with the Azure subscription. If you need to find
the tenant ID, you can hover over your account name to get the directory / tenant ID, or select Azure Active
Directory > Properties > Directory ID in the Azure portal.
curl https://enterpriseregistration.windows.net/ -D -
curl https://device.login.microsoftonline.com/ -D -
curl https://pas.windows.net/ -D -
2. If any of the commands fails with "Could not resolve host <URL> ", try running this command to determine
the DNS server that is being used by the VM.
nslookup <URL>
NOTE
Replace <URL> with the fully qualified domain names used by the endpoints, such as "login.microsoftonline.com".
3. Next, see if specifying a public DNS server allows the command to succeed:
nslookup <URL> 208.67.222.222
4. If necessary, change the DNS server that is assigned to the network security group that the Azure VM
belongs to.
Issue 3: AADLoginForWindows extension fails to install with Exit code: 51
Exit code 51 translates to "This extension is not supported on the VM's operating system".
At Public Preview, the AADLoginForWindows extension is only intended to be installed on Windows Server 2019
or Windows 10 (Build 1809 or later). Ensure the version of Windows is supported. If the build of Windows is not
supported, uninstall the VM Extension.
Troubleshoot sign-in issues
Some common errors when you try to RDP with Azure AD credentials include no Azure roles assigned,
unauthorized client, or 2FA sign-in method required. Use the following information to correct these issues.
The Device and SSO State can be viewed by running dsregcmd /status . The goal is for Device State to show as
AzureAdJoined : YES and SSO State to show AzureAdPrt : YES .
Also, RDP Sign-in using Azure AD accounts is captured in Event viewer under the AAD\Operational event logs.
Azure role not assigned
If you see the following error message when you initiate a remote desktop connection to your VM:
Your account is configured to prevent you from using this device. For more info, contact your system
administrator
Verify that you have configured Azure RBAC policies for the VM that grants the user either the Virtual Machine
Administrator Login or Virtual Machine User Login role:
Unauthorized client
If you see the following error message when you initiate a remote desktop connection to your VM:
Your credentials did not work
Verify that the Windows 10 PC you are using to initiate the remote desktop connection is one that is either Azure
AD joined, or hybrid Azure AD joined to the same Azure AD directory where your VM is joined to. For more
information about device identity, see the article What is a device identity.
NOTE
Windows 10 Build 20H1 added support for an Azure AD registered PC to initiate RDP connection to your VM. When using
an Azure AD registered (not Azure AD joined or hybrid Azure AD joined) PC as the RDP client to initiate connections to your
VM, you must enter credentials in the format AzureAD\UPn (e.g. AzureAD\[email protected]).
Also, verify the AADLoginForWindows extension has not been uninstalled after Azure AD join has completed.
MFA sign-in method required
If you see the following error message when you initiate a remote desktop connection to your VM:
The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system
administrator.
If you have configured a Conditional Access policy that requires multi-factor authentication (MFA) before you can
access the resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to
your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong
authentication method for your remote desktop connection, you will see the previous error.
If you have not deployed Windows Hello for Business and if that is not an option for now, you can exclude MFA
requirement by configuring Conditional Access policy that excludes "Azure Windows VM Sign-In" app from the list
of cloud apps that require MFA. To learn more about Windows Hello for Business, see Windows Hello for Business
Overview.
NOTE
Windows Hello for Business PIN authentication with RDP has been supported by Windows 10 for several versions, however
support for Biometric authentication with RDP was added in Windows 10 version 1809. Using Windows Hello for Business
auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
Preview feedback
Share your feedback about this preview feature or report issues using it on the Azure AD feedback forum.
Next steps
For more information on Azure Active Directory, see What is Azure Active Directory
Device identity and desktop virtualization
9/7/2020 • 4 minutes to read • Edit Online
Administrators commonly deploy virtual desktop infrastructure (VDI) platforms hosting Windows operating
systems in their organizations. Administrators deploy VDI to:
Streamline management.
Reduce costs through consolidation and centralization of resources.
Deliver end-users mobility and the freedom to access virtual desktops anytime, from anywhere, on any device.
There are two primary types of virtual desktops:
Persistent
Non-persistent
Persistent versions use a unique desktop image for each user or a pool of users. These unique desktops can be
customized and saved for future use.
Non-persistent versions use a collection of desktops that users can access on an as needed basis. These non-
persistent desktops are reverted to their original state, in case of Windows current1 this happens when a virtual
machine goes through a shutdown/restart/OS reset process and in case of Windows down-level2 this happens
when a user signs out.
There has been a rise in non-persistent VDI deployments as remote work continues to be the new norm. As
customers deploy non-persistent VDI, it is important to ensure that you manage device churn that could be caused
due to frequent device registration without having a proper strategy for device lifecycle management.
IMPORTANT
Failure to manage device churn, can lead to pressure increase on your tenant quota usage consumption and potential risk of
service interruption, if you run out of tenant quota. You should follow the guidance documented below when deploying non
persistent VDI environments to avoid this situation.
This article will cover Microsoft's guidance to administrators on support for device identity and VDI. For more
information about device identity, see the article What is a device identity.
Supported scenarios
Before configuring device identities in Azure AD for your VDI environment, familiarize yourself with the supported
scenarios. The table below illustrates which provisioning scenarios are supported. Provisioning in this context
implies that an administrator can configure device identities at scale without requiring any end-user interaction.
Non-Persistent No
Non-Persistent No
1 Windows current devices represent Windows 10, Windows Server 2016, and Windows Server 2019.
2 Windows down-level devices represent Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server
2012, and Windows Server 2012 R2. For support information on Windows 7, see Support for Windows 7 is
ending. For support information on Windows Server 2008 R2, see Prepare for Windows Server 2008 end of
support.
3 A Federated identity infrastructure environment represents an environment with an identity provider such as
AD FS or other third-party IDP.
4 A Managed identity infrastructure environment represents an environment with Azure AD as the identity
provider deployed with either password hash sync (PHS) or pass-through authentication (PTA) with seamless
single sign-on.
5 Non-Persistence suppor t for Windows current requires additional consideration as documented below in
guidance section. This scenario requires Windows 10 1803, Windows Server 2019 or Windows Server (Semi-
annual channel) starting version 1803
6 Non-Persistence suppor t for Windows down-level requires additional consideration as documented below
in guidance section.
Microsoft’s guidance
Administrators should reference the following articles, based on their identity infrastructure, to learn how to
configure hybrid Azure AD join.
Configure hybrid Azure Active Directory join for federated environment
Configure hybrid Azure Active Directory join for managed environment
When deploying non-persistent VDI, Microsoft recommends that IT administrators implement the guidance below.
Failure to do so will result in your directory having lots of stale Hybrid Azure AD joined devices that were
registered from your non-persistent VDI platform resulting in increased pressure on your tenant quota and risk of
service interruption due to running out of tenant quota.
If you are relying on the System Preparation Tool (sysprep.exe) and if you are using a pre-Windows 10 1809
image for installation, make sure that image is not from a device that is already registered with Azure AD as
hybrid Azure AD joined.
If you are relying on a Virtual Machine (VM) snapshot to create additional VMs, make sure that snapshot is not
from a VM that is already registered with Azure AD as Hybrid Azure AD join.
Create and use a prefix for the display name (e.g. NPVDI-) of the computer that indicates the desktop as non-
persistent VDI-based.
For Windows down-level:
Implement autoworkplacejoin /leave command as part of logoff script. This command should be
triggered in the context of the user and should be execute before the user has logged off completely and
while there is still network connectivity.
For Windows current in a Federated environment (e.g. AD FS):
Implement dsregcmd /join as part of VM boot sequence.
DO NOT execute dsregcmd /leave as part of VM shutdown/restart process.
Define and implement process for managing stale devices.
Once you have a strategy to identify your non-persistent Hybrid Azure AD joined devices (e.g. using
computer display name prefix), you should be more aggressive on the clean-up of these devices to
ensure your directory does not get consumed with lots of stale devices.
For non-persistent VDI deployments on Windows current and down-level, you should delete devices that
have ApproximateLastLogonTimestamp of older than 15 days.
Next steps
Configuring hybrid Azure Active Directory join for federated environment
Deploy a secure, Azure-managed workstation
9/7/2020 • 18 minutes to read • Edit Online
Now that you understand secure workstations, it's time to begin the process of deployment. With this guidance,
you use defined profiles to create a workstation that's more secure from the start.
Select a profile before deploying the solution. You can use multiple profiles simultaneously in a deployment and
assign them with tags or groups.
NOTE
Apply any of the profiles as needed by your requirements. You can move to another profile by assigning it in Microsoft
Intune.
SP EC IA L IZ E
P RO F IL E LO W EN H A N C ED H IGH D SEC URED ISO L AT ED
Device - Yes
Azure AD
registered
Internet Yes
blocked
(inbound/o
utbound)
NOTE
In the secure workstation guidance devices will be assigned with profiles and policies. Users will not have the policies applied
to them directly, allowing device sharing (shared devices) to be in effect. If a secure workstation is not shared in your
deployment, or individual user policies are needed, assignment of the user policy profiles can be assigned to the user and
device.
License requirements
The concepts covered in this guide assume you have Microsoft 365 Enterprise E5 or an equivalent SKU. Some of
the recommendations in this guide can be implemented with lower SKUs. For more information, see Microsoft 365
Enterprise licensing.
To automate license provisioning, consider group-based licensing for your users.
4. You can add any other users that will be managing secure workstations.
5. Select Create .
6. For the workstation devices group, enter:
Group type - Security
Group name - Secure Workstations
Membership type - Assigned
7. Select Create .
Azure AD device configuration
Specify who can join devices to Azure AD
Configure your devices setting in Active Directory to allow your administrative security group to join devices to
your domain. To configure this setting from the Azure portal:
1. Go to Azure Active Director y > Devices > Device settings .
2. Choose Selected under Users may join devices to Azure AD , and then select the "Secure Workstation
Users" group.
Removal of local admin rights
This method requires that users of the VIP, DevOps, and secure-level workstations have no administrator rights on
their machines. To configure this setting from the Azure portal:
1. Go to Azure Active Director y > Devices > Device settings .
2. Select None under Additional local administrators on Azure AD joined devices .
Require multi-factor authentication to join devices
To further strengthen the process of joining devices to Azure AD:
1. Go to Azure Active Director y > Devices > Device settings .
2. Select Yes under Require Multi-Factor Auth to join devices .
3. Select Save .
Configure mobile device management
From the Azure portal:
1. Browse to Azure Active Director y > Mobility (MDM and MAM) > Microsoft Intune .
2. Change the MDM user scope setting to All .
3. Select Save .
These steps allow you to manage any device with Intune. For more information, see Intune Quickstart: Set up
automatic enrollment for Windows 10 devices. You create Intune configuration and compliance policies in a future
step.
Azure AD Conditional Access
Azure AD Conditional Access can help restrict privileged administrative tasks to compliant devices. Predefined
members of the Secure Workstation Users group are required to perform multi-factor authentication when
signing in to cloud applications. A best practice is to exclude emergency access accounts from the policy. For more
information, see Manage emergency access accounts in Azure AD.
Intune configuration
Configure enrollment status
It's important to ensure that your secure workstation is a trusted clean device. When purchasing new devices, you
can insist that they're factory set to Windows 10 Pro in S mode, which limits exposure to vulnerabilities during
supply chain management. After you receive a device from your supplier, you can use Autopilot to change it from S
mode. The following guidance provides details on applying the transformation process.
To ensure that devices are fully configured before use, Intune provides a means to Block device use until all
apps and profiles are installed .
From the Azure por tal :
1. Go to Microsoft Intune > Device enrollment > Windows enrollment > Enrollment Status Page >
Default > Settings .
2. Set Show app profile installation progress to Yes .
3. Set Block device use until all apps and profiles are installed to Yes .
Create an Autopilot deployment profile
After creating a device group, you must create a deployment profile to configure the Autopilot devices.
In Intune in the Azure portal:
1. Select Device enrollment > Windows enrollment > Deployment Profiles > Create Profile .
2. Enter:
Name - Secure workstation deployment profile .
Description - Deployment of secure workstations .
Set Conver t all targeted devices to Autopilot to Yes . This setting makes sure that all devices in the
list get registered with the Autopilot deployment service. Allow 48 hours for the registration to be
processed.
3. Select Next .
For Deployment mode , choose Self-Deploying (Preview) . Devices with this profile are associated
with the user who enrolls the device. User credentials are required to enroll the device. It's essential to
note that deploying a device in the Self-Deploying mode will allow you to deploy laptops in a shared
model. No user assignment will happen until the device is assigned to a user for the first time. As a
result, any user policies such as BitLocker will not be enabled until a user assignment is completed. For
more information about how to log on to a secured device, see selected profiles.
The Join to Azure AD as box should show Azure AD joined and be grayed out.
Select your Language (Region), User account type standard .
4. Select Next .
Select a scope tag if you have preconfigured one.
5. Select Next .
6. Choose Assignments > Assign to > Selected Groups . In Select groups to include , choose Secure
Workstations .
7. Select Next .
8. Select Create to create the profile. The Autopilot deployment profile is now available to assign to devices.
Device enrollment in Autopilot provides a different user experience based on device type and role. In our
deployment example, we illustrate a model where the secured devices are bulk deployed and can be shared, but
when used for the first time, the device is assigned to a user. For more information, see Intune Autopilot device
enrollment.
Configure Windows Update
Keeping Windows 10 up to date is one of the most important things you can do. To maintain Windows in a secure
state, you deploy an update ring to manage the pace that updates are applied to workstations.
This guidance recommends that you create a new update ring and change the following default settings:
In the Azure portal:
1. Go to Microsoft Intune > Software updates > Windows 10 Update Rings .
2. Enter:
Name - Azure-managed workstation updates
Servicing channel - Windows Insider - Fast
Quality update deferral (days) - 3
Feature update deferral period (days) - 3
Automatic update behavior - Auto install and reboot without end-user control
Block user from pausing Windows updates - Block
Require user's approval to restart outside of work hours - Required
Allow user to restart (engaged restart) - Required
Transition users to engaged restart after an auto-restart (days) - 3
Snooze engaged restart reminder (days) - 3
Set deadline for pending restarts (days) - 3
3. Select Create .
4. On the Assignments tab, add the Secure Workstations group.
For more information about Windows Update policies, see Policy CSP - Update.
Windows Defender ATP Intune integration
Windows Defender ATP and Microsoft Intune work together to help prevent security breaches. They can also limit
the impact of breaches. ATP capabilities provide real-time threat detection as well as enable extensive auditing and
logging of the end-point devices.
To configure integration of Windows Defender ATP and Intune, go to the Azure portal.
1. Browse to Microsoft Intune > Device compliance > Windows Defender ATP .
2. In step 1 under Configuring Windows Defender ATP , select Connect Windows Defender ATP to
Microsoft Intune in the Windows Defender Security Center .
3. In the Windows Defender Security Center:
a. Select Settings > Advanced features .
b. For Microsoft Intune connection , choose On .
c. Select Save preferences .
4. After a connection is established, return to Intune and select Refresh at the top.
5. Set Connect Windows devices version 10.0.15063 and above to Windows Defender ATP to On .
6. Select Save .
For more information, see Windows Defender Advanced Threat Protection.
Finish workstation profile hardening
To successfully complete the hardening of the solution, download and execute the appropriate script. Find the
download links for your desired profile level :
P RO F IL E DO W N LO A D LO C AT IO N F IL EN A M E
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:80"
"ProxyOverride"="*.azure.com;*.azure.net;*.microsoft.com;*.windowsupdate.com;*.microsoftonline.com;*.microsoft
online.cn;*.windows.net;*.windowsazure.com;*.windowsazure.cn;*.azure.cn;*.loganalytics.io;*.applicationinsight
s.io;*.vsassets.io;*.azure-
automation.net;*.visualstudio.com,portal.office.com;*.aspnetcdn.com;*.sharepointonline.com;*.msecnd.net;*.msoc
dn.com;*.webtrends.com"
"AutoDetect"=dword:00000000
If you are looking to provide more granularity to your blocking rules, you can refer to the Spamhaus Project who
maintains the Domain Block List (DBL): a good resource to use as an advanced set of rules to implement for
blocking sites.
Manage local applications
The secure workstation moves to a truly hardened state when local applications are removed, including
productivity applications. Here, you add Chrome as the default browser and use Intune to limit a user's ability to
modify the browser and its plug-ins.
Deploy applications using Intune
In some situations, applications like the Google Chrome browser are required on the secured workstation. The
following example provides instructions to install Chrome to devices in the security group Secure Workstations .
1. Download the offline installer Chrome bundle for Windows 64 bit.
2. Extract the files and make note of the location of the GoogleChromeStandaloneEnterprise64.msi file.
3. In the Azure por tal browse to Microsoft Intune > Client apps > Apps > Add .
4. Under App type , choose Line-of-business .
5. Under App package file , select the GoogleChromeStandaloneEnterprise64.msi file from the extracted location
and select OK .
6. Under App information , provide a description and a publisher. Select OK .
7. Select Add .
8. On the Assignments tab, select Available for enrolled devices under Assignment type .
9. Under Included Groups , add the Secure Workstations group.
10. Select OK , and then select Save .
For more information on configuring Chrome settings, see Manage Chrome Browser with Microsoft Intune.
Configuring the company portal for custom apps
In a secured mode, application installation is restricted to the Intune company portal. However, installing the portal
requires access to Microsoft Store. In your secured solution, you can make the company portal available to all
devices through an offline mode.
An Intune-managed copy of the Company Portal gives you on-demand access to additional tools that you can
push down to users of the secured workstations.
You might need to install Windows 32-bit apps or other apps whose deployment require special preparations. In
such cases, the Microsoft win32 content prep tool can provide a ready-to-use .intunewin format file for
installation.
Conditional Access only allowing secured workstation ability to access Azure portal
Azure AD offers the ability to manage and restrict, who and what can access your Azure cloud management portal.
Enabling Conditional Access will assure that only your secure workstation can manage or change resources. It's
essential that while deploying this feature you consider, if emergency access functionality can or should be used
only for extreme cases and the account managed through policy.
NOTE
You will need to create a user group, and include your emergency user that can bypass the Conditional Access policy. For our
example we have a security group called Emergency BreakGlass
1. Browse to the Azure por tal > Microsoft Intune > Conditional Access - Policies > New Policy .
2. Provide a Name for the policy.
3. Select User and Groups > Select users and groups
4. Select Include > Director y roles > Choose the roles > Global Administrator, Privileged Role Administrator,
Privileged Authentication Administrator, Security Administrator, Compliance Administrator, Conditional Access
Administrator, Application Administrator, Cloud Application Administrator, Intune Service Administrator
5. Select Exclude > Choose Users and groups > Select Select excluded users > Select your Emergency
BreakGlass group.
6. Select Cloud apps or actions > Select All cloud apps
7. Select Conditions > Select Device Platforms > Choose configure Yes > Select Select Device platforms
Choose Windows
8. Select Access controls > Select Grant Access Yes > Choose Require device to be marked as compliant .
9. Select Enable Policy > On
This policy set will ensure that your Administrators must use a compliant Windows device, which is set by Intune,
and WDATP.
Organizations should also consider blocking legacy authentication protocols in their environments. There are
multiple ways to accomplish this task, for more information about blocking legacy authentication protocols see the
article, How to: Block legacy authentication to Azure AD with Conditional Access.
Use PowerShell to create custom settings
You can also use PowerShell to extend host management capabilities. This example script sets up a default
background on the host. It's a capability that's also available through the Azure portal and profiles. The example
script serves only to illustrate the PowerShell functionality.
You might need to set up some custom controls and settings on your secure workstations. This example changes
the background of the workstation by using Powershell's ability to easily identify the device as a ready-to-use,
secure workstation.
The SetDesktopBackground.ps1 script from the Microsoft Scripting Center allows Windows to load this free,
generic background image on startup.
1. Download the script to a local device.
2. Update the customerXXXX and the download location of the background image. In our example, we replace
customerXXXX to backgrounds.
3. Browse to the Azure por tal > Microsoft Intune > Device configuration > PowerShell scripts > Add .
4. Provide a Name for the script and specify the Script location .
5. Select Configure .
a. Set Run this script using the logged on credentials to Yes .
b. Select OK .
6. Select Create .
7. Select Assignments > Select groups .
a. Add the security group Secure Workstations .
b. Select Save .
NOTE
The script requires elevated rights. It runs as remote signed. The
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned command allows the script to run correctly.
You can gather this information by signing in to a Windows 10 version 1809 or higher device. Your
hardware reseller can also provide this information.
2. In the Azure por tal , go to Microsoft Intune > Device enrollment > Windows enrollment > Devices -
Manage Windows Autopilot devices .
3. Select Impor t and choose your CSV file.
4. Add the device to the Secure Workstations security group.
5. On the Windows 10 device you wish to configure, go to Windows Settings > Update & Security >
Recover y .
a. Choose Get star ted under Reset this PC .
b. Follow the prompts to reset and reconfigure the device with the profile and compliance policies
configured.
After you have configured the device, complete a review and check the configuration. Confirm that the first device
is configured correctly before continuing your deployment.
Assign devices
To assign devices and users, you need to map the selected profiles to your security group. All new users who
require permissions to the service must be added to the security group as well.
NOTE
The Specialized workstation profile contains the AppLocker monitoring policies. Deployment of the policies is required for
monitoring of application activity on a client
Monitoring
Learn how to Detect threats with Azure Sentinel
Investigate incidents with Azure Sentinel
Set up automated threat responses in Azure Sentinel
Understand how to review your Exposure Score
Review Security recommendation
Manage security Remediations
Manage endpoint detection and response
Monitor profiles with Intune profile monitoring.
Next steps
Learn more about Microsoft Intune.
Understand Azure AD.
Work with Microsoft Defender Advanced Threat Protection
Discover Azure Sentinel
Troubleshooting hybrid Azure Active Directory
joined devices
9/7/2020 • 12 minutes to read • Edit Online
The content of this article is applicable to devices running Windows 10 or Windows Server 2016.
For other Windows clients, see the article Troubleshooting hybrid Azure Active Directory joined down-level
devices.
This article assumes that you have configured hybrid Azure Active Directory joined devices to support the
following scenarios:
Device-based Conditional Access
Enterprise roaming of settings
Windows Hello for Business
This document provides troubleshooting guidance to resolve potential issues.
For Windows 10 and Windows Server 2016, hybrid Azure Active Directory join supports the Windows 10
November 2015 Update and above.
AzureAdJoined: YES
EnterpriseJoined: NO
DeviceId: 5820fbe9-60c8-43b0-bb11-44aee233e4e7
Thumbprint: B753A6679CE720451921302CA873794D94C6204A
KeyContainerId: bae6a60b-1d2f-4d2a-a298-33385f6d05e9
KeyProvider: Microsoft Platform Crypto Provider
TpmProtected: YES
KeySignTest: : MUST Run elevated to test.
Idp: login.windows.net
TenantId: 72b988bf-xxxx-xxxx-xxxx-2d7cd011xxxx
TenantName: Contoso
AuthCodeUrl: https://login.microsoftonline.com/msitsupp.microsoft.com/oauth2/authorize
AccessTokenUrl: https://login.microsoftonline.com/msitsupp.microsoft.com/oauth2/token
MdmUrl: https://enrollment.manage-beta.microsoft.com/EnrollmentServer/Discovery.svc
MdmTouUrl: https://portal.manage-beta.microsoft.com/TermsOfUse.aspx
dmComplianceUrl: https://portal.manage-beta.microsoft.com/?portalAction=Compliance
SettingsUrl:
eyJVcmlzIjpbImh0dHBzOi8va2FpbGFuaS5vbmUubWljcm9zb2Z0LmNvbS8iLCJodHRwczovL2thaWxhbmkxLm9uZS5taWNyb3NvZnQuY29tL
yJdfQ==
JoinSrvVersion: 1.0
JoinSrvUrl: https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId: urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion: 1.0
KeySrvUrl: https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId: urn:ms-drs:enterpriseregistration.windows.net
DomainJoined: YES
DomainName: CONTOSO
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet: YES
NgcKeyId: {C7A9AEDC-780E-4FDA-B200-1AE15561A46B}
WorkplaceJoined: NO
WamDefaultSet: YES
WamDefaultAuthority: organizations
WamDefaultId: https://login.microsoft.com
WamDefaultGUID: {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)
AzureAdPrt: YES
+----------------------------------------------------------------------+
Previous Registration : 2019-01-31 09:16:43.000 UTC
Registration Type : sync
Error Phase : join
Client ErrorCode : 0x801c03f2
Server ErrorCode : DirectoryError
Server Message : The device object by the given id (e92325d0-xxxx-xxxx-xxxx-94ae875d5245) is not
found.
Https Status : 400
Request Id : 6bff0bd9-820b-484b-ab20-2a4f7b76c58e
+----------------------------------------------------------------------+
Look for 'DRS Discovery Test' in the 'Diagnostic Data' section of the join status output. This section is displayed
only if the device is domain joined and is unable to hybrid Azure AD join.
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
+----------------------------------------------------------------------+
O l d e r W i n d o w s 1 0 v e r si o n s
Use Event Viewer logs to locate the phase and errorcode for the join failures.
1. Open the User Device Registration event logs in event viewer. Located under Applications and Ser vices
Log > Microsoft > Windows > User Device Registration
2. Look for events with the following eventIDs 201
N e t w o rk e rro rs
WININET_E_CANNOT_CONNECT (0x80072efd/-2147012867)
Reason: Connection with the server could not be established
Resolution: Ensure network connectivity to the required Microsoft resources. For more information, see
Network connectivity requirements.
WININET_E_TIMEOUT (0x80072ee2/-2147012894)
Reason: General network timeout.
Resolution: Ensure network connectivity to the required Microsoft resources. For more information, see
Network connectivity requirements.
WININET_E_DECODING_FAILED (0x80072f8f/-2147012721)
Reason: Network stack was unable to decode the response from the server.
Resolution: Ensure that network proxy is not interfering and modifying the server response.
HTTP e rro rs
DSREG_DISCOVERY_TENANT_NOT_FOUND (0x801c003a/-2145648582)
Reason: SCP object configured with wrong tenant ID. Or no active subscriptions were found in the
tenant.
Resolution: Ensure SCP object is configured with the correct Azure AD tenant ID and active
subscriptions or present in the tenant.
DSREG_SERVER_BUSY (0x801c0025/-2145648603)
Reason: HTTP 503 from DRS server.
Resolution: Server is currently unavailable. future join attempts will likely succeed once server is back
online.
O t h e r e rro rs
E_INVALIDDATA (0x8007000d/-2147024883)
Reason: Server response JSON couldn't be parsed. Likely due to proxy returning HTTP 200 with an
HTML auth page.
Resolution: If the on-premises environment requires an outbound proxy, the IT admin must ensure that
the SYSTEM context on the device is able to discover and silently authenticate to the outbound proxy.
Authentication phase
Applicable only for federated domain accounts.
Reasons for failure:
Unable to get an Access token silently for DRS resource.
Windows 10 devices acquire auth token from the federation service using Integrated Windows
Authentication to an active WS-Trust endpoint. Details: Federation Service Configuration
Common error codes:
Use Event Viewer logs to locate the error code, suberror code, server error code, and server error message.
1. Open the User Device Registration event logs in event viewer. Located under Applications and Ser vices
Log > Microsoft > Windows > User Device Registration
2. Look for events with the following eventID 305
C o n fi g u r a t i o n e r r o r s
ERROR_ADAL_PROTOCOL_NOT_SUPPORTED (0xcaa90017/-894894057)
Reason: Authentication protocol is not WS-Trust.
Resolution: The on-premises identity provider must support WS-Trust
ERROR_ADAL_FAILED_TO_PARSE_XML (0xcaa9002c/-894894036)
Reason: On-premises federation service did not return an XML response.
Resolution: Ensure MEX endpoint is returning a valid XML. Ensure proxy is not interfering and returning
non-xml responses.
ERROR_ADAL_COULDNOT_DISCOVER_USERNAME_PASSWORD_ENDPOINT (0xcaa90023/-
894894045)
Reason: Could not discover endpoint for username/password authentication.
Resolution: Check the on-premises identity provider settings. Ensure that the WS-Trust endpoints are
enabled and ensure the MEX response contains these correct endpoints.
N et w o r k er r o r s
ERROR_ADAL_INTERNET_TIMEOUT (0xcaa82ee2/-894947614)
Reason: General network timeout.
Resolution: Ensure that https://login.microsoftonline.com is accessible in the SYSTEM context. Ensure
the on-premises identity provider is accessible in the SYSTEM context. For more information, see
Network connectivity requirements.
ERROR_ADAL_INTERNET_CONNECTION_ABORTED (0xcaa82efe/-894947586)
Reason: Connection with the auth endpoint was aborted.
Resolution: Retry after sometime or try joining from an alternate stable network location.
ERROR_ADAL_INTERNET_SECURE_FAILURE (0xcaa82f8f/-894947441)
Reason: The Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), certificate
sent by the server could not be validated.
Resolution: Check the client time skew. Retry after sometime or try joining from an alternate stable
network location.
ERROR_ADAL_INTERNET_CANNOT_CONNECT (0xcaa82efd/-894947587)
Reason: The attempt to connect to https://login.microsoftonline.com failed.
Resolution: Check network connection to https://login.microsoftonline.com .
O t h er er r o r s
ERROR_ADAL_SERVER_ERROR_INVALID_GRANT (0xcaa20003/-895352829)
Reason: SAML token from the on-premises identity provider was not accepted by Azure AD.
Resolution: Check the federation server settings. Look for the server error code in the authentication
logs.
ERROR_ADAL_WSTRUST_REQUEST_SECURITYTOKEN_FAILED (0xcaa90014/-894894060)
Reason: Server WS-Trust response reported fault exception and it failed to get assertion
Resolution: Check the federation server settings. Look for the server error code in the authentication
logs.
ERROR_ADAL_WSTRUST_TOKEN_REQUEST_FAIL (0xcaa90006/-894894074)
Reason: Received an error when trying to get access token from the token endpoint.
Resolution: Look for the underlying error in the ADAL log.
ERROR_ADAL_OPERATION_PENDING (0xcaa1002d/-895418323)
Reason: General ADAL failure
Resolution: Look for the suberror code or server error code from the authentication logs.
Join Phase
Reasons for failure:
Find the registration type and look for the error code from the list below.
Windows 10 1803 and above
Look for 'Previous Registration' subsection in the 'Diagnostic Data' section of the join status output. This section is
displayed only if the device is domain joined and is unable to hybrid Azure AD join. 'Registration Type' field
denotes the type of join performed.
+----------------------------------------------------------------------+
Previous Registration : 2019-01-31 09:16:43.000 UTC
Registration Type : sync
Error Phase : join
Client ErrorCode : 0x801c03f2
Server ErrorCode : DirectoryError
Server Message : The device object by the given id (e92325d0-7ac4-4714-88a1-94ae875d5245) is not
found.
Https Status : 400
Request Id : 6bff0bd9-820b-484b-ab20-2a4f7b76c58e
+----------------------------------------------------------------------+
H T T P e r r o r s r e t u r n e d fr o m D R S se r v e r
DSREG_E_DIRECTORY_FAILURE (0x801c03f2/-2145647630)
Reason: Received an error response from DRS with ErrorCode: "DirectoryError"
Resolution: Refer to the server error code for possible reasons and resolutions.
DSREG_E_DEVICE_AUTHENTICATION_ERROR (0x801c0002/-2145648638)
Reason: Received an error response from DRS with ErrorCode: "AuthenticationError" and ErrorSubCode
is NOT "DeviceNotFound".
Resolution: Refer to the server error code for possible reasons and resolutions.
DSREG_E_DEVICE_INTERNALSERVICE_ERROR (0x801c0006/-2145648634)
Reason: Received an error response from DRS with ErrorCode: "DirectoryError"
Resolution: Refer to the server error code for possible reasons and resolutions.
T P M er r o r s
NTE_BAD_KEYSET (0x80090016/-2146893802)
Reason: TPM operation failed or was invalid
Resolution: Likely due to a bad sysprep image. Ensure the machine from which the sysprep image was
created is not Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
TPM_E_PCP_INTERNAL_ERROR (0x80290407/-2144795641)
Reason: Generic TPM error.
Resolution: Disable TPM on devices with this error. Windows 10 version 1809 and higher automatically
detects TPM failures and completes hybrid Azure AD join without using the TPM.
TPM_E_NOTFIPS (0x80280036/-2144862154)
Reason: TPM in FIPS mode not currently supported.
Resolution: Disable TPM on devices with this error. Windows 1809 automatically detects TPM failures
and completes hybrid Azure AD join without using the TPM.
NTE_AUTHENTICATION_IGNORED (0x80090031/-2146893775)
Reason: TPM locked out.
Resolution: Transient error. Wait for the cooldown period. Join attempt after some time should succeed.
More Information can be found in the article TPM fundamentals
N e t w o r k Er r o r s
WININET_E_TIMEOUT (0x80072ee2/-2147012894)
Reason: General network time out trying to register the device at DRS
Resolution: Check network connectivity to https://enterpriseregistration.windows.net .
WININET_E_NAME_NOT_RESOLVED (0x80072ee7/-2147012889)
Reason: The server name or address could not be resolved.
Resolution: Check network connectivity to https://enterpriseregistration.windows.net . Ensure DNS
resolution for the hostname is accurate in the n/w and on the device.
WININET_E_CONNECTION_ABORTED (0x80072efe/-2147012866)
Reason: The connection with the server was terminated abnormally.
Resolution: Retry after sometime or try joining from an alternate stable network location.
F e d e r a t e d j o i n se r v e r Er r o r s
DirectoryError Your request is throttled Expected error. Possibly due Retry join after the
temporarily. Please try after to making multiple cooldown period
300 seconds. registration requests in
quick succession.
Sy n c j o i n se r v e r Er r o r s
DirectoryError AADSTS90002: Tenant not Tenant ID in SCP object is Ensure SCP object is
found. This error may incorrect configured with the correct
happen if there are no Azure AD tenant ID and
active subscriptions for the active subscriptions and
tenant. Check with your present in the tenant.
subscription administrator.
DirectoryError The device object by the Expected error for sync join. Wait for the Azure AD
given ID is not found. The device object has not Connect sync to complete
synced from AD to Azure and the next join attempt
AD after sync completion will
resolve the issue
SERVER ERRO R C O DE SERVER ERRO R M ESSA GE P O SSIB L E REA SO N S RESO L UT IO N
AuthenticationError The verification of the target The certificate on the Azure Wait for the Azure AD
computer's SID AD device doesn't match the Connect sync to complete
certificate used to sign the and the next join attempt
blob during the sync join. after sync completion will
This error typically means resolve the issue
sync hasn’t completed yet.
Known issues
Under Settings -> Accounts -> Access Work or School, Hybrid Azure AD joined devices may show two
different accounts, one for Azure AD and one for on-premises AD, when connected to mobile hotspots or
external WiFi networks. This is only a UI issue and does not have any impact on functionality.
Next steps
Continue troubleshooting devices using the dsregcmd command
For questions, see the device management FAQ
Troubleshooting devices using the dsregcmd
command
3/23/2020 • 9 minutes to read • Edit Online
Device state
This section lists the device join state parameters. The table below lists the criteria for the device to be in various
join states.
NOTE
Workplace Join (Azure AD registered) state is displayed in the "User State" section
AzureAdJoined: - Set to “YES” if the device is Joined to Azure AD. “NO” otherwise.
EnterpriseJoined: - Set to “YES” if the device is Joined to an on-premises DRS. A device cannot be both
EnterpriseJoined and AzureAdJoined.
DomainJoined: - Set to “YES” if the device is joined to a domain (AD).
DomainName: - Set to the name of the domain if the device is joined to a domain.
Sample device state output
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : HYBRIDADFS
+----------------------------------------------------------------------+
Device details
Displayed only when the device is Azure AD joined or hybrid Azure AD joined (not Azure AD registered). This
section lists device identifying details stored in the cloud.
DeviceId: - Unique ID of the device in the Azure AD tenant
Thumbprint: - Thumbprint of the device certificate
DeviceCer tificateValidity: - Validity of the device certificate
KeyContainerId: - ContainerId of the device private key associated with the device certificate
KeyProvider : - KeyProvider (Hardware/Software) used to store the device private key.
TpmProtected: - “YES” if the device private key is stored in a Hardware TPM.
Sample device details output
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : e92325d0-xxxx-xxxx-xxxx-94ae875dxxxx
Thumbprint : D293213EF327483560EED8410CAE36BB67208179
DeviceCertificateValidity : [ 2019-01-11 21:02:50.000 UTC -- 2029-01-11 21:32:50.000 UTC ]
KeyContainerId : 13e68a58-xxxx-xxxx-xxxx-a20a2411xxxx
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
+----------------------------------------------------------------------+
Tenant details
Displayed only when the device is Azure AD joined or hybrid Azure AD joined (not Azure AD registered). This
section lists the common tenant details when a device is joined to Azure AD.
NOTE
If the MDM URLs in this section are empty, it indicates that the MDM was either not configured or current user is not in
scope of MDM enrollment. Check the Mobility settings in Azure AD to review your MDM configuration.
NOTE
Even if you see MDM URLs this does not mean that the device is managed by an MDM. The information is displayed if the
tenant has MDM configuration for auto-enrollment even if the device itself is not managed.
TenantName : HybridADFS
TenantId : 96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx
Idp : login.windows.net
AuthCodeUrl : https://login.microsoftonline.com/96fa76d0-xxxx-xxxx-xxxx-
eb60cc22xxxx/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/96fa76d0-xxxx-xxxx-xxxx-
eb60cc22xxxx/oauth2/token
MdmUrl : https://enrollment.manage-beta.microsoft.com/EnrollmentServer/Discovery.svc
MdmTouUrl : https://portal.manage-beta.microsoft.com/TermsOfUse.aspx
MdmComplianceUrl : https://portal.manage-beta.microsoft.com/?portalAction=Compliance
SettingsUrl :
eyJVxxxxIjpbImh0dHBzOi8va2FpbGFuaS5vbmUubWljcm9zb2Z0LmNvbS8iLCJodHRwczovL2thaWxhbmkxLm9uZS5taWNyb3NvZnQuY29tL
yxxxx==
JoinSrvVersion : 1.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/96fa76d0-xxxx-xxxx-xxxx-
eb60cc22xxxx/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/96fa76d0-xxxx-xxxx-xxxx-
eb60cc22xxxx/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
+----------------------------------------------------------------------+
User state
This section lists the status of various attributes for the user currently logged into the device.
NOTE
The command must run in a user context to retrieve valid status.
NgcSet: - Set to “YES” if a Windows Hello key is set for the current logged on user.
NgcKeyId: - ID of the Windows Hello key if one is set for the current logged on user.
CanReset: - Denotes if the Windows Hello key can be reset by the user.
Possible values: - DestructiveOnly, NonDestructiveOnly, DestructiveAndNonDestructive, or Unknown if error.
WorkplaceJoined: - Set to “YES” if Azure AD registered accounts have been added to the device in the
current NTUSER context.
WamDefaultSet: - Set to “YES” if a WAM default WebAccount is created for the logged in user. This field could
display an error if dsreg /status is run from an elevated command prompt.
WamDefaultAuthority: - Set to “organizations” for Azure AD.
WamDefaultId: - Always “https://login.microsoft.com” for Azure AD.
WamDefaultGUID: - The WAM provider’s (Azure AD/Microsoft account) GUID for the default WAM
WebAccount.
Sample user state output
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : YES
NgcKeyId : {FA0DB076-A5D7-4844-82D8-50A2FB42EC7B}
CanReset : DestructiveAndNonDestructive
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : { B16898C6-A148-4967-9171-64D755DA8520 } (AzureAd)
+----------------------------------------------------------------------+
SSO state
This section can be ignored for Azure AD registered devices.
NOTE
The command must run in a user context to retrieve valid status for that user.
AzureAdPr t: - Set to “YES” if a PRT is present on the device for the logged-on user.
AzureAdPr tUpdateTime: - Set to the time in UTC when the PRT was last updated.
AzureAdPr tExpir yTime: - Set to the time in UTC when the PRT is going to expire if it is not renewed.
AzureAdPr tAuthority: - Azure AD authority URL
EnterprisePr t: - Set to “YES” if the device has PRT from on-premises ADFS. For hybrid Azure AD joined
devices the device could have PRT from both Azure AD and on-premises AD simultaneously. On-premises
joined devices will only have an Enterprise PRT.
EnterprisePr tUpdateTime: - Set to the time in UTC when the Enterprise PRT was last updated.
EnterprisePr tExpir yTime: - Set to the time in UTC when the PRT is going to expire if it is not renewed.
EnterprisePr tAuthority: - ADFS authority URL
Sample SSO state output
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2019-01-24 19:15:26.000 UTC
AzureAdPrtExpiryTime : 2019-02-07 19:15:26.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/96fa76d0-xxxx-xxxx-xxxx-eb60cc22xxxx
EnterprisePrt : YES
EnterprisePrtUpdateTime : 2019-01-24 19:15:33.000 UTC
EnterprisePrtExpiryTime : 2019-02-07 19:15:33.000 UTC
EnterprisePrtAuthority : https://fs.hybridadfs.nttest.microsoft.com:443/adfs
+----------------------------------------------------------------------+
Diagnostic data
Pre -join diagnostics
This section is displayed only if the device is domain joined and is unable to hybrid Azure AD join.
This section performs various tests to help diagnose join failures. This section also includes the details of the
previous (?). This information includes the error phase, the error code, the server request ID, server response http
status, server response error message.
User Context: - The context in which the diagnostics are run. Possible values: SYSTEM, UN-ELEVATED User,
ELEVATED User.
NOTE
Since the actual join is performed in SYSTEM context, running the diagnostics in SYSTEM context is closest to the
actual join scenario. To run diagnostics in SYSTEM context, the dsregcmd /status command must be run from an
elevated command prompt.
Keyname: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
Value: FallbackToSyncJoin
Type: REG_DWORD
Value: 0x0 -> Disabled
Value: 0x1 -> Enabled
Default (No Key): Enabled
Fallback to Sync-Join: - Set to “Enabled” if the above registry key, to prevent the fallback to sync join with
auth failures, is NOT present. This option is available from Windows 10 1803 and later.
Previous Registration: - Time the previous Join attempt occurred. Only failed Join attempts are logged.
Error Phase: - The stage of the join in which it was aborted. Possible values are pre-check, discover, auth, join.
Client ErrorCode: - Client error code returned (HRESULT).
Ser ver ErrorCode: - Server error code if a request was sent to the server and server responded back with an
error code.
Ser ver Message: - Server message returned along with the error code.
Https Status: - Http status returned by the server.
Request ID: - The client requestId sent to the server. Useful to correlate with server-side logs.
Sample pre -join diagnostics output
The following example shows diagnostics test failing with a discovery error.
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
+----------------------------------------------------------------------+
The following example shows diagnostics tests are passing but the registration attempt failed with a directory
error, which is expected for sync join. Once the Azure AD Connect synchronization job completes, the device will
be able to join.
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
+----------------------------------------------------------------------+
Post-join diagnostics
This section displays the output of sanity checks performed on a device joined to the cloud.
AadRecover yEnabled: - If “YES”, the keys stored in the device are not usable and the device is marked for
recovery. The next sign in will trigger the recovery flow and re-register the device.
KeySignTest: - If “PASSED” the device keys are in good health. If KeySignTest fails, the device will usually be
marked for recovery. The next sign in will trigger the recovery flow and re-register the device. For hybrid Azure
AD joined devices the recovery is silent. While Azure AD joined or Azure AD registered, devices will prompt for
user authentication to recover and re-register the device if necessary. The KeySignTest requires elevated
privileges.
Sample post-join diagnostics output
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
AadRecoveryEnabled: NO
KeySignTest : PASSED
+----------------------------------------------------------------------+
NOTE
You may not see NGC pre-requisite check details in dsregcmd /status if the user already successfully configured WHFB.
IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : YES
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : enrollment authority
AdfsRefreshToken : YES
AdfsRaIsReady : YES
LogonCertTemplateReady : YES ( StateReady )
PreReqResult : WillProvision
+----------------------------------------------------------------------+
Next steps
For questions, see the device management FAQ
Troubleshooting hybrid Azure Active Directory
joined down-level devices
11/22/2019 • 4 minutes to read • Edit Online
Autoworkplace.exe is unable to silently authenticate with Azure AD or AD FS. This could be caused by
missing or misconfigured AD FS (for federated domains) or missing or misconfigured Azure AD
Seamless Single Sign-On (for managed domains) or network issues.
It could be that multi-factor authentication (MFA) is enabled/configured for the user and
WIAORMULTIAUTHN is not configured at the AD FS server.
Another possibility is that home realm discovery (HRD) page is waiting for user interaction, which
prevents autoworkplace.exe from silently requesting a token.
It could be that AD FS and Azure AD URLs are missing in IE's intranet zone on the client.
Network connectivity issues may be preventing autoworkplace.exe from reaching AD FS or the Azure
AD URLs.
Autoworkplace.exe requires the client to have direct line of sight from the client to the organization's
on-premises AD domain controller, which means that hybrid Azure AD join succeeds only when the
client is connected to organization's intranet.
Your organization uses Azure AD Seamless Single Sign-On, https://autologon.microsoftazuread-sso.com
or https://aadg.windows.net.nsatc.net are not present on the device's IE intranet settings, and Allow
updates to status bar via script is not enabled for the Intranet zone.
You are not signed on as a domain user
There are a few different reasons why this can occur:
The signed in user is not a domain user (for example, a local user). Hybrid Azure AD join on down-level
devices is supported only for domain users.
The client is not able to connect to a domain controller.
A quota has been reached
You can also find the status information in the event log under: Applications and Ser vices Log\Microsoft-
Workplace Join
The most common causes for a failed hybrid Azure AD join are:
Your computer is not connected to your organization’s internal network or to a VPN with a connection to your
on-premises AD domain controller.
You are logged on to your computer with a local computer account.
Service configuration issues:
The AD FS server has not been configured to support WIAORMULTIAUTHN .
Your computer's forest has no Service Connection Point object that points to your verified domain name
in Azure AD
Or if your domain is managed, then Seamless SSO was not configured or working.
A user has reached the limit of devices.
Next steps
For questions, see the device management FAQ
Troubleshooting Enterprise State Roaming settings in
Azure Active Directory
9/7/2020 • 9 minutes to read • Edit Online
This topic provides information on how to troubleshoot and diagnose issues with Enterprise State Roaming, and
provides a list of known issues.
NOTE
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will
continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM
compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure
PowerShell.
NOTE
This article applies to the Microsoft Edge Legacy HTML-based browser launched with Windows 10 in July 2015. The article
does not apply to the new Microsoft Edge Chromium-based browser released on January 15, 2020. For more information
on the Sync behavior for the new Microsoft Edge, see the article Microsoft Edge Sync.
Known issues
Sync does not work on devices that have apps side -loaded using MDM software
Affects devices running the Windows 10 Anniversary Update (Version 1607). In Event Viewer under the
SettingSync-Azure logs, the Event ID 6013 with error 80070259 is frequently seen.
Recommended action
Make sure the Windows 10 v1607 client has the August 23, 2016 Cumulative Update (KB3176934 OS Build
14393.82).
Theme is not syncing, as well as data protected with Windows Information Protection
To prevent data leakage, data that is protected with Windows Information Protection will not sync through
Enterprise State Roaming for devices using the Windows 10 Anniversary Update.
Recommended action
None. Future updates to Windows may resolve this issue.
Sync does not work on devices that use smart card for login
If you attempt to sign in to your Windows device using a smart card or virtual smart card, settings sync will stop
working.
Recommended action
None. Future updates to Windows may resolve this issue.
Azure AD Joined device is not syncing and the user has a mixed case User Principal Name.
If the user has a mixed case UPN (for example, UserName instead of username) and the user is on an Azure AD
Joined device, which has upgraded from Windows 10 Build 10586 to 14393, the user's device may fail to sync.
Recommended action
The user will need to unjoin and rejoin the device to the cloud. To do this, login as the Local Administrator user and
unjoin the device by going to Settings > System > About and select "Manage or disconnect from work or
school". Clean up the files below, and then Azure AD Join the device again in Settings > System > About and
selecting "Connect to Work or School". Continue to join the device to Azure Active Directory and complete the
flow.
In the cleanup step, clean up the following files:
Settings.dat in C:\Users\<Username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\
All the files under the folder
C:\Users\<Username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Account
Event ID 6065: 80070533 This user can’t sign in because this account is currently disabled
In Event Viewer under the SettingSync/Debug logs, this error can be seen when the user's credentials have expired.
In addition, it can occur when the tenant did not automatically have AzureRMS provisioned.
Recommended action
In the first case, have the user update their credentials and login to the device with the new credentials. To solve
the AzureRMS issue, proceed with the steps listed in KB3193791.
Next steps
For an overview, see enterprise state roaming overview.
Azure Active Directory device management FAQ
9/7/2020 • 17 minutes to read • Edit Online
General FAQ
Q: I registered the device recently. Why can't I see the device under my user info in the Azure portal? Or why is
the device owner marked as N/A for hybrid Azure Active Directory (Azure AD) joined devices?
A: Windows 10 devices that are hybrid Azure AD joined don't show up under USER devices . Use the All devices
view in the Azure portal. You can also use a PowerShell Get-MsolDevice cmdlet.
Only the following devices are listed under USER devices :
All personal devices that aren't hybrid Azure AD joined.
All non-Windows 10 or Windows Server 2016 devices.
All non-Windows devices.
Q: How do I know what the device registration state of the client is?
A: In the Azure portal, go to All devices . Search for the device by using the device ID. Check the value under the
join type column. Sometimes, the device might be reset or reimaged. So it's essential to also check the device
registration state on the device:
For Windows 10 and Windows Server 2016 or later devices, run dsregcmd.exe /status .
For down-level OS versions, run %programFiles%\Microsoft Workplace Join\autoworkplace.exe .
A: For troubleshooting information, see these articles:
Troubleshooting devices using dsregcmd command
Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices
Troubleshooting hybrid Azure Active Directory joined down-level devices
Q: I see the device record under the USER info in the Azure portal. And I see the state as registered on the
device. Am I set up correctly to use Conditional Access?
A: The device join state, shown by deviceID , must match the state on Azure AD and meet any evaluation criteria
for Conditional Access. For more information, see Require managed devices for cloud app access with Conditional
Access.
Q: Why do my users see an error message saying "Your organization has deleted the device" or "Your
organization has disabled the device" on their Windows 10 devices?
A: On Windows 10 devices joined or registered with Azure AD, users are issued a Primary refresh token (PRT)
which enables single sign on. The validity of the PRT is based on the validity of the device itself. Users see this
message if the device is either deleted or disabled in Azure AD without initiating the action from the device itself. A
device can be deleted or disabled in Azure AD one of the following scenarios:
User disables the device from the My Apps portal.
An administrator (or user) deletes or disables the device in the Azure portal or by using PowerShell
Hybrid Azure AD joined only: An administrator removes the devices OU out of sync scope resulting in the
devices being deleted from Azure AD
Upgrading Azure AD connect to the version 1.4.xx.x. Understanding Azure AD Connect 1.4.xx.x and device
disappearance.
See below on how these actions can be rectified.
Q: I disabled or deleted my device in the Azure portal or by using Windows PowerShell. But the local state on
the device says it's still registered. What should I do?
A: This operation is by design. In this case, the device doesn't have access to resources in the cloud. Administrators
can perform this action for stale, lost, or stolen devices to prevent unauthorized access. If this action was
performed unintentionally, you'll need to re-enable or re-register the device as described below
If the device was disabled in Azure AD, an administrator with sufficient privileges can enable it from the
Azure AD portal
NOTE
If you are syncing devices using Azure AD Connect, hybrid Azure AD joined devices will be automatically re-enabled
during the next sync cycle. So, if you need to disable a hybrid Azure AD joined device, you need to disable it from
your on-premises AD
If the device is deleted in Azure AD, you need to re-register the device. To re-register, you must take a
manual action on the device. See below for instructions for re-registration based on the device state.
To re-register hybrid Azure AD joined Windows 10 and Windows Server 2016/2019 devices, take the
following steps:
1. Open the command prompt as an administrator.
2. Enter dsregcmd.exe /debug /leave .
3. Sign out and sign in to trigger the scheduled task that registers the device again with Azure AD.
For down-level Windows OS versions that are hybrid Azure AD joined, take the following steps:
1. Open the command prompt as an administrator.
2. Enter "%programFiles%\Microsoft Workplace Join\autoworkplace.exe /l" .
3. Enter "%programFiles%\Microsoft Workplace Join\autoworkplace.exe /j" .
For Azure AD joined devices Windows 10 devices, take the following steps:
1. Open the command prompt as an administrator
2. Enter dsregcmd /forcerecovery (Note: You need to be an administrator to perform this action).
3. Click "Sign in" in the dialog that opens up and continue with the sign in process.
4. Sign out and sign in back to the device to complete the recovery.
For Azure AD registered Windows 10 devices, take the following steps:
1. Go to Settings > Accounts > Access Work or School .
2. Select the account and select Disconnect .
3. Click on "+ Connect" and register the device again by going through the sign in process.
Q: Why can a user still access resources from a device I disabled in the Azure por tal?
A: It takes up to an hour for a revoke to be applied from the time the Azure AD device is marked as disabled.
NOTE
For enrolled devices, we recommend that you wipe the device to make sure users can't access the resources. For more
information, see What is device enrollment?.
Q: Why are there devices marked as "Pending" under the REGISTERED column in the Azure portal?
A : Pending indicates that the device is not registered. This state indicates that a device has been synchronized
using Azure AD connect from an on-premises AD and is ready for device registration. These devices have the JOIN
TYPE set to "Hybrid Azure AD joined". Learn more on how to plan your hybrid Azure Active Directory join
implementation.
NOTE
A device can also change from having a registered state to "Pending"
If a device is deleted from Azure AD first and re-synchronized from an on-premises AD.
If a device is removed from a sync scope on Azure AD Connect and added back.
In both cases, you must re-register the device manually on each of these devices. To review whether the device was
previously registered, you can troubleshoot devices using the dsregcmd command.
Q: Can my users' sign in to Azure AD joined devices that are deleted or disabled in Azure AD?
A: Yes. Windows has a cached username and password capability that allows users who signed in previously to
access the desktop quickly even without network connectivity.
When a device is deleted or disabled in Azure AD, it's not known to the Windows device. So users who signed in
previously continue to access the desktop with the cached username and password. But as the device is deleted or
disabled, users can't access any resources protected by device-based Conditional Access.
Users who didn't sign in previously can't access the device. There's no cached username and password enabled for
them.
Q: Why do my users have issues on Azure AD joined devices after changing their UPN?
A: Currently, UPN changes are not fully supported on Azure AD joined devices. So their authentication with Azure
AD fails after their UPN changes. As a result, users have SSO and Conditional Access issues on their devices. At
this time, users need to sign in to Windows through the "Other user" tile using their new UPN to resolve this issue.
We are currently working on addressing this issue. However, users signing in with Windows Hello for Business do
not face this issue.
UPN changes are supported with Windows 10 2004 update. Users on devices with this update will not have any
issues after changing their UPNs
Q: My users can't search printers from Azure AD joined devices. How can I enable printing from those devices?
A: To deploy printers for Azure AD joined devices, see Deploy Windows Server Hybrid Cloud Print with Pre-
Authentication. You need an on-premises Windows Server to deploy hybrid cloud print. Currently, cloud-based
print service isn't available.
Q: Why don't some of my users get Azure Multi-Factor Authentication prompts on Azure AD joined devices?
A: A user might join or register a device with Azure AD by using Multi-Factor Authentication. Then the device itself
becomes a trusted second factor for that user. Whenever the same user signs in to the device and accesses an
application, Azure AD considers the device as a second factor. It enables that user to seamlessly access applications
without additional Multi-Factor Authentication prompts.
This behavior:
Is applicable to Azure AD joined and Azure AD registered devices - but not for hybrid Azure AD joined devices.
Isn't applicable to any other user who signs in to that device. So all other users who access that device get a
Multi-Factor Authentication challenge. Then they can access applications that require Multi-Factor
Authentication.
Q: Why do I get a username or password is incorrect message for a device I just joined to Azure AD?
A: Common reasons for this scenario are as follows:
Your user credentials are no longer valid.
Your computer can't communicate with Azure Active Directory. Check for any network connectivity issues.
Federated sign-ins require your federation server to support WS-Trust endpoints that are enabled and
accessible.
You enabled pass-through authentication. So your temporary password needs to be changed when you sign in.
Q: Why do I see the Oops… an error occurred! dialog when I try to Azure AD join my PC?
A: This error happens when you set up Azure Active Directory enrollment with Intune. Make sure that the user
who tries to Azure AD join has the correct Intune license assigned. For more information, see Set up enrollment
for Windows devices.
Q: Why did my attempt to Azure AD join a PC fail, although I didn't get any error information?
A: A likely cause is that you signed in to the device by using the local built-in administrator account. Create a
different local account before you use Azure Active Directory join to finish the setup.
Q: Where can I find troubleshooting information to diagnose hybrid Azure AD join failures?
A: For troubleshooting information, see these articles:
Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices
Troubleshooting hybrid Azure Active Directory joined down-level devices
Q: Why do I see a duplicate Azure AD registered record for my Windows 10 hybrid Azure AD joined device in
the Azure AD devices list?
A: When your users add their accounts to apps on a domain-joined device, they might be prompted with Add
account to Windows? If they enter Yes on the prompt, the device registers with Azure AD. The trust type is
marked as Azure AD registered. After you enable hybrid Azure AD join in your organization, the device also gets
hybrid Azure AD joined. Then two device states show up for the same device.
Hybrid Azure AD join takes precedence over the Azure AD registered state. So your device is considered hybrid
Azure AD joined for any authentication and Conditional Access evaluation. You can safely delete the Azure AD
registered device record from the Azure AD portal. Learn to avoid or clean up this dual state on the Windows 10
machine.
Q: Why do my users have issues on Windows 10 hybrid Azure AD joined devices after changing their UPN?
A: Currently UPN changes are not fully supported with hybrid Azure AD joined devices. While users can sign in to
the device and access their on-premises applications, authentication with Azure AD fails after a UPN change. As a
result, users have SSO and Conditional Access issues on their devices. At this time, you need to unjoin the device
from Azure AD (run "dsregcmd /leave" with elevated privileges) and rejoin (happens automatically) to resolve the
issue. We are currently working on addressing this issue. However, users signing in with Windows Hello for
Business do not face this issue.
UPN changes are supported with Windows 10 2004 update. Users on devices with this update will not have any
issues after changing their UPNs
Q: Do Windows 10 hybrid Azure AD joined devices require line of sight to the domain controller to get access
to cloud resources?
A: No, except when the user's password is changed. After Windows 10 hybrid Azure AD join is complete, and the
user has signed in at least once, the device doesn't require line of sight to the domain controller to access cloud
resources. Windows 10 can get single sign-on to Azure AD applications from anywhere with an internet
connection, except when a password is changed. Users who sign in with Windows Hello for Business continue to
get single sign-on to Azure AD applications even after a password change, even if they don't have line of sight to
their domain controller.
Q: What happens if a user changes their password and tries to login to their Windows 10 hybrid Azure AD
joined device outside the corporate network?
A: If a password is changed outside the corporate network (for example, by using Azure AD SSPR), then the user
sign in with the new password will fail. For hybrid Azure AD joined devices, on-premises Active Directory is the
primary authority. When a device does not have line of sight to the domain controller, it is unable to validate the
new password. So, user needs to establish connection with the domain controller (either via VPN or being in the
corporate network) before they're able to sign in to the device with their new password. Otherwise, they can only
sign in with their old password because of cached sign in capability in Windows. However, the old password is
invalidated by Azure AD during token requests and hence, prevents single sign-on and fails any device-based
Conditional Access policies. This issue doesn't occur if you use Windows Hello for Business.
Q: How can I block users from adding additional work accounts (Azure AD registered) on my corporate
Windows 10 devices?
A: Enable the following registry to block your users from adding additional work accounts to your corporate
domain joined, Azure AD joined, or hybrid Azure AD joined Windows 10 devices. This policy can also be used to
block domain joined machines from inadvertently getting Azure AD registered with the same user account.
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001
Next steps
Learn more about Azure AD registered devices
Learn more about Azure AD joined devices
Learn more about hybrid Azure AD joined devices
Settings and data roaming FAQ
9/7/2020 • 10 minutes to read • Edit Online
This article answers some questions IT administrators might have about settings and app data sync.
NOTE
This article applies to the Microsoft Edge Legacy HTML-based browser launched with Windows 10 in July 2015. The article
does not apply to the new Microsoft Edge Chromium-based browser released on January 15, 2020. For more information
on the Sync behavior for the new Microsoft Edge, see the article Microsoft Edge Sync.
Application data : Universal Windows apps can write settings data to a roaming folder, and any data written to
this folder will automatically be synced. It’s up to the individual app developer to design an app to take advantage
of this capability. For more information about how to develop a Universal Windows app that uses roaming, see the
appdata storage API and the Windows 8 appdata roaming developer blog.
NOTE
Windows 10 devices that are enterprise-owned and are connected to Azure AD can no longer connect their Microsoft
accounts to a domain account. The ability to connect a Microsoft account to a domain account and have all the user's data
sync to the Microsoft account (that is, the Microsoft account roaming via the connected Microsoft account and Active
Directory functionality) is removed from Windows 10 devices that are joined to a connected Active Directory or Azure AD
environment.
What are the roaming settings options for existing Windows desktop
applications?
Roaming only works for Universal Windows apps. There are two options available for enabling roaming on an
existing Windows desktop application:
The Desktop Bridge helps you bring your existing Windows desktop apps to the Universal Windows Platform.
From here, minimal code changes will be required to take advantage of Azure AD app data roaming. The
Desktop Bridge provides your apps with an app identity, which is needed to enable app data roaming for
existing desktop apps.
User Experience Virtualization (UE-V) helps you create a custom settings template for existing Windows
desktop apps and enable roaming for Win32 apps. This option does not require the app developer to change
code of the app. UE-V is limited to on-premises Active Directory roaming for customers who have purchased
the Microsoft Desktop Optimization Pack.
Administrators can configure UE-V to roam Windows desktop app data by changing roaming of Windows OS
settings and Universal app data through UE-V group policies, including:
Roam Windows settings group policy
Do not synchronize Windows Apps group policy
Internet Explorer roaming in the applications section
In the future, Microsoft may investigate ways to make UE-V deeply integrated into Windows and extend UE-V to
roam settings through the Azure AD cloud.
Known issues
See the documentation in the troubleshooting section for a list of known issues.
Next steps
For an overview, see enterprise state roaming overview
Enforce TLS 1.2 for the Azure AD Registration Service
9/7/2020 • 2 minutes to read • Edit Online
The Azure Active Directory (Azure AD) Device Registration Service is used to connect devices to the cloud with a
device identity. The Azure AD Device Registration Service currently supports using Transport Layer Security (TLS)
1.2 for communications with Azure. To ensure security and best-in-class encryption, Microsoft recommends
disabling TLS 1.0 and 1.1. This document will provide information on how to ensure machines used to complete
registration and communicate with the Azure AD Device Registration Service use TLS 1.2.
The TLS protocol version 1.2 is a cryptography protocol that is designed to provide secure communications. The
TLS protocol aims primarily to provide privacy and data integrity. TLS has gone through many iterations with
version 1.2 being defined in RFC 5246 (external link).
Current analysis of connections shows little TLS 1.1 and 1.0 usage, but we are providing this information so that
you can update any affected clients or servers as necessary before support for TLS 1.1 and 1.0 ends. If you are
using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services (AD FS), make
sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2.
IMPORTANT
After you have updated the registry, you must restart the Windows server for the changes to take effect.
Update AD FS servers
Any AD FS servers used to communicate with the Azure AD Device Registration Service must ensure that TLS 1.2 is
enabled. See Managing SSL/TLS Protocols and Cipher Suites for AD FS for information on how to enable/verify this
configuration.
Client updates
Since all client-server and browser-server combinations must use TLS 1.2 to connect with the Azure AD Device
Registration Service, you may need to update these devices.
The following clients are known to be unable to support TLS 1.2. Update your clients to ensure uninterrupted
access.
Android version 4.3 and earlier
Firefox version 5.0 and earlier
Internet Explorer versions 8-10 on Windows 7 and earlier
Internet Explorer 10 on Windows Phone 8.0
Safari version 6.0.4 on OS X 10.8.4 and earlier
Next steps
TLS/SSL overview (Schannel SSP)
Group Policy and MDM settings
9/7/2020 • 2 minutes to read • Edit Online
Use these group policy and mobile device management (MDM) settings only on corporate-owned devices because
these policies are applied to the user’s entire device. Applying an MDM policy to disable settings sync for a
personal, user-owned device will negatively impact the use of that device. Additionally, other user accounts on the
device will also be affected by the policy.
Enterprises that want to manage roaming for personal (unmanaged) devices can use the Azure portal to enable or
disable roaming, rather than using Group Policy or MDM. The following tables describe the policy settings
available.
NOTE
This article applies to the Microsoft Edge Legacy HTML-based browser launched with Windows 10 in July 2015. The article
does not apply to the new Microsoft Edge Chromium-based browser released on January 15, 2020. For more information
on the Sync behavior for the new Microsoft Edge, see the article Microsoft Edge Sync.
MDM settings
The MDM policy settings apply to both Windows 10 and Windows 10 Mobile. Windows 10 Mobile support exists
only for Microsoft account based roaming via user’s OneDrive account. Refer to Devices and endpoints for details
on what devices are supported for Azure AD-based syncing.
Allow Microsoft Account Connection Allows users to authenticate using a Microsoft account on the
device
Allow Sync My Settings Allows users to roam Windows settings and app data;
Disabling this policy will disable sync as well as backups on
mobile devices
Accounts: Block Microsoft Accounts This policy setting prevents users from adding new Microsoft
accounts on this computer
Do not sync Prevents users to roam Windows settings and app data
Do not sync browser settings Disables syncing of the Internet Explorer group
Do not sync other Windows settings Disables syncing of Other Windows settings group
Do not sync on metered connections Disables roaming on metered connections, such as cellular 3G
Next steps
For an overview, see enterprise State Roaming overview.
Windows 10 roaming settings reference
9/7/2020 • 8 minutes to read • Edit Online
The following is a list of the settings that will be roamed or backed up in Windows 10.
A C C O UN T T Y P E A N D O P ERAT IO N DESK TO P M O B IL E
What is backup?
Windows settings generally sync by default, but some settings are only backed up, such as the list of installed
applications on a device. Backup is for mobile devices only and currently not available for Enterprise State
Roaming users. Backup uses a Microsoft account and stores the settings and application data into OneDrive. If a
user disables sync on the device using the Settings app, application data that normally syncs becomes backup only.
Backup data can only be accessed through the restore operation during the first run experience of a new device.
Backups can be disabled via the device settings, and can be managed and deleted through the user’s OneDrive
account.
Microsoft Edge browser setting group (favorites, reading list) syncing can be enabled or disabled by end users
through Microsoft Edge browser Settings menu option.
For Windows 10 version 1803 or later, Internet Explorer setting group (favorites, typed URLs) syncing can be
enabled or disabled by end users through Internet Explorer Settings menu option.
Windows Settings details
In the following table, Other entries in the Settings Group column refer to settings that can be disabled by going to
Settings > Accounts > Sync your settings > Other Windows settings.
Internal entries in the Settings Group column refer to settings and apps that can only be disabled from syncing
within the app itself or by disabling sync for the entire device using mobile device management (MDM) or Group
Policy settings. Settings that don't roam or sync will not belong to a group.
Next steps
For an overview, see enterprise state roaming overview.
What's new in Azure Active Directory?
9/7/2020 • 53 minutes to read • Edit Online
Get notified about when to revisit this page for updates by copying and pasting this URL:
https://docs.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us
into your feed reader.
Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this
article provides you with information about:
The latest releases
Known issues
Bug fixes
Deprecated functionality
Plans for changes
This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find
them in Archive for What's new in Azure Active Directory.
August 2020
Updates to Azure Multi-Factor Authentication Server firewall requirements
Type: Plan for change
Ser vice categor y: MFA
Product capability: Identity Security & Protection
Starting 1 October 2020, Azure MFA Server firewall requirements will require additional IP ranges.
If you have outbound firewall rules in your organization, update the rules so that your MFA servers can
communicate with all the necessary IP ranges. The IP ranges are documented in Azure Multi-Factor Authentication
Server firewall requirements.
Application Admin and Cloud Application Admin can manage extension properties of applications
Type: Changed feature
Ser vice categor y: Azure AD roles
Product capability: Access Control
Previously, only the Global Administrator could manage the extension property. We're now enabling this capability
for the Application Administrator and Cloud Application Administrator as well.
July 2020
As an IT Admin, I want to target client apps using Conditional Access
Type: Plan for change
Ser vice categor y: Conditional Access
Product capability: Identity Security & Protection
With the GA release of the client apps condition in Conditional Access, new policies will now apply by default to all
client applications. This includes legacy authentication clients. Existing policies will remain unchanged, but the
Configure Yes/No toggle will be removed from existing policies to easily see which client apps are applied to by the
policy.
When creating a new policy, make sure to exclude users and service accounts that are still using legacy
authentication; if you don't, they will be blocked. Learn more.
Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1
Type: Plan for change
Ser vice categor y: Device Registration and Management
Product capability: Platform
Transport layer security (TLS) 1.2 and update servers and clients will soon communicate with Azure Active
Directory Device Registration Service. Support for TLS 1.0 and 1.1 for communication with Azure AD Device
Registration service will retire:
On August 31, 2020, in all sovereign clouds (GCC High, DoD, etc.)
On October 30, 2020, in all commercial clouds
Learn more about TLS 1.2 for the Azure AD Registration Service.
Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs
Type: Fixed
Ser vice categor y: Reporting
Product capability: Monitoring & Reporting
Windows Hello for Business allows end-users to sign into Windows machines with a gesture (such as a PIN or
biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows
sign-ins as part of an organization's journey to passwordless authentication.
Admins can now see whether a Windows authentication used Windows Hello for Business by checking the
Authentication Details tab for a Windows sign-in event in the Azure AD Sign-Ins blade in the Azure Portal. Windows
Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For
more information on interpreting Sign-In Logs, please see the Sign-In Logs documentation.
Public Preview: Admins can now add custom content in the email to reviewers when creating an access review
Type: New feature
Ser vice categor y: Access Reviews
Product capability: Identity Governance
When a new access review is created, the reviewer receives an email requesting them to complete the access
review. Many of our customers asked for the ability to add custom content to the email, such as contact
information, or other additional supporting content to guide the reviewer.
Now available in public preview, administrators can specify custom content in the email sent to reviewers by
adding content in the "advanced" section of Azure AD Access Reviews. For guidance on creating access reviews, see
Create an access review of groups and applications in Azure AD access reviews.
Azure AD Application Proxy now supports the Remote Desktop Services Web Client
Type: New feature
Ser vice categor y: App Proxy
Product capability: Access Control
Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client
allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge,
Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a
local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS
deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For
guidance, see Publish Remote Desktop with Azure AD Application Proxy.
View role assignments across all scopes and ability to download them to a csv file
Type: Changed feature
Ser vice categor y: Azure AD roles
Product capability: Access Control
You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure
AD portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and
adding role assignments, see View and assign administrator roles in Azure Active Directory.
June 2020
User risk condition in Conditional Access policy
Type: Plan for change
Ser vice categor y: Conditional Access
Product capability: Identity Security & Protection
User risk support in Azure AD Conditional Access policy allows you to create multiple user risk-based policies.
Different minimum user risk levels can be required for different users and apps. Based on user risk, you can create
policies to block access, require multi-factor authentication, secure password change, or redirect to Microsoft Cloud
App Security to enforce session policy, such as additional auditing.
The user risk condition requires Azure AD Premium P2 because it uses Azure Identity Protection, which is a P2
offering. for more information about conditional access, refer to Azure AD Conditional Access documentation.
SAML SSO now supports apps that require SPNameQualifier to be set when requested
Type: Fixed
Ser vice categor y: Enterprise Apps
Product capability: SSO
Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now
Azure AD responds correctly when a SPNameQualifier is requested in the request NameID policy. This also works
for SP initiated sign-in, and IdP initiated sign-in will follow. To learn more about SAML protocol in Azure Active
Directory, see Single Sign-On SAML protocol.
Azure AD B2B Collaboration supports inviting MSA and Google users in Azure Government tenants
Type: New feature
Ser vice categor y: B2B
Product capability: B2B/B2C
Azure Government tenants using the B2B collaboration features can now invite users that have a Microsoft or
Google account. To find out if your tenant can use these capabilities, follow the instructions at How can I tell if B2B
collaboration is available in my Azure US Government tenant?
API connectors for External Identities self-service sign-up are now in public preview
Type: New feature
Ser vice categor y: B2B
Product capability: B2B/B2C
External Identities API connectors enable you to leverage web APIs to integrate self-service sign-up with external
cloud systems. This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based
custom workflows. For example, you can use API connectors to:
Integrate with a custom approval workflows.
Perform identity proofing
Validate user input data
Overwrite user attributes
Run custom business logic
For more information about all of the experiences possible with API connectors, see Use API connectors to
customize and extend self-service sign-up, or Customize External Identities self-service sign-up with web API
integrations.
Provision on-demand and get users into your apps in seconds
Type: New feature
Ser vice categor y: App Provisioning
Product capability: Identity Lifecycle Management
The Azure AD provisioning service currently operates on a cyclic basis. The service runs every 40 mins. The on-
demand provisioning capability allows you to pick a user and provision them in seconds. This capability allows you
to quickly troubleshoot provisioning issues, without having to do a restart to force the provisioning cycle to start
again.
Sensitivity labels to apply policies to Microsoft 365 groups is now generally available
Type: New feature
Ser vice categor y: Group Management
Product capability: Collaboration
You can now create sensitivity labels and use the label settings to apply policies to Microsoft 365 groups, including
privacy (Public or Private) and external user access policy. You can create a label with the privacy policy to be
Private, and external user access policy to not allow to add guest users. When a user applies this label to a group,
the group will be private, and no guest users are allowed to be added to the group.
Sensitivity labels are important to protect your business-critical data and enable you to manage groups at scale, in
a compliant and secure fashion. For guidance on using sensitivity labels, refer to Assign sensitivity labels to Office
365 groups in Azure Active Directory (preview).
Updates to support for Microsoft Identity Manager for Azure AD Premium customers
Type: Changed feature
Ser vice categor y: Microsoft Identity Manager
Product capability: Identity Lifecycle Management
Azure Support is now available for Azure AD integration components of Microsoft Identity Manager 2016, through
the end of Extended Support for Microsoft Identity Manager 2016. Read more at Support update for Azure AD
Premium customers using Microsoft Identity Manager.
Enabling basic formatting on the Sign In Page Text component in Company Branding.
Type: Changed feature
Ser vice categor y: Authentications (Logins)
Product capability: User Authentication
The Company Branding functionality on the Azure AD/Microsoft 365 login experience has been updated to allow
the customer to add hyperlinks and simple formatting, including bold font, underline, and italics. For guidance on
using this functionality, see Add branding to your organization's Azure Active Directory sign-in page.
May 2020
Retirement of properties in signIns, riskyUsers, and riskDetections APIs
Type: Plan for change
Ser vice categor y: Identity Protection
Product capability: Identity Security & Protection
Currently, enumerated types are used to represent the riskType property in both the riskDetections API and
riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the signIns
API. Going forward we will represent these properties as strings.
Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API,
and to riskEventTypes_v2 property in the beta signIns API by September 9th, 2020. At that date, we will be retiring
the current riskType and riskEventTypes properties. For more information, refer to Changes to risk event properties
and Identity Protection APIs on Microsoft Graph.
New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't
synced to Azure Active Directory.
Type: Plan for change
Ser vice categor y: Authentications (Logins)
Product capability: User Authentication
Currently, users who are in domains federated in Azure AD, but who are not synced into the tenant, can't access
Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email
verified sign up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object
in Azure ID, to have a user object created automatically and be authenticated for Teams. Their user object will be
marked as "self-service sign up." This is an extension of the existing capability to do email verified self-sign up that
users in managed domains can do and can be controlled using the same flag. This change will complete rolling out
during the following two months. Watch for documentation updates here.
Upcoming fix: The OIDC discovery document for the Azure Government cloud is being updated to reference
the correct Graph endpoints.
Type: Plan for change
Ser vice categor y: Sovereign Clouds
Product capability: User Authentication
Starting in June, the OIDC discovery document Microsoft identity platform and OpenID Connect protocol on the
Azure Government cloud endpoint (login.microsoftonline.us), will begin to return the correct National cloud graph
endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently
provides the incorrect Graph endpoint (graph.microsoft.com) "msgraph_host" field.
This bug fix will be rolled out gradually over approximately 2 months.
SAML Single Logout request now sends NameID in the correct format
Type: Fixed
Ser vice categor y: Authentications (Logins)
Product capability: User Authentication
When a user clicks on sign-out (e.g., in the MyApps portal), Azure AD sends a SAML Single Logout message to each
app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a
persistent format.
If the original SAML sign-in token used a different format for NameID (e.g. email/UPN), then the SAML app cannot
correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are
different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This
fix makes the sign-out message consistent with the NameID configured for the application.
New query capabilities for Directory Objects in Microsoft Graph are in Public Preview
Type: New feature
Ser vice categor y: MS Graph Product capability: Developer Experience
New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter,
and Sort operations. This will give developers the ability to quickly query our Directory Objects without
workarounds such as in-memory filtering and sorting. Find out more in this blog post.
We are currently in Public Preview, looking for feedback. Please send your comments with this brief survey.
Configure SAML -based single sign-on using Microsoft Graph API (Beta)
Type: New feature
Ser vice categor y: Enterprise Apps
Product capability: SSO
Support for creating and configuring an application from the Azure AD Gallery using MS Graph APIs in Beta is now
available. If you need to set up SAML-based single sign-on for multiple instances of an application, save time by
using the Microsoft Graph APIs to automate the configuration of SAML-based single sign-on.
The new App registrations experience for Azure AD B2C is now generally available
Type: Changed Feature
Ser vice categor y: B2C - Consumer Identity Management
Product capability: Identity Lifecycle Management
The new App registrations experience for Azure AD B2C is now generally available.
Previously, you had to manage your B2C consumer-facing applications separately from the rest of your apps using
the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure.
The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a
consistent way to manage them. Whether you need to manage a customer-facing app or an app that has access to
Microsoft Graph to programmatically manage Azure AD B2C resources, you only need to learn one way to do
things.
You can reach the new experience by navigating the Azure AD B2C service and selecting the App registrations
blade. The experience is also accessible from the Azure Active Directory service.
The Azure AD B2C App registrations experience is based on the general App Registration experience for Azure AD
tenants but is tailored for Azure AD B2C. The legacy "Applications" experience will be deprecated in the future.
For more information, visit The New app registration experience for Azure AD B2C.
April 2020
Combined security info registration experience is now generally available
Type: New feature
Ser vice categor y: Authentications (Logins)
Product capability: Identity Security & Protection
The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset
(SSPR) is now generally available. This new registration experience enables users to register for MFA and SSPR in a
single, step-by-step process. When you deploy the new experience for your organization, users can register in less
time and with fewer hassles. Check out the blog post here.
SMS Sign-in: Firstline Workers can sign in to Azure AD-backed applications with their phone number and no
password
Type: New feature
Ser vice categor y: Authentications (Logins)
Product capability: User Authentication
Office is launching a series of mobile-first business apps that cater to non-traditional organizations, and to
employees in large organizations that don’t use email as their primary communication method. These apps target
frontline employees, deskless workers, field agents, or retail employees that may not get an email address from
their employer, have access to a computer, or to IT. This project will let these employees sign in to business
applications by entering a phone number and roundtripping a code. For more details, please see our admin
documentation and end user documentation.
Microsoft Graph delta query support for oAuth2PermissionGrant available for Public Preview
Type: New feature
Ser vice categor y: MS Graph
Product capability: Developer Experience
Delta query for oAuth2PermissionGrant is available for public preview! You can now track changes without having
to continuously poll Microsoft Graph. Learn more.
Microsoft Graph delta query support for organizational contact generally available
Type: New feature
Ser vice categor y: MS Graph
Product capability: Developer Experience
Delta query for organizational contacts is generally available! You can now track changes in production apps
without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls orgContact
data by delta query to significantly improve performance. Learn more.
Microsoft Graph delta query support for administrative units available for Public Preview
Type: New feature
Ser vice categor y: MS Graph
Product capability: Developer Experience Delta query for administrative units is available for public preview! You
can now track changes without having to continuously poll Microsoft Graph. Learn more.
Manage authentication phone numbers and more in new Microsoft Graph beta APIs
Type: New feature
Ser vice categor y: MS Graph
Product capability: Developer Experience
These APIs are a key tool for managing your users’ authentication methods. Now you can programmatically pre-
register and manage the authenticators used for MFA and self-service password reset (SSPR). This has been one of
the most-requested features in the Azure MFA, SSPR, and Microsoft Graph spaces. The new APIs we’ve released in
this wave give you the ability to:
Read, add, update, and remove a user’s authentication phones
Reset a user’s password
Turn on and off SMS-sign-in
For more information, see Azure AD authentication methods API overview.
Administrative Units Public Preview
Type: New feature
Ser vice categor y: Azure AD roles
Product capability: Access Control
Administrative units allow you to grant admin permissions that are restricted to a department, region, or other
segment of your organization that you define. You can use administrative units to delegate permissions to regional
administrators or to set policy at a granular level. For example, a User account admin could update profile
information, reset passwords, and assign licenses for users only in their administrative unit.
Using administrative units, a central administrator could:
Create an administrative unit for decentralized management of resources
Assign a role with administrative permissions over only Azure AD users in an administrative unit
Populate the administrative units with users and groups as needed
For more information, see Administrative units management in Azure Active Directory (preview).
Users with default access role are now in scope for provisioning
Type: Changed feature
Ser vice categor y: App Provisioning
Product capability: Identity Lifecycle Management
Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that
customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning
configurations allow users with the default access role to be provisioned. Gradually we will change the behavior for
existing provisioning configurations to support provisioning users with this role. Learn more.
Updated provisioning UI
Type: Changed feature
Ser vice categor y: App Provisioning
Product capability: Identity Lifecycle Management
We've refreshed our provisioning experience to create a more focused management view. When you navigate to
the provisioning blade for an enterprise application that has already been configured, you'll be able to easily
monitor the progress of provisioning and manage actions such as starting, stopping, and restarting provisioning.
Learn more.
Identity Secure Score - Security Defaults and MFA improvement action updates
Type: Changed feature
Ser vice categor y: N/A
Product capability: Identity Security & Protection
Suppor ting security defaults for Azure AD improvement actions: Microsoft Secure Score will be updating
improvement actions to support security defaults in Azure AD, which make it easier to help protect your
organization with pre-configured security settings for common attacks. This will affect the following improvement
actions:
Ensure all users can complete multi-factor authentication for secure access
Require MFA for administrative roles
Enable policy to block legacy authentication
MFA improvement action updates: To reflect the need for businesses to ensure the upmost security while
applying policies that work with their business, Microsoft Secure Score has removed three improvement actions
centered around multi-factor authentication and added two.
Removed improvement actions:
Register all users for multi-factor authentication
Require MFA for all users
Require MFA for Azure AD privileged roles
Added improvement actions:
Ensure all users can complete multi-factor authentication for secure access
Require MFA for administrative roles
These new improvement actions require registering your users or admins for multi-factor authentication (MFA)
across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to
have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based
identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or
setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for MFA. Read more
about what's new in Microsoft Secure Score.
March 2020
Unmanaged Azure Active Directory accounts in B2B update for March, 2021
Type: Plan for change
Ser vice categor y: B2B
Product capability: B2B/B2C
Beginning on March 31, 2021 , Microsoft will no longer support the redemption of invitations by creating
unmanaged Azure Active Directory (Azure AD) accounts and tenants for B2B collaboration scenarios. In preparation
for this, we encourage you to opt in to email one-time passcode authentication.
Users with the default access role will be in scope for provisioning
Type: Plan for change
Ser vice categor y: App Provisioning
Product capability: Identity Lifecycle Management
Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that
customers want users with this role to be in scope for provisioning. We're working on deploying a change so that
all new provisioning configurations will allow users with the default access role to be provisioned. Gradually, we'll
change the behavior for existing provisioning configurations to support provisioning users with this role. No
customer action is required. We'll post an update to our documentation once this change is in place.
Azure AD B2B collaboration will be available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet)
tenants
Type: Plan for change
Ser vice categor y: B2B
Product capability: B2B/B2C
The Azure AD B2B collaboration capabilities will be made available in Microsoft Azure operated by 21Vianet (Azure
China 21Vianet) tenants, enabling users in an Azure China 21Vianet tenant to collaborate seamlessly with users in
other Azure China 21Vianet tenants. Learn more about Azure AD B2B collaboration.
Azure Monitor integration for Azure Logs is now available in Azure Government
Type: New feature
Ser vice categor y: Reporting
Product capability: Monitoring & Reporting
Azure Monitor integration with Azure AD logs is now available in Azure Government. You can route Azure AD Logs
(Audit and Sign-in Logs) to a storage account, Event Hub and Log Analytics. Please check out the detailed
documentation as well as deployment plans for reporting and monitoring for Azure AD scenarios.
SSPR (self-service password reset) now requires two gates for admins in Microsoft Azure operated by 21Vianet
(Azure China 21Vianet)
Type: Changed feature
Ser vice categor y: Self-Service Password Reset
Product capability: Identity Security & Protection
Previously in Microsoft Azure operated by 21Vianet (Azure China 21Vianet), admins using self-service password
reset (SSPR) to reset their own passwords needed only one "gate" (challenge) to prove their identity. In public and
other national clouds, admins generally must use two gates to prove their identity when using SSPR. But because
we didn't support SMS or phone calls in Azure China 21Vianet, we allowed one-gate password reset by admins.
We're creating SSPR feature parity between Azure China 21Vianet and the public cloud. Going forward, admins
must use two gates when using SSPR. SMS, phone calls, and Authenticator app notifications and codes will be
supported. Learn more.
Azure AD sign-in logs are now available for all free tenants through the Azure portal
Type: Changed feature
Ser vice categor y: Reporting
Product capability: Monitoring & Reporting
Starting now, customers who have free tenants can access the Azure AD sign-in logs from the Azure portal for up
to 7 days. Previously, sign-in logs were available only for customers with Azure Active Directory Premium licenses.
With this change, all tenants can access these logs through the portal.
NOTE
Customers still need a premium license (Azure Active Directory Premium P1 or P2) to access the sign-in logs through
Microsoft Graph API and Azure Monitor.
Deprecation of Directory-wide groups option from Groups General Settings on Azure portal
Type: Deprecated
Ser vice categor y: Group Management
Product capability: Collaboration
To provide a more flexible way for customers to create directory-wide groups that best meet their needs, we've
replaced the Director y-wide Groups option from the Groups > General settings in the Azure portal with a link
to dynamic group documentation. We've improved our documentation to include more instructions so
administrators can create all-user groups that include or exclude guest users.