Learn how to join Windows 11 to Azure AD & Intune

Video Statistics and Information

Captions
This time I take a look at joining Windows devices to Azure Active Directory, and there are three different scenarios that we're going to look at: joining Azure AD, joining Azure AD with Intune, and we're also going to talk about the pros and cons of hybrid Azure AD. So if you're ready to learn, let's get started.

Hi everyone, welcome back to the channel. So nice to see all of you. I hope you're all having a nice summer holiday and that you're not getting too hot in this crazy heat this week. You know, I get a lot of questions on Intune and Windows deployment and so on, and I thought this time around I would really like to talk about Azure AD, and specifically joining Windows devices to Azure AD. So whether you're a small business or a large business, there are basically a number of different options. You can do an Azure AD join: this is where you join just Azure Active Directory and you're not using a mobile device management piece of software like Intune, so we're going to talk about what you can do. The primary benefit of that is it provides your users with single sign-on. Now if you're a Microsoft 365 admin you do get some basic mobile device management tools, for example if you've got business accounts and things like that, but you don't get the full suite of tools. The second scenario is actually doing it but with Intune, so what are the benefits that Intune provides for you? And then the third option, which amazes me how many people still use, is hybrid Azure Active Directory join. With hybrid Azure AD join, specifically, one of the main benefits is that we can still do that, although you can't manage it in Intune, because remember, hybrid has authority from your on-premises domain, so when you're on premises it's managed by Group Policy or System Center Configuration Manager. But the one cool thing that you can do is deploy things like Conditional Access policies, which we're going to take a look at. So definitely stick around, because I've got three really good demos, and then at the end of the session of course it's this week's question time, so if you've posted a question this week it could be your question that's going to feature. Now if you've not subscribed, we love subscribers, so hit that subscribe button, ring the bell, and of course you won't miss out on any of the good stuff in the future. And if you have questions or comments, not just about this or any of my other sessions, then please feel free to ping me a message and I will do my best for you. All right, so I think without any further ado it's about time we got in tune with Intune and joining things like Azure Active Directory devices. Let's take a look.

So for the first of my three demos I want to walk you through joining Azure Active Directory without the use of Intune. Here I am in Azure Active Directory. I'm going to go into Devices, and here in Devices I'm going to go up to Device settings and just wait for this to come through a moment. OK, so in here it says "Users may join devices to Azure Active Directory" and you can see it's set to All, and also, do you want to use multi-factor authentication? For the purpose of this demo I'm not going to bother with that. You'll also notice at the bottom it says how many devices you want the user to use, for example 50. I'm just going to keep that at 20, otherwise it could potentially be problematic. You can also add in additional local admins as well. So what I'm going to do is click on Add assignment, and I've actually got a user here called Alan and he's going to be an additional local admin. So just bring him in, click on that, and then Add. Perfect, Alan is now a local admin. So now that I've checked those device settings, users can join their machines to Azure Active Directory. What we want to do now is go to Windows 11 and join this machine.

So now I'm just going to flip over to this Windows 11 machine and sign in as an admin, and we're going to join this machine to our Azure Active Directory. The first thing we do is go into Settings, and in Settings I want to click on Accounts. When we click on Accounts you basically have three options. If I scroll right down to the bottom it says, do you want to add access to a school or workplace account? I'm going to say yep, that's cool, and click on Connect here, and you've basically got three options. You've got a login screen where you can just add an email address, which is basically registering an account, whereas with the other two you can see that you can join Azure Active Directory or you can join a Windows domain. So I'm going to log in here as Joni Sherman, pop a password in, and click on Sign in. Now remember, in this case I'm not using any kind of Intune, I'm purely using Azure Active Directory. So again, if you're a small business and you're not using Intune you do get some functionality with mobile device management, but you don't get a full rich set of features.

The key thing is what this does give you once I've connected. So I'm on this workstation, I'm going to log off and then log back on as Joni. One of the benefits that logging on to Azure AD definitely gives you, first of all from a security standpoint, is things like Conditional Access, so you can apply Conditional Access policies, and you can also extend it into Intune later on, so if you want to manage it later you can of course do that. There are a number of limitations, and you'll see that in a second. So now that I've gone back in, I'm just going to pop back into my Settings again and go into my user accounts, and this time you'll actually see that Joni is logged in here; this is her connection. So I'm just going to click on Accounts and you can see that her details have come through. Now the really big benefit for Joni here, by the way, is that if she gets disconnected, one thing you can do is go into this area here and re-sync the connection. So if there are any changes to her settings you can do that remotely in Intune, or a user can do that by just going into that area here. Now do remember that you can only be connected to either Azure Active Directory or Active Directory, and essentially this machine has authority to manage the computer account. And another big benefit is of course that if I go straight into Office it doesn't prompt me to log in, so there are no login details required here at all. Straight in, I get access to all my resources, which is perfect, and that's going to save an awful lot of time. So that is 100% pure single sign-on, and that is absolutely fantastic.

Now that we've done that, I'm going to go back in as my admin account and back into Azure, because I just want to mention a couple of drawbacks. So here in Azure Active Directory I'm going to come back into Devices and All devices, and you'll see here that we've got the workstation that's joined. It's a Windows device, it looks good, you've got the user's name here, and you can see it's not managed by an MDM. That means you've got no menu items here, so you can't go in and actually manage it, and you can see that if I go into the properties of the device most things are just greyed out, and you'll notice that the Manage option at the top wasn't available.

So how does that compare with the likes of Intune? If I'm using Intune, I'm just going to flip over to this other workstation now and log on with a different user account this time. Same process, but this time I've enabled Intune authentication because I've switched it on via the mobile device management console. So I'm going to log in as Aaron, and this time Aaron has been allowed to register or join Azure Active Directory as an authenticated user. So again, do remember the difference: you can't have both, it's one or the other. I'm going to come in this time as Aaron, click on Next, pop in his password, and click on Join. It just takes a couple of moments, and you can see it looks pretty good, we're all connected. So very, very similar, in fact almost an identical experience to Joni's. Again I'm going to click into the Start menu, log out very quickly, sign out and sign back in again, and this time I'm going to come in as Aaron and pop in his password. Click OK, and there we go. Again, full benefits: you've got single sign-on, you've got all of those features that I just showed you. This time, however, because the user has got an E5 Enterprise Mobility and Security and an E5 license, you've also got Intune. Again the user can go straight into the 365 portal and doesn't need to log on, so it looks almost identical. This is perfect.

So how does it compare then with just the Azure Active Directory experience? The user can log in just the same, but how does the actual management compare with just the Azure Active Directory experience? What I want to do is flip back over to my server, log in here, and go back into Azure Active Directory. You'll see the differences right away. If I click onto Devices and then All devices, you'll see that the machines come in, but look at the difference: it says Azure AD joined, and you can see the MDM says Microsoft Intune. So this machine is now fully managed in Microsoft Intune, and this means that I can go in here and see all the properties of the device, it can join an administrative group if I wanted it to, it can join a role, and I can click on Manage, and this is the real difference. I can now manage this device: I can see its properties, I can see what applications are on the device, I can reset the device, I can sync the device (I just mentioned that a moment ago, so I can sync it if there are any changes to policies or anything like that), and you can also do things like, if you've got Defender, anti-virus scans, you can do a remote desktop session to it, you can enable BitLocker key rotation and so on. So it gives you so much more flexibility. And I can see discovered apps, settings, device diagnostics, all kinds of stuff on there. So really, really nice; it shows me how it's enrolled. So that's two of the three options: Azure AD joined.

Now if I just pop again into Endpoint Manager. Endpoint Manager of course is comprised of a couple of products, one of them being Intune, and Intune manages all your devices and your apps. You can see here, if I click onto Windows, I have now got my workstation and you can see that it's managed in Intune, and I can now go and say, hey, maybe I want to create a compliance profile or a configuration profile, or deploy a script to this. If you've not seen my other videos on Intune then I do cover some of that content in there, by the way. And you can also go into Endpoint security, where you can manage the firewall, manage updates on the machine and so on.

So for my third and final option, what about those of you who have got Active Directory on premises and you've got devices? You can see here I've got an organizational unit called Seattle Clients and I've got some clients in here. So how do we get these into Intune? Now as I mentioned, one of the things you need to think about is who's got authority over these machines, and we know that Active Directory has authority here. So to switch this on it's a two-step process: you need to enable it in two places, one is Group Policy and the other one is Azure AD Connect. I'm going to go into Group Policy, into Computer Configuration, then Policies, then Administrative Templates, then Windows Components, and in Windows Components just down at the bottom you've got Device Registration. I'm going to click into here, and it says enable devices to join as devices, allowing Windows computers to join as devices in Azure. What this does is create a hybrid Azure AD joined device. Now I'm just going to do a quick gpupdate /force on that Group Policy setting. So that's the first of my two places. Just click on that and wait for it to complete. Yeah, that's it, I'm just going to close that down. Right, so now that we've done that, the second place where we need to manage this is Azure AD.

So I'm going to pop into Azure AD Connect, click on Configure, and go into Configure device options. With the device options you've essentially got three choices. I'm just going to log in. So do you want to do a hybrid Azure AD join, do you want to configure device writeback, or disable it? You can only have one or the other, so I'm going to do hybrid, and I'm saying it's a Windows 10 device or later; you can also do Windows 8 devices with that option there as well. I'm going to say it's contoso and it's authenticating via Azure Active Directory, and you need to add in an enterprise admin from on-premises, so I'm putting in my contoso administrator. There is a script there in PowerShell, by the way, that will do it for you. So I'm going to click on Next and it now says Ready to configure. After a few moments that will go off, and once it's complete we'll be done. Just give that a moment. OK, cool.

Now that we've done that, it does take a little bit of time to synchronize, so you may just have to wait a little bit; I recorded this on video just to save time, basically. I'm going to go into Devices, then All devices, and refresh this page, and you can see it's not come through yet. Just give it a few minutes, refresh the page, and eventually it will appear. For me it took about 20 minutes for all these machines to come through, by the way, so just a couple of retries and eventually it does come through. OK, so here the devices have come through and you can see that these are now Azure AD joined. Again, it doesn't tell you the name of the user who's logged on, and you do have very limited management of these devices, because Active Directory has authority. So if you want to manage these devices you can still do it through Group Policy. You'll notice I can't manage them in Intune, there's no MDM here, so that means you would use Group Policy or System Center Configuration Manager to do all of that configuration.

Now the one benefit is that you can do things like Conditional Access, which is kind of cool. So if you want to configure things like MFA, or multi-factor authentication, or restrict access to any browser apps and things like that, then Conditional Access would definitely be the way to go. So just before I create my Conditional Access policy, I'm going to create a new group, and for this group, for my devices, I'm going to create a new security group. So I'm going to click on New group, and like I said it's going to contain devices, so you're going to want to click on Security. I'm going to call this group Seattle Clients, and I can assign an owner if I want to, so I'll just go ahead and click on that. I'm going to make it a dynamic device group, and I'm going to add in a rule. Now, all of my Seattle machines have got one thing in common: they all start with SEA. So I'm going to choose a dynamic rule, and for this I'm going to say the device display name contains, and as I said all of my devices have got this in common, SEA for Seattle. I'm just going to go ahead and add that in, and wait for that to come in. Yep, there we go. So I'm saying the display name contains SEA, and of course I've got two organizational units, I've got Seattle Clients and I've got an OU called Seattle Service, so that will bring those devices in as well.

So now that I've done that, I'm going to go ahead and create my Conditional Access policy. For this I'm going to click into the Security blade and go into Conditional Access. Again, this is just purely for demo, by the way; if you've not seen my Conditional Access videos, I did a couple, in fact I've done more than a couple, they're on my channel, go ahead and check them out. So I'm going to call this my Seattle CA, for Conditional Access policy. You can assign it to, of course, users and groups, and in this case I'm going to assign it to some groups. You can do it for all users and groups or just specific groups, so I'm going to do it for specific groups, and I'm going to type in SEA, and of course there's my group, so I'm going to bring in my Seattle Clients. Now again, you could make this Conditional Access policy as complex or as simple as you want. You can say if they're using all cloud apps or just selected apps; for the purpose of this demo I could say, let's say, Microsoft Teams. So if the Seattle clients have got Microsoft Teams on them, I could then say OK, they have to meet these conditions. You might put a user risk level, you might put device platforms, so obviously these are, let's say, Windows devices, so you might say if it's Teams running on a Windows machine or on a Mac or an iPhone or something like that. You can also say specific locations, so for example if you've got a company branch office then you don't need to do multi-factor authentication. Also, am I going to allow browser apps and installed apps? Yes, but the one thing you might not want is legacy clients, because that can potentially cause problems and allow users to bypass MFA, which you don't want. So in this case I'm just saying, actually, I want all my machines to be Azure AD joined, so all of those Seattle clients will now be picked up by my Conditional Access policy. And of course I can go in and test that; I can say, do I want to control the session in any way? In this case I'm quite happy. So you can test it before you roll that out, and that, my friends, is Conditional Access. So there you have it: hybrid Azure AD join along with Azure AD joining and the many ways of doing it. I hope you enjoyed it. Right now it's time for question time.

Right, so this week's question time: I actually had a really interesting question which really made me think this week. I want this channel to be as inclusive as possible, and Rod messaged me and he says, "I'm grateful for the video, but I'm glad you didn't talk to the camera much." So, you know, I don't talk to the camera when I do my videos. He's going deaf with a bad case of tinnitus, and I feel for you; I have a number of members of my family that have got that, Rod, so I do feel for you. He's learning to read lips and so on, and do remember that YouTube automatically subtitles all of these videos as well, and also I've got a number of subtitle editors who are working with me, so for various areas of the world you may find that subtitles are available. But thanks for the question, and I really did think about that one. OK, so that's it for this week. Thanks so much for joining me. If you've not subscribed, hit that subscribe button, ring the bell, and of course you won't miss out on the good stuff in the future, and please bump the like button, it really does make a difference. All right, enjoy your week and I'll see you soon. Stay safe. Hey, thanks so much for dropping by today. Here's a couple of videos that you may enjoy, and while you're here go ahead and click on the subscribe button and you won't miss out.
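The three device states compared in the video (Azure AD joined without an MDM, Azure AD joined and enrolled in Intune, hybrid Azure AD joined under on-premises authority) can be verified from the device itself with the built-in `dsregcmd /status` tool. The script below is an added example, not code from the video or from Microsoft: it parses the `Key : Value` lines that `dsregcmd` prints, classifies the join scenario, and reports whether an MDM enrollment URL is present (empty in the first demo, populated once Intune manages the device). The `Get-JoinState` function name and the sample `dsregcmd` text embedded for offline testing are constructed for this example; the field names `AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, `DeviceId`, `TenantName` and `MdmUrl` are ones `dsregcmd` emits, and the tenant, device ID and MDM URL values in the sample are placeholders.

```powershell
# Added example (not from the video): classify a Windows device's join state
# from 'dsregcmd /status' output. Run on the device as any user; no admin needed.

function Get-JoinState {
    param(
        [Parameter(Mandatory)]
        [string[]] $Lines   # lines of 'dsregcmd /status' output
    )

    # dsregcmd prints "Key : Value" pairs inside boxed sections; collect the pairs.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aad    = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'
    $mdmUrl = $fields['MdmUrl']

    # Hybrid = Azure AD joined AND domain joined (AD keeps authority, as in demo 3);
    # Azure AD joined alone covers demos 1 and 2; "registered" is the email-only option.
    $scenario = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
                elseif ($aad)           { 'Azure AD joined' }
                elseif ($wpj)           { 'Azure AD registered' }
                elseif ($domain)        { 'On-premises domain joined only' }
                else                    { 'Not joined' }

    [pscustomobject]@{
        Scenario    = $scenario
        # No MdmUrl means no Intune enrollment: the "not managed by an MDM" case.
        MdmEnrolled = -not [string]::IsNullOrWhiteSpace($mdmUrl)
        MdmUrl      = $mdmUrl
        DeviceId    = $fields['DeviceId']
        TenantName  = $fields['TenantName']
    }
}

# Constructed sample (placeholder values) shaped like the output of an
# Azure AD joined, Intune-enrolled device, i.e. the second demo.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                    MdmUrl : https://mdm.example.test/enrollmentserver/discovery.svc
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

# Offline run against the constructed sample:
Get-JoinState -Lines $sample | Format-List

# On a real machine, feed the live tool output instead:
# Get-JoinState -Lines (dsregcmd /status)
```

For the constructed sample the function returns `Scenario = Azure AD joined` and `MdmEnrolled = True`; a device from the hybrid demo would show `DomainJoined : YES` alongside `AzureAdJoined : YES` and, with no MDM, an empty `MdmUrl`. Running this as part of a compliance or inventory script gives a quick cross-check that what the Azure portal's device list shows under "Join type" and "MDM" matches the state the endpoint itself reports.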
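The dynamic device group created in the portal for the Conditional Access demo (display name contains "SEA") can be created and verified from PowerShell so the membership rule is reviewable before a policy depends on it. This is an added example using the Microsoft Graph PowerShell SDK, not code from the video; it assumes the `Microsoft.Graph.Groups` module is installed and that the signed-in account is permitted to create groups. The group name and the "SEA" naming prefix are taken from the video; the description text and mail nickname are this example's own choices.

```powershell
# Added example (not from the video): create the "Seattle Clients" dynamic
# device group via Microsoft Graph PowerShell and read its rule back.

Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Same condition the video sets in the portal: device display name contains "SEA".
# Kept as a constant so the rule can be reviewed before anything is created.
$rule = '(device.displayName -contains "SEA")'

$group = New-MgGroup -DisplayName 'Seattle Clients' `
    -Description 'Dynamic device group for Seattle clients (video demo)' `
    -MailEnabled:$false -MailNickname 'seattleclients' -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read it back: confirm the rule is stored and processing is On before a
# Conditional Access policy targets this group.
Get-MgGroup -GroupId $group.Id `
    -Property 'id,displayName,membershipRule,membershipRuleProcessingState' |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState

# Membership is evaluated asynchronously (the video waited for the portal to
# catch up); list the resolved devices once processing has run.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

The read-back step matters because a rule with a typo, or one left with processing state Off, produces an empty group, and a Conditional Access policy scoped to an empty group silently applies to nobody. As the video notes, "contains SEA" also picks up the Seattle Service OU, so reviewing the resolved member list is the way to confirm the group covers exactly the devices the policy is meant to cover.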
Info
Channel: Andy Malone MVP
Views: 32,142
Keywords: How to join a windows 11 to intune, How to deploy a windows 10 device to intune, Manage devices in Azure AD, Azure AD Join, Hybrid Azure AD Join, Microsoft Endpoint Manager, Microsoft Intune, Andy Malone MVP, MVPBuzz, windows 11, intune ios app deployment, intune app protection, device enrollment account restrictions
Id: hzlISDO51-Q
Length: 27min 53sec (1673 seconds)
Published: Tue Jul 19 2022