Planning for Azure AD Device Join

Application and Resource Considerations



This course looks at what goes into planning for Azure AD Device Join in Microsoft 365, and what you need to take into consideration when formulating your plans.

Learning Objectives

  • Understand the scenarios that you may encounter during the planning phase
  • Learn how to review identity infrastructures and assess device management
  • Learn about key considerations for applications, resources, and provisioning options
  • Understand the mobility options available and how to configure them

Intended Audience

This course is intended for anyone who wishes to learn about planning for Azure AD Device Join in Microsoft 365.


To get the most out of this course you should have a basic understanding of Azure Active Directory as well as Microsoft 365.


Welcome back. In this lesson, we’re going to take a look at some key considerations to think about when planning for Azure AD device join. More specifically, we’re going to look at application considerations and resource considerations.

While Microsoft recommends migrating existing on-prem apps to Azure as part of your planning for Azure AD device join, Azure AD joined devices CAN seamlessly provide access to both on-prem apps AND cloud apps. For example, you can configure SSO to facilitate access to on-prem resources from Azure AD joined devices.

Over the next few minutes, I want to talk about key considerations that you have to think about, for different types of applications and resources.

Let’s start with cloud-based apps. What I want to point out here is that when an app is added to the Azure AD app gallery, users can access that app via SSO, through Azure AD joined devices without any type of additional configuration necessary.

Now, while cloud-based apps are easier to deal with, custom built apps, and apps hosted on-prem need to be added to your browser’s trusted sites list in order for Windows integrated authentication to work, and to ensure that your users can take advantage of a no-prompt SSO experience.
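To check the trusted sites requirement on a device, the following added example (not part of the course material) reads the policy-backed "Site to Zone Assignment List" from the registry and reports which zone each on-prem app host is assigned to. The host names are constructed placeholders, and the script assumes the zone assignments are deployed by policy rather than set by hand in the browser.

```powershell
# Added example: audit the Site to Zone Assignment List for on-prem app hosts.
# Host names are constructed placeholders; replace them with your own apps.
$ExpectedHosts = @('intranet.corp.example', 'hr.corp.example')

# Policy-backed zone map: value name = site pattern, value data = zone number (string).
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$ZoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }

function Get-ZoneAssignments {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # policy not deployed in this hive
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Pattern = ($name -replace '^[a-z*]+://', '')   # drop a leading scheme
                Zone    = [string]$item.GetValue($name)
                Source  = $key.Substring(0, 4)                 # HKLM or HKCU
            }
        }
    }
}

function Test-AppHostZone {
    param([string[]]$HostName, [object[]]$Assignments)
    foreach ($h in $HostName) {
        # Policy entries may be wildcards such as *.corp.example, so match with -like.
        $hit = $Assignments | Where-Object { $h -like $_.Pattern } | Select-Object -First 1
        [pscustomobject]@{
            Host           = $h
            Zone           = if ($hit) { $ZoneNames[$hit.Zone] } else { 'not assigned' }
            Source         = if ($hit) { $hit.Source } else { '-' }
            InTrustedSites = [bool]($hit -and $hit.Zone -eq '2')
        }
    }
}

Test-AppHostZone -HostName $ExpectedHosts -Assignments @(Get-ZoneAssignments) |
    Format-Table -AutoSize
```

A host reported as "not assigned" has no matching policy entry in either hive, so users of that app would not get the no-prompt experience described above.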

Microsoft’s recommendation here is that you host your apps in Azure and integrate them with Azure AD, if possible. Doing so typically produces a better end-user experience.

Now, if you have apps hosted on-prem that rely on legacy protocols, SSO is available from Azure AD joined devices as long as those devices have access to a domain controller on-prem. What Microsoft recommends in these cases is that you deploy Azure AD App Proxy. This solution is recommended because it provides secure access for these types of on-prem apps.

As far as on-prem shares and printers go, users can leverage SSO from Azure AD joined devices as long as they have access to an on-prem DC. For on-prem printing, Microsoft recommends deploying Universal Print. What this does is allow you to set up a cloud-based print management solution that has no on-prem dependencies at all.

Now, if you have on-prem apps that rely on machine authentication, that’s an issue. It’s an issue because Azure AD joined devices do not support these kinds of apps. In these cases, Microsoft recommends flat-out retiring the apps and, instead, moving to more modern alternatives.

Other considerations to think about include Remote Desktop Services, RADIUS, and Wi-Fi authentication.

Before you can RDP to an Azure AD joined device, the host machine needs to be either Azure AD joined, or Hybrid Azure AD joined. There is an exception to this rule, however. Starting with the Windows 10 2004 update, you can RDP from an Azure AD registered Windows 10 device to an Azure AD joined device.

As far as RADIUS and Wi-Fi go, Azure AD joined devices, at least at the time of this course's creation, do NOT support RADIUS authentication for connecting to Wi-Fi access points. Instead of using RADIUS, you might consider using certificates that you push via Intune, or maybe even user credentials, to authenticate to Wi-Fi.

So, the key takeaway here is that there are several application considerations to think about, when planning for Azure AD Device Join. There are also several resource considerations that you must look at, as well.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.