
Configuration and Conditional Access



This course looks at what goes into planning for Azure AD Device Join in Microsoft 365, and what you need to take into consideration when formulating your plans.

Learning Objectives

  • Understand the scenarios that you may encounter during the planning phase
  • Learn how to review identity infrastructures and assess device management
  • Learn about key considerations for applications, resources, and provisioning options
  • Understand the mobility options available and how to configure them

Intended Audience

This course is intended for anyone who wishes to learn about planning for Azure AD Device Join in Microsoft 365.


To get the most out of this course you should have a basic understanding of Azure Active Directory as well as Microsoft 365.


Now that we’ve looked at all the prior steps when planning for Azure AD Join, let’s take a look at the last few steps. In this lesson, we’ll talk about configuring device settings, enterprise state roaming, and conditional access.

The Azure portal is the primary tool that you should be using to control your deployment of Azure AD joined devices. To configure the settings that will impact your Azure AD Join deployment, browse to the Azure Active Directory page. From there, select Devices, and then Device settings.

There are a handful of settings that you are interested in. 

The “Users may join devices to Azure AD” option can be set to All, Selected, or None. As you might expect, setting this to “All” allows all users to join devices to Azure AD, while the “Selected” option allows you to specify who can join devices. The “None” option is self-explanatory. You should set this option in accordance with the scope of your deployment and who you want to allow to set up Azure AD joined devices.

The “Additional local administrators…” option allows you to select users that should be added to the local administrators group on all Azure AD joined devices. If you have a particular user, or users, that should be local admins on all machines, this is where you can make that happen.

Selecting “Yes” for requiring MFA to join devices does what it sounds like it does. It forces users to perform MFA while joining devices to Azure AD.

Mobility settings also need to be configured. But before you can configure mobility settings, you will often have to add an MDM provider first. This is done via the Manage section on the Azure Active Directory page. Once you select your MDM provider, you have to configure the related settings for the provider you choose.

For example, you’ll have to configure your MDM user scope and any necessary MDM URLs.

Enterprise State Roaming is available if you have an Azure AD Premium license, or an Enterprise Mobility + Security license. 

When you enable Enterprise State Roaming, your users can sync their settings across devices. Microsoft recommends enabling this setting even for hybrid Azure AD joined devices.

And then lastly, you can configure conditional access. For example, if there are apps in your environment that should only be accessed by devices that meet your security and compliance standards, you can use conditional access to enforce this.
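
The conditional access scenario described above can also be configured with the Microsoft Graph PowerShell SDK instead of the portal. This added example, which is not part of the course material, creates a report-only policy that requires a compliant device for one application; the application ID, excluded account ID, and policy name are placeholders chosen for illustration.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed and the
# signed-in account holds a role that can manage Conditional Access policies.

# Placeholders (not values from the course): replace before running.
$AppId          = '00000000-0000-0000-0000-000000000000'  # application (client) ID of the app to protect
$ExcludedUserId = '11111111-1111-1111-1111-111111111111'  # object ID of an emergency-access account
$PolicyName     = 'Require compliant device - sample app' # hypothetical policy name

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Do not create a second policy with the same name if the script is re-run.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -eq $PolicyName
if ($existing) {
    Write-Warning "Policy '$PolicyName' already exists (Id: $($existing.Id)); nothing created."
    return
}

$policy = @{
    displayName = $PolicyName
    # Report-only: the policy is evaluated and logged, but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($AppId) }
        users          = @{
            includeUsers = @('All')
            # Keep one account outside the policy so a misconfiguration cannot lock everyone out.
            excludeUsers = @($ExcludedUserId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        # Access is granted only when the MDM provider reports the device as compliant.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

In report-only mode the sign-in logs show what the policy would have done without blocking anyone; change `state` to `enabled` once those results match what you expect.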

And that’s it. Once you configure your device settings, your mobility settings, and any necessary conditional access policies, you are ready to deploy Azure AD device join.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.