Jargon Busting: Azure AD Join, MDM Enrolment & Add Account

The terms used to describe MDM and cloud account sign-in and management have changed over time from the original terms used in Windows 8. This post's purpose is to give you the low-down on the options available to you in Windows 10, Version 1511 and onwards.

They have had many names and functions, but the key point you should take away from this post is that there are only two types of enterprise cloud identity (Azure AD) you need to consider in Windows 10, and either can trigger MDM enrolment to occur if you wish. So we’ve had many names, but we’re actually only talking about three things: Azure AD Join, Work or School Accounts, and Device Management (MDM).

A simple representation of this is as follows:

[Figure: diagram of the three concepts, Azure AD Join, Work or School Accounts, and Device Management (MDM); image not included in this copy of the post]

We’ve had many names for these things in older versions of Windows 10, and in Windows 8:

  • Device Enrolment
  • Device Registration
  • MDM management
  • Workplace Join
  • and many more…

Forget everything you’ve heard before. There are just two ways to use an AAD account:

  • Azure Active Directory Join (AADJ) – Where the device is joined to Azure AD instead of your on-premises Windows Server AD, the way you typically would join a device. This allows the user to sign in with their corporate (Azure AD) credentials at the sign-in screen as their Primary Account. You can't AADJ and traditionally AD join at the same time.
  • Add Work or School Account ("Add Account") – Which adds an additional account (a Secondary Account) to the user's login that facilitates single sign-on (SSO) even when the user is logged on with some other account as their primary account (e.g. a local account, Microsoft Account, etc.). You can be traditionally AD joined and still use the Add Account functionality.

There is also just one Mobile Device Management (MDM) type you need to worry about, which is MDM Enrolment. The term ‘enrol’ or ‘enrolment’ is used to imply MDM.

Finally, you can either use the ways above to add an AAD account and automatically enrol in an MDM (using the Enrolment URL capabilities of Azure AD), or you can just manually enrol in MDM and add or use no corporate identity (except for enrolling in MDM, of course).
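To tell which of the three states a given Windows 10 device is actually in, the `dsregcmd /status` output is the quickest check. The script below is an added example written for this post, not code from the original article or from Microsoft; it parses that output into the post's three categories (Azure AD Join, Add Work or School Account, MDM enrolment). It assumes the field names `AzureAdJoined`, `DomainJoined`, `WorkplaceJoined` and `MdmUrl` as they appear in `dsregcmd /status`, and the sample output at the bottom is constructed (sections abbreviated, placeholder enrolment URL) so the function can be exercised offline.

```powershell
# Added example (not part of the original post): classify a Windows 10 device
# into the states the post describes by parsing 'dsregcmd /status'.
# Assumption: field names AzureAdJoined, DomainJoined, WorkplaceJoined and
# MdmUrl follow the dsregcmd /status output format; confirm on your build.

function Get-DeviceIdentityState {
    param(
        # Raw lines of 'dsregcmd /status'. Defaults to running the tool locally.
        [string[]]$StatusText = (& dsregcmd /status)
    )

    # Collect 'Name : Value' lines into a hashtable; section banners have no
    # colon after a single token and so are skipped by the regex.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $aadj      = $fields['AzureAdJoined']   -eq 'YES'   # Azure AD Join (primary account)
    $domain    = $fields['DomainJoined']    -eq 'YES'   # traditional Windows Server AD join
    $workplace = $fields['WorkplaceJoined'] -eq 'YES'   # Add Work or School Account (secondary)
    $mdmUrl    = $fields['MdmUrl']                      # non-empty when MDM enrolled

    $summary = if ($aadj) {
        'Azure AD Join (corporate identity is the primary account)'
    } elseif ($workplace) {
        'Add Work or School Account (corporate identity is a secondary account)'
    } else {
        'No Azure AD identity present'
    }

    [pscustomobject]@{
        AzureADJoined     = $aadj
        DomainJoined      = $domain
        AddAccountPresent = $workplace
        MdmEnrolled       = -not [string]::IsNullOrWhiteSpace($mdmUrl)
        MdmUrl            = $mdmUrl
        Summary           = $summary
    }
}

# Constructed sample output (abbreviated; placeholder URL) for offline use.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
                    MdmUrl : https://enrollment.example.invalid/discovery.svc
'@ -split "`r?`n"

# Traditionally AD-joined machine with an added Work or School Account and MDM enrolment.
Get-DeviceIdentityState -StatusText $sample | Format-List

# On a real device, just call it with no arguments:
# Get-DeviceIdentityState | Format-List
```

Run as the signed-in user, since the User State section (where `WorkplaceJoined` lives) reflects that user's added accounts rather than the device as a whole.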

When should I use one versus the other?

One common question after covering the above is where each is intended to be used. With some exceptions depending on your organization’s needs, the identity options are geared as follows:

  • Azure AD Join (AADJ) is primarily designed for corporate-owned devices. Since you’ll be primarily signing in with a corporate identity, it’s not as suitable for personally-owned devices.
  • Add a Work or School Account is intended for all (other) use cases, so that corporate credentials can be added to the logged on user’s account, regardless of what they are logged on with – for example the user may be logged on with their Microsoft Account, but they may wish to add their corporate or school account as a secondary account.

I hope this has helped you better understand the options available in Windows 10!