Enterprise Mobility and Security Blog

Howdy folks,

Today’s blog post is an exciting one – we’re going to be covering the Azure AD support that will come built into Windows 10! There’s a lot to cover and we’ve planned a series of engineering posts that will run for the next few weeks.

To get started, let’s talk about some of the major capabilities in Windows 10 that will be powered by Azure AD:

  • Self-provisioning of corporate-owned devices. With Windows 10, employees can configure a brand new device in the out-of-box experience, without IT involvement.
  • Use existing organizational accounts. Employees can use their Azure AD account to log in to Windows (the same account they use to sign in to Office 365).
  • Automatic MDM enrollment. Windows 10 PCs and tablets can be automatically enrolled in an organization's device management solution as part of joining them to Azure AD. This will work with Microsoft Intune and with third-party MDMs.
  • Single sign-on to company resources in the cloud. Users will get single sign-on from the Windows desktop to apps and resources in the cloud, such as Office 365 and the thousands of business applications that rely on Azure AD for authentication.
  • Single sign-on on-premises. Windows 10 PCs and tablets that are joined to Azure AD will also provide SSO to on-premises resources when connected to the corporate network, and from anywhere through the Azure AD Application Proxy.
  • Enterprise-ready Windows Store. The Windows Store will support app acquisition and licensing with Azure AD accounts. Organizations will be able to volume-license apps and make them available to the users in their organization.
  • Support for modern form factors. Azure AD Join will work on devices that don't have the traditional domain join capabilities.
  • OS state roaming. Things like OS settings, desktop wallpaper, tile configuration, websites and Wi-Fi passwords will be synchronized across corporate-owned Azure AD joined devices.

We'll dive into the details of each of these as part of this series of blog posts. Please note that some of the capabilities we're going to blog about here are still being developed and will probably show up in Windows 10 in the fall rather than in the first release this summer.

So let's get started! This first post is written by Ariel Gordon, a Principal Program Manager on my team. Ariel is going to walk you through the experience of setting up your Azure AD joined Windows 10 PC/laptop/tablet.

I hope you’ll be excited about these new capabilities. Based on feedback from customers in our early previews, we think they are going to be very popular.

And as always, we’d love to receive any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Services Division

————

Hi everyone,

I’m Ariel Gordon, the PM responsible for the Azure AD sign-in and sign-up experience. I’m really excited to be the first person at Microsoft to blog about how we’re bringing together Windows 10 and Azure Active Directory. As Alex explained in his introduction, this combination will greatly simplify the deployment and management of Windows as well as provide seamless access to organizational apps and resources in the cloud and on-premises.

The key to this is Azure AD Join, a new Windows 10 feature for configuring and deploying corporate-owned Windows devices. Like traditional Domain Join, Azure AD Join registers devices in the directory so that they are visible to and can be managed by the organization. But with Azure AD Join, Windows authenticates directly to Azure AD; no Domain Controller is needed (unless you want to use one, of course).

Most importantly, Azure AD Join brings significant flexibility and cost savings to the deployment process. End users will be able to join a device to Azure AD automatically during the initial startup experience, which registers the device in the organization's directory and enrolls it in the organization's Mobile Device Management (MDM) solution.

Joining a device to Azure AD in the out-of-box experience

In Windows 10, end users can join their device to Azure AD in the out-of-box experience (OOBE). This allows organizations to distribute shrink-wrapped devices to their employees or students with no need to image or Sysprep them ahead of time. (Note: we'll also support joining a device to Azure AD via Settings or with provisioning packages, for people who are interested in that sort of thing.) So how do you join a Windows 10 PC/laptop/tablet to Azure AD? Let me show you! The experience is pretty cool.

Just like on Windows 8, users start by customizing their region and language, accepting the EULA and getting online:

Then on the versions of Windows targeted at businesses, users will be asked whether this is their personal device or one issued to them by the organization they work for:

Choosing “this device belongs to my organization” starts the Azure AD Join experience.

Employees then enter their Azure AD username:

Azure AD then looks up the tenant that matches the domain of the username the employee entered. If the employee is a cloud-only user, this page will morph to show their organization's custom branding and they will enter their password directly into the page. If the employee is a member of a federated domain, they will be redirected to the organization's on-premises federation server (e.g. AD FS) for authentication.

Based on IT policy, users can also be prompted to provide a second factor of authentication at this point.

Azure AD will then check whether the device should be enrolled in MDM and, if so, prompt the user to agree to the enrollment terms (which customers will be able to modify as needed).

Windows will then register the device in the organization’s directory in Azure AD and enroll it in MDM:

When this is done, Windows will wrap up the setup process.
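The screenshots above show the join from the user's side; what an administrator or security engineer will want once setup wraps up is a way to confirm, on the device, that the join and the automatic MDM enrollment actually took effect and that the device's identity key is protected by the TPM. The script below is an added example written for this post, not code from the original article or from Microsoft. It parses the "Key : Value" lines that `dsregcmd /status` prints on released Windows 10 builds (the field names AzureAdJoined, DeviceId, TenantId, TenantName, MdmUrl, KeyProvider and TpmProtected are taken from that tool's output on current builds; whether the Technical Preview builds discussed here ship dsregcmd is an assumption). The sample output embedded in the script is constructed so the parser can be exercised offline; the GUIDs, thumbprint and tenant name in it are placeholders, not real values.

```powershell
# Added example (not from the original post): verify Azure AD join state after OOBE.
# Assumptions: dsregcmd.exe exists on released Windows 10 builds and prints
# "Key : Value" lines; field names below match that output on current builds.
# The sample block is CONSTRUCTED for offline use; values are placeholders.

$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : CONTOSO-LAPTOP01

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000000
                Thumbprint : 0000000000000000000000000000000000000000
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
                TenantName : Contoso
                  TenantId : 11111111-1111-1111-1111-111111111111
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@

function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd output into a hashtable.
    # Section banners (+---+ / | ... |) contain no "Key :" pair and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $state
}

function Test-AzureAdJoinState {
    # Apply the checks a practitioner cares about after an OOBE join:
    # joined to the expected directory, MDM enrollment recorded, key in the TPM.
    param([Parameter(Mandatory)][hashtable]$State)
    $findings = New-Object System.Collections.Generic.List[string]
    if ($State['AzureAdJoined'] -ne 'YES') {
        $findings.Add('Device is not Azure AD joined')
    }
    if (-not $State['TenantId']) {
        $findings.Add('No TenantId recorded; cannot tell which directory the device belongs to')
    }
    if (-not $State['MdmUrl']) {
        $findings.Add('No MDM URL recorded; automatic MDM enrollment did not happen')
    }
    if ($State['TpmProtected'] -ne 'YES') {
        $findings.Add('Device key is not TPM-protected; the join credential is a software key')
    }
    [pscustomobject]@{
        AzureAdJoined = $State['AzureAdJoined']
        TenantName    = $State['TenantName']
        TenantId      = $State['TenantId']
        DeviceId      = $State['DeviceId']
        MdmUrl        = $State['MdmUrl']
        KeyProvider   = $State['KeyProvider']
        TpmProtected  = $State['TpmProtected']
        Findings      = $findings
        Healthy       = ($findings.Count -eq 0)
    }
}

# Use the live device when dsregcmd is available, otherwise the constructed sample.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    & dsregcmd.exe /status
} else {
    $SampleStatus -split "`r?`n"
}

$result = Test-AzureAdJoinState -State (ConvertFrom-DsregStatus -Lines $lines)
$result | Format-List
if (-not $result.Healthy) { exit 1 }
```

Run it in an elevated PowerShell on the freshly joined device; a non-zero exit code with a populated Findings list is the signal that something in the flow above (the join itself, the MDM enrollment step, or TPM-backed key provisioning) did not complete as expected, which is worth checking before the device is handed to a user.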

What’s next

In the next posts in this series, we’ll share more details about SSO to enterprise resources, deployment considerations, MDM integration, Windows Hello and Passport integration, and more.

We’re looking forward to your feedback on these features. It’s easy to download the Windows 10 Technical Preview or the Windows 10 Enterprise Technical Preview. Use the built-in feedback mechanisms, or feel free to use the space below to ask questions and let us know which other topics you want us to cover. And if you’re a member of the Azure AD Advisors group, please join the conversation on Yammer.

Thanks for your time, and I hope you'll start joining Windows 10 PCs to Azure AD with great abandon!

Regards,

Ariel Gordon (Twitter: @askariel)

Principal PM

Microsoft Identity and Security Services Division