Identity and access management are two of the most critical facets of your organization’s productivity and security.
Active Directory is the predominant enterprise identity solution in use around the globe – currently more than 95% of the world’s organizations use Active Directory as their authoritative source for identity and access management. The growth of Azure Active Directory use is simply stunning: AAD currently services more than 5B authentications each week from more than 5M unique organizations and more than 450M identities stored in AAD!
Identity will play a much more important role than ever before in this mobile-first, cloud first world. Think about it for a minute: When we talk about mobility we are really talking about mobility of humans and the human experience – not just the device. This all centers around identity.
Windows 10 fully supports and is fully aware of identity in the cloud (Azure Active Directory). Doing this makes a lot of sense; users want to be productive on all their devices and they want their work environment to be available and consistent on and delivered to all of their devices. We are doing this through the cloud and specifically through Azure Active Directory (Azure AD). Enterprises will generally run in a hybrid model with both AD and AAD, using on-prem AD as they have in the past and enhancing that value with new value from the cloud.
Think about the steps you currently go through today when provisioning a Windows 8 device: One of the very first things you do is input your Microsoft Security Account (MSA), and, having done that, your profile is then shared across all your Windows 8 devices – associated with your MSA. I love this! I love that my background, tiles, passwords, wi-fi configurations, files, etc. all roam and are all consistent across all my devices. With Windows 10, we are introducing the ability to have personal profile items roam across your MSA, and, separately, have your corporate profile items roam with your Azure Active Directory (AAD) account. This is all enabled within the same login session on Windows 10. This is a huge step forward from Windows 8. Windows 10 will be unique in having this be a native part of the OS when compared to other operating systems.
Separation & Roaming
As an industry, we talk a lot about the need to separate personal and corporate things – and a lot of this conversation comes down to containers and MAM. Windows 10 has taken the concept of a device being dual-use (i.e. used in an individual’s personal life and work life) and made it so that these devices can separate personal and work things, as well as identify which things should be roaming across your personal account and which things should roam across your corporate account. This is no simple feat – this work that has been done in the core of the Windows operating system.
Over the past couple months, Alex Simons, the Director of Program Management for Microsoft’s Identity and Security Services Division, has been writing about the functionality that’s ready to use in Azure Active Directory (Azure AD) to manage, join, and maintain Windows 10 devices. I can’t recommend these posts highly enough.
As you think about Windows 10 and Enterprise Mobility for your users on all of their device (plus the cloud, plus cloud services), identity and specifically cloud identity will be a big part of your solution.
First and foremost, it’s worth reiterating Alex’s point about the major pieces of Windows 10 that are supported by Azure AD:
- Self-provisioning of corporate-owned devices.
With Windows 10, employees can configure a brand new device in the out-of-box experience, without IT involvement.
- Use existing organizational accounts.
Employees can use their Azure AD account to login to Windows (the same account they use to sign into Office 365). These can be (and should be) kept in-sync with your on-premises AD accounts.
- Automatic MDM enrollment.
Windows 10 PC’s and tablets can be automatically enrolled in an organizations device management solution as part of joining them to Azure AD. This will work with Enterprise Mobility Management (EMM) solutions such as Microsoft Intune.
- Single Sign-On to company resources in the cloud.
Users will get single sign-on from the Windows desktop to apps and resources in the cloud, such as Office 365 and thousands of business applications that rely on Azure AD for authentication.
- Single Sign-on on-premises: Windows 10 PC’s and tablets that are joined to Azure AD will also provide SSO to on-premises resources when connect to the corporate network and from anywhere with the Azure AD Application Proxy.
- Enterprise-ready Windows store.
The Windows Store when it is available will support app acquisition and licensing with Azure AD accounts. Organizations will be able to volume-license apps and make them available to the users in their organization. This is then surfaced up in the Intune Company Portal.
- Support for modern form factors.
Azure AD Join will work on devices that don’t have the traditional domain join capabilities.
- OS State roaming.
Things like OS settings, desktop wall paper, tile configuration, and websites will be synchronized across corporate-owned Azure AD joined devices
In that same post there is also a great overview (with plenty of screenshots) of how to join a Windows 10 device Azure AD right out of the box.
BYO Identity Management
Alex’s series also looks at a topic of huge importance to anyone managing BYO devices. Recently I wrote about the awesome new identity management innovations we’ve added to System Center Configuration Manager (ConfigMgr) and the EMS, and Alex has some additional insights about how to manage Windows 10 on devices with personal content.
Windows has traditionally had great support for using multiple isolated user profiles (“NT users”) on a PC. You could log off and login as a different user or use fast user switching to quickly move between profiles. This will work in Windows 10 just as it did in Windows 8.
But Windows 10 takes this one step further and allows you to connect your device to both your personal and your enterprise clouds, within the same login session. With Windows 10, you can add your personal account to a corporate-owned device (joined to a traditional Windows domain or joined to Azure AD), or add your work account to a personal device (to which you signed in with your personal Microsoft account).
This same post also has a detailed overview (including screenshots) of how to add an Azure AD account to a personally-owned device
As noted in my earlier post on this topic, the concept of enabling multiple users on a device (and, specifically, multiple user identities within the same login session) is something we have heard that you want on all your devices. This request has come up most often from customers that have been using the Office mobile apps on iOS and Android.
Alex’s series also goes deep on the benefits, process, and management of devices which are joined to Azure AD. This post resolves a lot of common confusion about OS deployment and management:
The first question customers ask about Azure AD join is “How is this different from domain join?” Domain join gets you the best on-premises experiences on devices capable of domain joining, while Azure AD join is optimized for users that primarily access cloud resources. Azure AD Join is also great if you want to manage devices from the cloud with a MDM instead of with Group Policy and ConfigMgr.
This overview also explores how to effectively execute an OS deployment in three of the most common deployment scenarios:
- Your apps and resources are largely in the cloud
- Seasonal workers and students
- Choose your own device for on-premises users
The step-by-step setup tutorial is very helpful.
The Ease of Enrollment
I’ve written before about how by joining a Windows 10 device to Azure AD it is extremely easy for end users to get the benefits of single sign-on, OS state roaming, and more (see the first post from Alex linked above).
Another new (and incredibly powerful) part of joining Azure AD is the ability to automatically enroll the device in Microsoft Intune. From my customer visits I’ve learned that device enrollment is the single largest challenge organizations have in bringing mobile devices under management. Microsoft has worked hard to dramatically simplify this process, and there is some great work that we have done in this area around Azure AD join.
Imagine how this can work for you: Through the power and simplicity of a highly secure Azure AD account, users can immediately get access to corporate resources and the applications they need to be productive, while IT can be assured that those devices are secured for access (via Azure AD) and policy (via Intune) from the first minute of business life. Customers can also optionally choose to upgrade from Pro to Enterprise by simply passing a key through Intune. This means easily adding additional management (as afforded by the Enterprise SKU) simply by passing this key – there isn’t even a need to reimage!
Ultimately IT teams are going to have two great management options: Azure AD Join + Microsoft Intune (Cloud only) or Domain Join + Group Policy + System Center Configuration Manager + Intune (on-premises + Cloud).
In Windows 10, the inbox management agent has been greatly enhanced to cover a myriad of new policy settings, but it will be a subset of what on-premises AD Group Policy provides today.
I really like the approach Windows 10 took to smartly implement key policy settings via the inbox agent – and I also think that, for most customers, it won’t be an all-or-nothing decision. Instead, I expect it to be a choice based on company-specific elements like the department, the specific job function, and other criteria.
Further Proof that Architecture Matters
Another of Alex’s posts that really outlines the Microsoft vision for how Windows 10 will positively impact the way you do business is his comment that, “Identity is the new control plane.”
This perspective – and the architecture behind it – has a huge impact on Enterprise Mobility:
- When a user joins their Windows 10 device to Azure AD, it will be automatically enrolled for MDM (based on corporate policy). Adios MDM enrollment hassles!
- IT now has an end-to-end solution for securing their enterprise resources using policy-based access controls that are based on:
- Application sensitivity
- Device health and compliance state
- User profile/attributes/group membership
- Authentication strength
- Access location
- Users now have the ability to access both cloud apps and on-premises apps – and it’s all controlled by the same set of policies and protections.
- All of this is cloud-based: No new servers to buy, no network gear to install, no VPN to support. You can have (literally!) the entire solution up and running in a few hours.
This type of power and flexibility is unique to Microsoft.
To learn more about the simple enrollment process, check out this detailed overview.
To read more visit aka.ms/DeployWin10.