Azure AD Join vs Azure AD Device Registration

When introducing folks to Azure Active Directory (Azure AD), Azure AD Premium, and the Enterprise Mobility Suite (EMS), I get a lot of questions about the difference between registering a device with Azure AD and joining a device to Azure AD. Here is a quick review of the differences:

USERS MAY REGISTER THEIR DEVICES WITH AZURE AD

This setting governs Azure AD Device Registration. Azure AD Device Registration is focused on providing single sign-on (SSO) and seamless multi-factor authentication across company cloud applications from personal devices in bring-your-own-device (BYOD) scenarios. Access to on-premises applications is also available through integration with the on-premises Web Application Proxy (WAP) and the AD FS Device Registration Service (DRS), using Azure AD Device Writeback to copy the registered device objects back into on-premises AD. This lets registered devices use the on-premises Workplace Join functionality with on-premises applications. Azure AD Device Registration is supported on Windows, Android, and iOS devices.

Azure AD Device Registration is also supported on AD domain-joined Windows clients, giving them seamless access to cloud applications and fewer logon prompts when off the corporate network.

USERS MAY JOIN DEVICES TO AZURE AD

This setting governs Azure AD Join. Azure AD Join is focused on management of corporate-owned devices for users who primarily use cloud applications. Azure AD Join is an alternative to the AD + Group Policy + System Center management stack for Windows 10 clients: the device is managed through Intune MDM rather than through domain Group Policy. Azure AD Join also makes full use of the device's Azure AD membership, providing the same SSO experience as Azure AD Device Registration and Workplace Join / Add a work account when accessing both cloud and on-premises applications. Azure AD Join is supported only on devices running Windows 10.

Both options integrate well for organizations whose applications and resources are largely in the cloud and that require, or want the option of, conditional access to Office 365 applications with Microsoft Intune. A quick cheat sheet is provided below:

[Image: cheat sheet comparing Azure AD Device Registration and Azure AD Join]

As you can see, Azure AD Join provides Windows 10-exclusive features while also providing the SSO capabilities of Azure AD Device Registration. As stated above, Azure AD Device Registration is also supported on domain-joined PCs. Let's look at all three configurations together:

[Image: comparison of Azure AD Device Registration, Azure AD Join, and Domain Join + Device Registration]

As you can see, both Azure AD Join and the Domain Join + Device Registration configuration give the best of both worlds. Domain Join + Device Registration clients remain managed by on-premises tools (Group Policy, System Center) but take advantage of fewer logon prompts for cloud applications. Azure AD Join provides the same user experience with the added value of choose-your-own-device (CYOD) and Intune MDM support.
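To see which of these three configurations a given Windows 10 client is actually in, the quickest check is `dsregcmd /status`. The script below is an added example (not part of the original post): it parses the `Name : Value` lines that `dsregcmd` prints and maps the `AzureAdJoined`, `DomainJoined`, and `WorkplaceJoined` fields onto the three configurations, and also reports whether an Azure AD Primary Refresh Token (`AzureAdPrt`) is present, since that token is what delivers the reduced-logon SSO described above. The sample status text embedded in the script is constructed for offline testing, not captured from a real machine.

```powershell
# Added example, not part of the original post. Parses the "Name : Value" lines that
# dsregcmd.exe /status prints on Windows 10 and maps them onto the three configurations
# discussed above. Field names (AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt)
# are the ones dsregcmd emits; the text in $SampleStatus is constructed for offline
# testing and was not captured from a real machine.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Field lines look like "      AzureAdJoined : YES"; section banners
        # ("+----", "| Device State |") and blank lines do not match and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinState {
    param([Parameter(Mandatory)][hashtable]$State)

    $azureAdJoined   = $State['AzureAdJoined']   -eq 'YES'
    $domainJoined    = $State['DomainJoined']    -eq 'YES'
    $workplaceJoined = $State['WorkplaceJoined'] -eq 'YES'

    # Order matters: a domain-joined device whose device object also lives in Azure AD
    # reports both AzureAdJoined and DomainJoined as YES.
    $config = if ($azureAdJoined -and $domainJoined) {
        'Domain Joined + Azure AD Device Registration (hybrid)'
    } elseif ($azureAdJoined) {
        'Azure AD Joined (corporate-owned Windows 10, Intune MDM manageable)'
    } elseif ($workplaceJoined) {
        'Azure AD Registered (BYOD Workplace Join / Add a work account)'
    } elseif ($domainJoined) {
        'Domain Joined only (no Azure AD device identity)'
    } else {
        'Not joined or registered'
    }

    [pscustomobject]@{
        Configuration = $config
        # The Primary Refresh Token is what makes the reduced-logon SSO work; NO here
        # means the device identity exists but the user will still be prompted.
        HasPrimaryRefreshToken = ($State['AzureAdPrt'] -eq 'YES')
    }
}

# Constructed sample of dsregcmd /status output for the hybrid case (not a real capture).
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -State (ConvertFrom-DsregStatus -Lines $SampleStatus)

# On a real Windows 10 client, feed the live output instead:
# Get-DeviceJoinState -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

Run it under the signed-in user rather than an elevated admin session when you care about the `AzureAdPrt` value, because the User State and SSO State sections of `dsregcmd /status` describe the account that ran the command, not the machine as a whole.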

If you have any questions, feel free to leave a comment or shoot me a tweet @justwheaties

Thanks,

David
