Managing Azure Active Directory joined devices with Microsoft Intune

I can’t even count the number of times I’ve talked to customers about a future scenario where they can finally tell their mobile end users: “Here’s a stipend, now go to an electronics store and buy a device for work.” Another variation of that discussion is simply sending a factory-imaged device from your OEM directly to the end user, and then through the power of an AAD account, the device can be business-ready in minutes.

I know what you’re thinking: “When should I consider joining Windows 10 devices to Azure AD?”

The answer is pretty simple: It comes down to choosing between Azure AD join + Microsoft Intune versus AD join + Group Policy + System Center Configuration Manager.

In Windows 10, the inbox management agent has been greatly enhanced to cover a myriad of new policy settings, but it will be a subset of what on-premises AD Group Policy provides today.

I really like the approach Windows 10 took to smartly implement key policy settings via the inbox agent – and we also think that, for most customers, it won’t be an all-or-nothing decision. Instead, I expect it to be a choice based on elements like the department, the specific job function, and other criteria.

Here are a couple of key questions to see if a device is right for Azure AD join or not:

  1. Do you have devices that only run cloud apps or apps being exposed through the AAD App Proxy? If so, Azure AD join is optimized for these types of apps.
  2. Is the Windows 10 MDM/Inbox agent functionality sufficient for managing the device and its apps? For example, the apps on a device do not require AD group policy for configuration settings. As you become more familiar with the capabilities built into the MDM channel in Windows 10, you’ll be able to make the call if those capabilities are sufficient.

Source: Managing Azure Active Directory joined devices with Microsoft Intune – In the Cloud – Site Home – TechNet Blogs
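The two questions in the excerpt above are easier to answer with data from the device itself. As an added check (example code, not from the TechNet post, from Microsoft, or from the reblogger), the PowerShell below reports how a Windows 10 device is joined, lists the policies that have actually arrived over the MDM channel, and compares them with a list of policies you consider required for that device's role. It assumes dsregcmd.exe is present (Windows 10 1607 and later, which postdates the original post) and that MDM-delivered policies are recorded under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device; the $RequiredPolicies list is a constructed sample, not a recommendation.

```powershell
# Added example, not code from the TechNet post or from Microsoft.
# Reports how a Windows 10 device is joined and which policies it has received
# over the MDM (Policy CSP) channel, then compares that against a list of
# policies you consider required, to answer "is the inbox MDM agent enough?".
# Assumptions: dsregcmd.exe is present (Windows 10 1607 and later) and MDM
# policies land under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device.
# The $RequiredPolicies list below is a constructed sample, not a recommendation.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Name : Value" lines; pick out the join flags
    # and the MDM enrollment URL (empty when the device is not MDM-enrolled).
    $text = (& dsregcmd /status) -join "`n"
    $state = [ordered]@{}
    foreach ($flag in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined') {
        $m = [regex]::Match($text, "(?m)^\s*$flag\s*:\s*(YES|NO)")
        $state[$flag] = if ($m.Success) { $m.Groups[1].Value -eq 'YES' } else { $null }
    }
    $mdm = [regex]::Match($text, '(?m)^\s*MdmUrl\s*:\s*(\S+)')
    $state['MdmUrl'] = if ($mdm.Success) { $mdm.Groups[1].Value } else { '' }
    [pscustomobject]$state
}

function Get-MdmPolicies {
    # Each subkey under ...\current\device is a Policy CSP area (Update, DeviceLock, ...);
    # the values inside are the individual policies the MDM server has set.
    $root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    if (-not (Test-Path $root)) { return @() }   # no MDM policy has ever been applied
    foreach ($area in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $area.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Skip provider metadata: the PS* properties and *_ProviderSet/*_WinningProvider values.
            if ($p.Name -match '^PS' -or $p.Name -match '_(ProviderSet|WinningProvider|LastWrite)$') { continue }
            [pscustomobject]@{
                Policy = "$($area.PSChildName)/$($p.Name)"
                Value  = $p.Value
            }
        }
    }
}

function Test-MdmCoverage {
    param([string[]]$RequiredPolicies)
    # Compare the policies actually delivered with the ones this device's role needs.
    $present = @(Get-MdmPolicies | ForEach-Object { $_.Policy })
    $missing = @($RequiredPolicies | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Delivered  = $present.Count
        Missing    = $missing
        Sufficient = ($missing.Count -eq 0)
    }
}

# Constructed sample of policies a device role might require (Policy CSP names).
$RequiredPolicies = @(
    'DeviceLock/DevicePasswordEnabled',
    'Update/AllowAutoUpdate',
    'Defender/AllowRealtimeMonitoring'
)

$join = Get-DeviceJoinState
$join | Format-List
if (-not $join.AzureAdJoined -and -not $join.DomainJoined) {
    Write-Warning 'Device is neither Azure AD joined nor domain joined; expect no MDM policy.'
}
$coverage = Test-MdmCoverage -RequiredPolicies $RequiredPolicies
$coverage | Format-List
if (-not $coverage.Sufficient) {
    Write-Host 'The MDM channel is not delivering every required setting; keep this device on AD join + Group Policy, or add the missing policies to the Intune profile.'
}
```

Run it in an elevated or standard PowerShell session on the device under evaluation; a device that shows AzureAdJoined true with an empty MdmUrl is joined but not enrolled, which is the state the excerpt warns about when it says the decision rests on whether the MDM channel covers the apps' configuration needs.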


I guess I don’t get it. Maybe I’ve worked for a manufacturing company too long. From a security standpoint, how are you going to let BYOD computers on your network? Even syncing company documents to a personal computer makes me cringe. Some solutions allow you to remote wipe the data on a personal PC. But what stops the user from copying the data to another directory before the remote wipe takes place?

I understand point 1 if you have all cloud or SaaS apps, sure. But then what’s the point of even joining the device to AAD? I do like the idea of not needing to reimage an OEM computer and just being able to reconfigure it to match the standard image, but I hope the Intune configuration can tie back to System Center so it’s standardized across our devices.
