Windows 10, Azure AD Join and SSO (Build 10162)
A while back I wrote a post regarding Azure AD Join or Connect to cloud that it was called in earlier build. Since then a lot of stuff has happened and I really feel the quality and usefullness of Azure AD Join is getting close to target.
So this post is gonna focus on the OOBE experience of a new users experience when logging into a new computer for the first time. I am sorry for the norwegian language in the screenshots I have made, but you will understand what they are about anyway :)
So the first that happens when you turn on your new Windows 10 Pro machine is that the OOBE kicks off and helps you setup your new computer. This is well known and has been a part of starting up a new computers for a long time.
Choose your preffered language and reginonal settings and continue
I choose the Express settings to get this quickly away. I guess most users will choose this option.
This is where the interresting part is happening. On this page you are asked about who owns the PC. As this is my company’s PC I choose that my organisation/company owns this machine and clicks next.
Now the users are prompted for another choice. Do they want to connect to Azure AD or a Domain. We instruct the users to choose Azure AD and goe on to the part where they authenticate and join Azure AD.
This is where I log on with my Azure AD/O365 credentials and this screen you can customize abit in Azure AD regarding to branding and help-text. I log on an the process of joining Azure AD happens.
At first logon the user will have a little waiting for the profile creation and apps installation, when that is done you will be asked to create a work-pin. I havent found out if this is possible to disable or not quite yet.
When I choose to Create Pin I have enable for testing use of the Azure Authenticator App as Multifactor Authentication. The user will then be prompted for additional authentication on their phone, If they have never done a MFA earlier they will be asked to set this up as an integrated part of this process.
I have now confirmed my identity by getting an notification on my phone through the Azure Authenticator App and are able to create my pin for simple and secure logon.
And then I am done. Windows gives me my desktop and I am ready to start using my Azure AD Domain joined machine with my corporate credentials on the device.
In earlier builds the SSO part did not work that great. I had to logon again if I opened pages like portal.office.com to get to my O365 subscription. I had to logon again to use the Windows 10 Mail app. So I was quite pleaced when I started EDGE and typed in portal.office.com and it presented me with this without any logon prompts at all.
So now I am really ready to start working with just login into my computer straight from the store with my corp identity and single sign on to corporate resources.
So what do I miss today that I think needs improvement before this solution is production ready? I am missing a just a few things, but I am hoping and believing that this should be in place around Windows 10 RTM time.
1. I am still not able to auto enroll in Intune for management capabilities. I have not enrolled and testet much on the Intune capabilities in this build. I am waiting for another Win10 focused release of Intune to be available. And stuff like upgrade from Pro – Enterprise via Intune is really gonna be cool stuff.
2. I am now able to “connect” a Microsoft Account to my AAD joined machine, but it doesnt seem to work as I expected. Settings sync is not working (with a message that I need to have an MSA to do this), I have to change/switch logon in the store. I seems kinda disconnected still.
3. Settings sync (enterprise mode) does not seem to be inplace, I have read from MSFT that settings sync through Azure AD is supposed to be an option.
4. The Business Store. I really hope it does not take long before we are able to see and test this part, it is gonna make handling apps for Azure AD Identities much easier.
Windows 10 and Azure AD really makes sense and are a really good match. Users will be able to self provison their devices easily and IT doesnt have to setup a lot of infrastructure to manage their Windows 10 users.
Filed under: AzureAD, Client, Cloud, Windows 10 Tagged: AzureAD, Cloud, EMS, Identity, Intune, Join, Microsoft, O365, Windows 10