Why Should I Care About Joining a Windows 10 Device to Azure AD?

Ok, so Microsoft recently announced the capability to join a Windows 10 device to Azure Active Directory. And my reaction was, “Ummmmm, so what? Why do I care? What’s the big deal?”
  • Azure Active Directory is NOT a replacement for a domain controller. It’s just not. If you want the ability to use stuff like Group Policy to manage your environment, Azure Active Directory isn’t the solution.
  • In order to get more management functionality with machines joined to Azure Active Directory, you have to use an additional service like Microsoft Intune or Mobile Device Management. So if you were hoping to get more power for less dollars, sorry, not happening with an Azure AD join.
There are some advantages, and when I started to look at some of the niftier functionalities of Azure AD-joined devices, I decided to put my Snark-O-Matic back in my computer bag and look at what’s good about this new technique.

  • Users can join Azure AD on their own, without any help from your IT crew. Now I know that sounds like a pie-in-the-sky kind of thing, because let’s get real, anything that requires more than 2 clicks of a mouse requires a training class for a lot of our users. But if your users can sign up for a Pandora or iTunes account (and seriously, we know they can), they can join Azure AD. You can take a look at the process right here: http://blogs.technet.com/b/ad/archive/2015/05/21/azure-ad-on-windows-10-personal-devices.aspx.
  • Users can use their Office 365 accounts to sign into the computer now! Rejoice! Up until this Azure Active Directory join development, your users had to sign into their computers using either a domain, local, or Microsoft personal account, and then sign in AGAIN (the horror! The horror!) to Office 365. Since Office 365 uses Azure Active Directory as its identity store, well, golly gee willikers, joining a device, corporate owned or BYOD (Bring Your Own Device), will slap that Office 365/Azure Active Directory account onto that machine and voila, no more multiple sign-ins just to get to your stuff in O365.
  • Single Sign-On (SSO) is also supported in Azure Active Directory for a lot of SaaS applications out there, so your Office 365 users will only need to sign in once and away-yay-yay they go! Because what do your users need? One more user name and password to forget so you can reset it so they can forget it again in two weeks? Or the ability to just bounce over to something like SalesForce.com and start doing real work? (Pssst: go here https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-salesforce-tutorial/ to learn how to set that up right now!)
  • Here’s a bonus round: you can now add a personal Microsoft account to a corporate-owned, domain-joined Windows 10 machine, and you can also add an Azure Active Directory/Office 365 account to a personal Windows 10 device, so you don’t have to keep switching user accounts when you’re working on stuff from two different environments.

Ok, so here’s the final word on this, for now at least: joining a machine to Azure Active Directory just isn’t going to be for everyone, and that’s ok. If most of your resources are already living in the cloud, say Office 365 and other Azure Active Directory-compatible services, then joining your device (i.e. tablet, laptop, Windows 10 cell phone, or gasp, even a desktop) to Azure AD can bring some great new benefits to your users. Does it give you more control? Well, not really, unless of course you want to also add Intune or Mobile Device Management to your mix, because Azure AD at the current time just doesn’t give you everything that a regular good old fashioned domain controller can. But you just might find, you might get just what you need.
