Azure AD Join vs Azure AD Device Registration

When introducing folks to Azure Active Directory, Azure Active Directory Premium, and Enterprise Mobility Suite (EMS) I get a lot of questions concerning the difference between registering and joining devices to Azure AD. Here is a quick review on the differences:

USERS MAY REGISTER THEIR DEVICES WITH AZURE AD

This function governs Azure AD Device Registration. Azure AD Device Registration is focused on providing single sign-on (SSO) and seamless multi-factor authentication across company cloud applications from personal devices in bring your own device (BYOD) scenarios. Access to on-premises applications is also available through integration with the on-premises Web Application Proxy (WAP) and ADFS Device Registration Service (DRS) using Azure AD Device Writeback. This allows devices to seamlessly leverage on-premises Workplace Join functionality with on-premises applications. Azure AD Device Registration is supported on Windows, Android, and iOS devices.


Azure AD Device Registration is also supported on AD domain-joined Windows clients, giving them seamless access to cloud applications and fewer logon prompts when off the corporate network.


USERS MAY JOIN DEVICES TO AZURE AD


This function governs Azure AD Join. Azure AD Join is focused on corporate-owned device management for users who primarily use cloud applications. Azure AD Join is an alternative to the AD + GPO + System Center management stack for Windows 10 clients. Azure AD Join also makes full use of its Azure AD membership by providing the same great SSO experience as Azure AD Device Registration and Workplace Join / Add a work account when accessing both cloud and on-premises applications. Azure AD Join is supported on devices running Windows 10.


Both options offer fantastic integration for organizations whose applications and resources are largely in the cloud and that require, or would like the option of, conditional access for Office 365 applications with Microsoft Intune. A quick cheat sheet is provided below:

[Cheat sheet table comparing Azure AD Device Registration and Azure AD Join; image not recoverable]

As you can see, Azure AD Join provides powerful Windows 10 exclusive features while also providing the SSO capabilities of Azure AD Device Registration. As I stated before, Azure AD Device Registration is also supported on domain-joined PCs. Let’s take a look at all three configurations together:

[Table comparing Azure AD Device Registration, Domain Join + Device Registration, and Azure AD Join (including device ownership per configuration); image not recoverable]

As you can see, both the Azure AD Join and the Domain Join + Device Registration configurations allow for the best of both worlds. Domain Join + Device Registration clients remain managed by on-premises tools but get to take advantage of reduced logins for cloud applications. Azure AD Join provides the same great user experience with the added value of CYOD and Intune MDM support.
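The three configurations above can be told apart on a Windows 10 client from the output of `dsregcmd /status`. The following PowerShell is an added example, not code from the original post: it assumes the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields that `dsregcmd` prints, and the sample output embedded in it is constructed rather than captured from a real machine. A domain-joined PC that is also registered with Azure AD shows both `DomainJoined : YES` and `AzureAdJoined : YES`, while a BYOD device that only used "Add a work account" shows `WorkplaceJoined : YES`.

```powershell
# Added example (not from the original post): classify a Windows device into the
# three configurations discussed above by parsing `dsregcmd /status` output.
# Assumptions: the field names AzureAdJoined, DomainJoined and WorkplaceJoined as
# printed by dsregcmd; the sample output below is constructed for offline use.

function Get-DeviceJoinState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running the tool locally.
        [string[]]$StatusLines = (dsregcmd /status)
    )

    # dsregcmd prints "Name : VALUE" pairs; keep only the three we classify on.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # Missing keys evaluate as $false, so a partial output still classifies safely.
    $config = if ($state.AzureAdJoined -and -not $state.DomainJoined) {
        'Azure AD Join (Windows 10, cloud-managed, Intune MDM)'
    } elseif ($state.DomainJoined -and ($state.AzureAdJoined -or $state.WorkplaceJoined)) {
        'Domain Join + Azure AD Device Registration (on-premises managed, cloud SSO)'
    } elseif ($state.WorkplaceJoined) {
        'Azure AD Device Registration only (BYOD / Add a work account)'
    } elseif ($state.DomainJoined) {
        'Domain Join only (no Azure AD relationship)'
    } else {
        'Not joined or registered'
    }

    [pscustomobject]@{
        AzureAdJoined   = [bool]$state.AzureAdJoined
        DomainJoined    = [bool]$state.DomainJoined
        WorkplaceJoined = [bool]$state.WorkplaceJoined
        Configuration   = $config
    }
}

# Constructed sample (not captured from a real machine): a domain-joined PC that
# has also been registered with Azure AD, i.e. the "best of both worlds" case.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

# Classify the constructed sample; omit -StatusLines to inspect the local machine.
Get-DeviceJoinState -StatusLines $sample | Format-List
```

Running the function without `-StatusLines` inspects the machine it runs on, which is a quick way to confirm that a device you expect to be managed on-premises has not silently become Azure AD joined only, or that a device you expect to get cloud SSO is actually registered.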

If you have any questions, feel free to leave a comment or shoot me a tweet @justwheaties

Thanks,

David


Comments

  • Anonymous
    August 05, 2016
    Thanks a lot for this post! I have 2 questions:
    1. Does SSO to Azure Cloud Applications from Domain Joined Azure registered devices require AD-Connect Password Sync enabled?
    2. Can you please explain what you mean by "reduced logins" for Windows domain joined Devices?
  • Anonymous
    January 11, 2017
    Thanks for clarifying the differences. The article could benefit from some clarity on the role of Workplace Join, its relationship to device registration and the use cases it supports. In the last table you have included it in the Domain Join + Device Registration column which has device ownership as 'Organization' when the key use case for Workplace Join is for personally owned devices. There is no mention of it in the device registration column though you have discussed it in the commentary above.
  • Anonymous
    April 18, 2017
    Using Device Registration, I can't retrieve BitLocker keys stored in AAD. The GUI from the client (Win10) doesn't error when enabling "save to your cloud domain account"; if this is true it is misleading and dangerous.
  • Anonymous
    May 23, 2017
    Nice job putting this together David. The tables clarify a lot.
  • Anonymous
    December 04, 2017
    All, I know this is an old post but I want to answer AzurePower's questions:
    1. Does SSO to Azure Cloud Applications from Domain Joined Azure registered devices require AD-Connect Password Sync enabled?
    If you're not using ADFS, then your only other option is Password Sync. You should enable one or the other but not both at the same time to have SSO capabilities. And yes, these are requirements for SSO.
    2. Can you please explain what you mean by “reduced logins” for Windows domain joined Devices?
    When you access an SSO-enabled web application (like SharePoint) from a domain-joined PC, you may get prompted for your username and password. If you enable Windows Integrated Authentication (WIA), the Windows login will be used for authentication to the web application. If you're using ADFS, there is an extra setting for this. Hope this helps. Barr