This week I had an interesting task to do; I invested too much time in it, and it was very important for me to share it with you. It is a good solution for organizations that have Office 365 and/or applications in Windows Azure.
A few words about Azure AD Join first. One of the great advantages of Windows 10 is the ability to register a device in Azure AD. Normally there are several hoops to jump through: the user has to enter an email address and a password, and then most applications ask for credentials again unless you have configured SSO. With Azure AD Join we register the machine in Azure AD itself; really, your PC is registered in Azure AD under the user's account, and from then on the user is signed in to Office 365 automatically without entering credentials. No doubt about it, this is a great SSO feature, and no AD FS or any other federation service is required; the requirements are shown later.
With this configuration we allow users to perform SSO regardless of whether they registered their device in Office 365 themselves. Once the “AzureAdJoined” value shows YES, the configuration is correct.
The SSO knows to allow you SSO with
So what do you have to do, and how do you configure it?
Go to your Azure environment, navigate to your main directory and open “Configure”.
Scroll down to “Devices” and enable the device settings there (for example “Users may join devices to Azure AD”):
Just so you know, you can also set a maximum number of devices per user and other settings here.
From the management point of view, that's it! Now we just have to register each machine by clicking this button:
But of course we aren't going to do that manually per computer, so there is a GPO setting we can use to enable it (make sure you have the Windows 10 ADMX files; if you don't, check out this link). This is the automatic registration of domain-joined Windows 10 computers (what Microsoft now calls hybrid Azure AD join): the domain-joined PC registers itself in Azure AD without any user interaction.
Create a new GPO, link it to the computers you want to join Azure AD automatically, and enable “Register domain joined computers as devices” under:
Computer Configuration/Policies/Administrative Templates/Windows Components/Workplace Join
If you now run “dsregcmd.exe /status” from a command prompt (Windows > Run > cmd) you may still get the “AzureAdJoined” value as “No”. It took us a while to realize that a Service Connection Point (SCP) has to exist in Active Directory for automatic registration to work: the SCP holds the discovery information about our Azure AD tenant (tenant name and tenant ID), and without it the clients cannot find out which tenant they should register with. The SCP lives at the following location:
Open ADSI Edit, connect to the Configuration naming context (CN=Configuration,DC=example,DC=com) and look for
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]
Its keywords attribute should contain azureADName:<your tenant name> and azureADId:<your tenant ID>.
If it doesn't exist, go to your DirSync / Azure AD Connect server (or wherever the Azure AD PowerShell module is installed; the Active Directory module is required as well) and run the following commands:
# AdSyncPrep.psm1 ships with Azure AD Connect and contains the cmdlet that creates the SCP
Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
# Azure AD Global Administrator credentials, used to read the tenant name and ID
$aadAdminCred = Get-Credential
# Creates the SCP in the Configuration partition and grants the connector account the rights it needs
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred
For the “connector account name” value, open Synchronization Service Manager, select the connector of type Active Directory Domain Services (the on-premises AD connector, not the Azure AD connector), open Properties > Connect to Active Directory Forest and use the account name shown there.
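Putting the administrative steps above together, here is an added example (not code from the original post or from Microsoft) that automates the on-premises side: it creates and links the GPO, checks whether the SCP already exists and which tenant it names, and only runs Initialize-ADSyncDomainJoinedComputerSync when the SCP is missing. The GPO name, the target OU, the domain contoso.local and the connector account name are assumptions. The registry value it sets (HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, autoWorkplaceJoin = 1) is the one behind the “Register domain joined computers as devices” policy. Run it as a domain admin on a machine with RSAT (GroupPolicy and ActiveDirectory modules); the last step additionally needs the Azure AD Connect installation and the MSOnline module.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example, not from the original post. The values below are assumptions.
$GpoName            = 'Azure AD - Register domain joined computers'   # assumed name
$TargetOu           = 'OU=Workstations,DC=contoso,DC=local'           # assumed OU
$AdConnectorAccount = 'MSOL_0123456789ab'   # assumed; the AD DS connector account from Synchronization Service Manager
$AadConnectPath     = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'

# --- Step 1: the GPO (Computer Configuration > Policies > Administrative Templates >
#     Windows Components > Workplace Join > "Register domain joined computers as devices")
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Automatic Azure AD device registration'
}
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
    -ValueName 'autoWorkplaceJoin' -Type DWord -Value 1 | Out-Null
try {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes -ErrorAction Stop | Out-Null
} catch {
    # Most likely the link already exists; report and continue with the SCP check.
    Write-Warning "Could not link '$GpoName' to '$TargetOu': $($_.Exception.Message)"
}

# --- Step 2: does the Service Connection Point exist, and which tenant does it name?
function Get-AzureAdDeviceRegistrationScp {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Well-known CN under CN=Device Registration Configuration,CN=Services in the Configuration partition
    $scp = Get-ADObject -SearchBase $configNc -SearchScope Subtree `
        -LDAPFilter '(&(objectClass=serviceConnectionPoint)(cn=62a0ff2e-97b9-4513-943f-0d221bd30080))' `
        -Properties keywords
    if (-not $scp) { return $null }
    # keywords holds 'azureADName:<tenant name>' and 'azureADId:<tenant GUID>'
    $info = [ordered]@{ DistinguishedName = $scp.DistinguishedName }
    foreach ($kw in $scp.keywords) {
        $name, $value = $kw -split ':', 2
        $info[$name] = $value
    }
    [pscustomobject]$info
}

$scpInfo = Get-AzureAdDeviceRegistrationScp
if ($scpInfo) {
    Write-Host "SCP already present. Tenant: $($scpInfo.azureADName) ($($scpInfo.azureADId))"
} else {
    # --- Step 3: create the SCP with the AdSyncPrep module that ships with Azure AD Connect.
    #     Needs the MSOnline module and an Azure AD Global Administrator credential.
    Import-Module -Name $AadConnectPath
    $aadAdminCred = Get-Credential -Message 'Azure AD Global Administrator'
    Initialize-ADSyncDomainJoinedComputerSync `
        -AdConnectorAccount $AdConnectorAccount `
        -AzureADCredentials $aadAdminCred
    $scpInfo = Get-AzureAdDeviceRegistrationScp
    if ($scpInfo) { Write-Host "SCP created for tenant $($scpInfo.azureADName)" }
    else          { Write-Warning 'SCP still missing; check the AdSyncPrep output above.' }
}
```

The SCP lookup searches the whole Configuration partition by the fixed CN rather than binding to the full DN, so it returns nothing (instead of throwing) when the “Device Registration Configuration” container has never been created. Clients pick up the new GPO and SCP on their next policy refresh and reboot.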
Once it is done, go back to your PC, restart it, run “dsregcmd.exe /status” again, and now AzureAdJoined should be YES.
At the time of writing only Internet Explorer and Edge are supported for browser SSO (they are the browsers that can use the Primary Refresh Token the device receives); other browsers still prompt for credentials, and Chrome needs Microsoft's “Windows 10 Accounts” extension.
For any other troubleshooting, run “dsregcmd.exe /debug” on the client to gather useful information about what is going on. By the way, you can also see which devices a user has: in Azure, go to Users, select a user and then select “Devices”, and you will see every machine that belongs to that particular user.
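To make the client-side check repeatable, here is an added example (not from the original post) that runs dsregcmd /status, parses its “Name : Value” lines into a hashtable and evaluates the few values that matter for SSO, pointing at the GPO, the SCP or the user's token depending on which one fails. The field names used (DomainJoined, AzureAdJoined, TenantName, AzureAdPrt) are the ones dsregcmd prints on current Windows 10 builds; older builds print fewer fields. The sample output embedded in the block is constructed so the parser can be tried offline with the -Sample switch.

```powershell
# Added example, not from the original post. Run on a Windows 10 client.

function ConvertFrom-DsregStatus {
    # Turn dsregcmd /status output ("   AzureAdJoined : YES") into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # key = the run of letters/digits before the first colon; value = the rest, trimmed.
        # Header lines ("| Device State |") contain no colon and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-AzureAdJoinState {
    # Evaluate the values this post cares about and say what to check when one is wrong.
    param([Parameter(Mandatory)][hashtable]$Status)
    $findings = New-Object System.Collections.Generic.List[string]
    $ok = $true

    if ($Status['DomainJoined'] -ne 'YES') {
        $ok = $false
        $findings.Add('DomainJoined is not YES: automatic registration only applies to domain-joined PCs.')
    }
    if ($Status['AzureAdJoined'] -ne 'YES') {
        $ok = $false
        $findings.Add('AzureAdJoined is NO: check that the Workplace Join GPO applied (gpresult /r) and that the SCP exists in the Configuration partition, then reboot.')
    }
    if ([string]::IsNullOrEmpty($Status['TenantName'])) {
        $ok = $false
        $findings.Add('TenantName is empty: the client could not discover the tenant; the SCP keywords (azureADName / azureADId) are missing or wrong.')
    }
    if ($Status['AzureAdJoined'] -eq 'YES' -and $Status['AzureAdPrt'] -ne 'YES') {
        $ok = $false
        $findings.Add('Device is registered but this user has no Primary Refresh Token yet: sign out and back in, then run dsregcmd /debug.')
    }
    [pscustomobject]@{ Healthy = $ok; Findings = $findings.ToArray() }
}

# Constructed, trimmed sample of what dsregcmd /status prints on a PC where the
# GPO applied but the SCP is missing. Used only when the script is run with -Sample.
$sampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

$lines  = if ($args -contains '-Sample') { $sampleOutput } else { & dsregcmd.exe /status }
$result = Test-AzureAdJoinState -Status (ConvertFrom-DsregStatus -Lines $lines)
if ($result.Healthy) { 'Device is registered in Azure AD and a PRT is present: browser SSO should work.' }
else                 { $result.Findings }
```

With the embedded sample the script reports that AzureAdJoined is NO and TenantName is empty, which is exactly the missing-SCP symptom described above; on a correctly configured client all four checks pass.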
Many thanks to Tomer Ktzir from U-BTech.