Az104 — Azure Device Identity
· Device identity in Azure Active Directory (Azure AD) helps you control the devices that you add to your organization’s Azure AD instance.
· It also helps you control the data, resources, and assets that those devices can access.
· It provides a framework to implement device-based conditional access.
· You can use a device-based conditional access policy to limit device access to your organization’s assets.
· Tools such as Microsoft Intune can enhance what’s known about a device by ensuring compliance with organizational requirements.
· You have three device registration options to add a device to Azure AD:
o Azure AD registered:
§ These devices fall into the Bring Your Own Device (BYOD) category.
§ They’re typically privately owned, or they use a personal Microsoft account or another local account.
§ This method of device registration is the least restrictive because it supports devices running Windows 10, iOS, iPadOS, Android, and macOS.
§ Device security is typically provided by a password, a PIN, a pattern, or Windows Hello.
o Azure AD joined:
§ These devices are owned by your organization.
§ Users access your cloud-based Azure AD instance through their work account.
§ Device identities exist only in the cloud.
§ This option is available only to Windows 10 or Windows Server 2019 devices.
§ Windows Server 2019 Server Core installation isn’t supported.
§ Security for this option uses either a password or Windows Hello.
o Hybrid Azure AD joined:
§ This option is similar to Azure AD joined.
§ The devices are owned by the organization, and they’re signed in with an Azure AD account that belongs to that organization.
§ Device identities exist in the cloud and on-premises.
§ The hybrid option is better suited to organizations that need on-premises and cloud access.
§ This option supports Windows 7, 8.1, and 10, and Windows Server 2008 or later.
· Conditional access evaluates the signals and provides a decision:
- Block access, which is the most restrictive.
- Grant access, which is the least restrictive but might require additional criteria before allowing access.
· Those criteria can be one or more of:
- Multifactor authentication
- Device marked as compliant
- Device that’s hybrid Azure AD joined
- Approved application
- Need for an app protection policy
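The grant controls listed above correspond one-to-one to the built-in controls of a conditional access policy in Microsoft Graph. The following is an added example (not from the notes or from Microsoft) that creates such a policy in report-only mode so the effect can be observed before enforcement; it assumes the Microsoft.Graph PowerShell SDK is installed and that you can consent to the Policy.ReadWrite.ConditionalAccess scope, and the break-glass account ID is a placeholder.

```powershell
# Added example: define a conditional access policy that requires a compliant
# OR hybrid Azure AD joined device. Assumes the Microsoft.Graph SDK is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Built-in grant controls map to the criteria in the notes:
#   mfa                  -> multifactor authentication
#   compliantDevice      -> device marked as compliant (e.g. by Intune)
#   domainJoinedDevice   -> device that is hybrid Azure AD joined
#   approvedApplication  -> approved client application
#   compliantApplication -> app protection policy required
$policy = @{
    displayName = "Require compliant or hybrid-joined device (report-only)"
    # Report-only evaluates and logs the decision without blocking anyone,
    # which is how you validate the policy before switching it to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Placeholder: always exclude an emergency-access account so a
            # misconfigured device policy cannot lock administrators out.
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")
        }
        applications = @{ includeApplications = @("All") }
        # Device-based controls only apply to joined/registered Windows devices here.
        platforms    = @{ includePlatforms = @("windows") }
    }
    grantControls = @{
        # "OR": satisfying any one control grants access; "AND" would require all.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After running in report-only mode, review the sign-in logs' report-only results before changing `state` to `enabled`.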
· Using the Azure AD joined or hybrid option limits you to using a Windows-based or Windows Server-based operating system on the device.
· Conditional access requires an Azure AD Premium P1 license or a Microsoft 365 Business license.
· Azure AD join works with Windows 10 or Windows Server 2019 devices.
· Windows Server 2019 Server Core installation isn’t supported.
· If you’re using an earlier Windows operating system, you’ll need to upgrade to Windows 10 or Windows Server 2019.
· Decide what identity infrastructure model best supports your organization’s needs:
- Managed environment: This environment uses pass-through authentication or password hash sync to provide single sign-on (SSO) to your devices.
- Federated environments: These environments require the use of an identity provider. That provider must support the WS-Trust and WS-Fed protocols for Azure AD join to work natively with Windows devices. WS-Fed is required to join a device to Azure AD. WS-Trust is needed to sign in to an Azure AD joined device.
- Smart cards and certificate-based authentication: These methods aren’t valid ways to join devices to Azure AD. But if you have Active Directory Federation Services configured, you can use smart cards to sign in to Azure AD joined devices. We recommend that you use a service like Windows Hello for Business, which supports passwordless authentication to Windows 10 devices.
- Manual user configuration: If you create users in your on-premises Active Directory instance, you need to synchronize the accounts to Azure AD by using Azure AD Connect. If you create users in Azure AD, no additional setup is needed.
· The latest versions of Windows 10 have a built-in MDM client that works with all compatible MDM systems.