
Step-by-Step guide to connect down-level devices to Azure AD (in hybrid environment)

Devices running Windows 10 and Windows Server 2016 can connect directly to Azure AD. I have used this in my last few posts and explained the different features available for domain-joined devices. However, not every device in an infrastructure runs Windows 10 or Windows Server 2016. If it is a cloud-only environment, you can simply connect your VMs in Azure to Azure AD without issue, but if they are remote devices you have no option other than upgrading to Windows 10 or Windows Server 2016. In a hybrid environment, with some configuration changes, Azure AD allows you to join devices running,

Windows 8.1

Windows 7

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

In this demo, I am going to explain how we can connect these down-level devices to Azure AD. 

A hybrid environment will be either a federated or a non-federated environment. In this post, I am only going to focus on the non-federated environment. The configuration and prerequisites are different from one method to the other.

In a non-federated environment,

1. You must have healthy AD synchronization using Azure AD Connect.
2. If you are using Seamless Single Sign-On with Azure AD Connect, it is still a supported configuration. More information about it can be found at http://www.rebeladmin.com/2017/09/azure-active-directory-seamless-single-sign-azure-ad-seamless-sso/
3. If down-level devices are using roaming profiles, this is not going to work with Azure AD. In that case you need to move to Windows 10.
4. You need an Azure Global Administrator account and a Domain Admin account to make the configuration changes.

Create Service Connection Point 
 
The first step of the configuration is to create a service connection point (SCP) in the local AD so that devices can discover the Azure AD tenant information during the registration process.
In order to do that, we need to run the following PowerShell script on the Azure AD Connect server.

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";

$aadAdmin = Get-Credential;

Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account] -AzureADCredentials $aadAdmin;
 
In above,
 
$aadAdmin – This variable holds the Azure AD admin credential used in the configuration.
 
[AD connector account] – Replace this with the AD account used for Azure AD Sync.
 
Note –
This must be run from the server where you have Azure AD Connect configured.
It is recommended to run it from the Microsoft Azure Active Directory Module for PowerShell tool. If you use that, you do not need to import the module.
You must have the AD DS tools installed on the same server, otherwise the command will fail.
 
 
Verify Service Connection Point Details
 
After the command has run successfully, we can verify the SCP using,

$scp = New-Object System.DirectoryServices.DirectoryEntry;

$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=therebeladmin,DC=com";

$scp.Keywords;
 
In the above, DC=therebeladmin,DC=com represents the domain.
 
If it was successful, you will get a response listing the SCP keywords.
 
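The same check, written as an added example that is not part of the original post: instead of hard-coding the DC= suffix, it reads the configuration naming context from RootDSE, binds to the SCP (the GUID is the one used above), and confirms that the keywords carry both the azureADName and azureADId values that down-level devices use to discover the tenant. The function name is my own.

```powershell
# Added example (not from the original post): locate the device registration SCP
# through the forest's configuration naming context and validate its keywords.
function Get-AzureADDeviceRegistrationScp {
    [CmdletBinding()]
    param()

    # RootDSE exposes the configuration naming context (CN=Configuration,DC=...)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext[0]

    # Well-known SCP container used by Azure AD device registration (same GUID as in the post)
    $scpPath = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    $scp = New-Object System.DirectoryServices.DirectoryEntry($scpPath)

    $result = [ordered]@{
        Path        = $scpPath
        Exists      = $false
        AzureADName = $null   # tenant verified domain, e.g. therebeladmin.com
        AzureADId   = $null   # tenant GUID
    }

    try {
        # Binding happens on first property access; a missing SCP throws here
        $keywords = @($scp.Properties["keywords"])
        $result.Exists = $true
    } catch {
        Write-Warning "SCP not found at $scpPath - was Initialize-ADSyncDomainJoinedComputerSync run?"
        return [pscustomobject]$result
    }

    # Keywords is multi-valued; each entry looks like "azureADName:<domain>" or "azureADId:<guid>"
    foreach ($kw in $keywords) {
        $name, $value = [string]$kw -split ':', 2
        switch ($name) {
            'azureADName' { $result.AzureADName = $value }
            'azureADId'   { $result.AzureADId   = $value }
        }
    }

    if (-not $result.AzureADName -or -not $result.AzureADId) {
        Write-Warning "SCP exists but lacks azureADName or azureADId; devices will not discover the tenant."
    }
    return [pscustomobject]$result
}

Get-AzureADDeviceRegistrationScp | Format-List
```

Run it on the Azure AD Connect server (or any domain-joined host with the AD DS tools) before attempting the device join; an empty AzureADId or AzureADName is the usual reason a down-level Workplace Join fails to find the tenant.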
 
Allow Users to Join Devices to Azure AD
 
Before you join the devices, first verify that users are allowed to connect devices to Azure AD.
To do that,
 
1. Log in to Azure Portal
2. Go to Azure Active Directory 
3. Then Devices
 
 
4. Then click on Device Settings
 
 
5. The setting can be found under the "Users may join devices to Azure AD" option. In my demo setup, I am allowing all users to join devices.
 
 
Join down-level devices to Azure AD
 
Now we have all the prerequisites ready. The next step is to register the device with Azure AD. In my demo, I have a VM which runs Windows 8.1. I am going to add it to Azure AD.
 
1. Log in to the Device as Administrator
 
 
 
3. Double click on the MSI after download and click on Install to proceed. 
 
 
Note – This VM is already part of the local domain. 
 
4. Then go to Start > Search > PC Settings, and after that click on Network.
 
 
5. Then click on Workplace > Join.
 
 
6. It will prompt for the login; provide the relevant username and password.
 
 
7. After a successful join, it will show the following.
 
 
8. Now I can see the device under Azure AD Devices. 
 
 
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.
