Azure AD Integration in Windows 10 – What does it mean to have an orgID Cloud Identity

From IIW

Azure AD integration in Windows 10

Tuesday 3G

Convener: Vickey Milton

Notes-taker(s): Susan Carevic


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

What has Microsoft done in Windows 10:

Who owns this PC?

Windows account types (privilege level):

Administrator or Standard User

Windows 8 introduced more kinds of accounts:

Local account: can be connected to a Microsoft account (MSA), and can later be disconnected again.

Microsoft account (MSA): consumer cloud account for Microsoft apps and services. Uses OAuth and OpenID Connect; the password is managed in the cloud but can be cached locally for sign-in. Microsoft is the identity provider.

Domain account (AD): organizational identity issued by on-premises Active Directory, the out-of-the-box trust authority for Windows in general. Centrally managed; the device gets tokens from AD and authenticates with Kerberos.

Azure AD account (AAD): built to support Office 365 (no guest accounts).

With Windows 10, the Azure AD account is integrated into the OS alongside the AD domain account.

Tenant: the organization's (for example a small business customer's) business relationship with Microsoft, together with its namespace (its DNS domain name).

In a federated setup, Azure AD still relies on on-premises AD to authenticate the user and issue the token, via federation (ADFS). Joining is a device concept, separate from the user account.

A domain account (AD join) and an Azure AD account (AAD join) cannot coexist on the same device.

MDM (mobile device management): used to centrally manage devices. The big MDM vendors integrate with Azure AD.

Group Policy cannot be applied to an Azure AD joined device, so which settings win when both apply? Windows 10 supports only one MDM enrollment per device. The Windows team is looking at layering MDM policy; the most restrictive policy would win.
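The two notes above (no domain join alongside an Azure AD join, one MDM enrollment per device) can be checked on a Windows 10 box with dsregcmd, the built-in join-state tool. The script below is an added example, not code from the session or from Microsoft: it parses the "Key : Value" lines that `dsregcmd /status` prints and reports the join type, tenant and MDM enrollment URL. The field names it reads (AzureAdJoined, DomainJoined, EnterpriseJoined, TenantName, MdmUrl) are the ones dsregcmd prints, but it is assumed here that the reader's build prints them in that form; the sample output embedded for the offline run is constructed, not captured from a real device.

```powershell
# Added example: summarise Azure AD / domain / MDM join state from `dsregcmd /status`.
# Assumes dsregcmd prints "Key : Value" lines under "| Section |" banners (field
# names as on Windows 10 builds the author has seen; verify on your own build).

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Keys may contain spaces ("Device Name"); values may contain colons (URLs).
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinState {
    param([string[]]$Lines)
    if (-not $Lines) { $Lines = & dsregcmd.exe /status }   # live query if no text supplied
    $s = ConvertFrom-DsregStatus -Lines $Lines

    $aad    = $s['AzureAdJoined'] -eq 'YES'
    $domain = $s['DomainJoined']  -eq 'YES'
    $mdm    = -not [string]::IsNullOrWhiteSpace($s['MdmUrl'])

    $joinType = if ($aad -and $domain) { 'Both flags set (hybrid join; later Windows 10 builds allow this, the session treats it as not possible)' }
                elseif ($aad)          { 'Azure AD joined' }
                elseif ($domain)       { 'On-prem domain joined' }
                else                   { 'Not joined (local or MSA account only)' }

    [pscustomobject]@{
        JoinType    = $joinType
        Tenant      = $s['TenantName']
        MdmEnrolled = $mdm
        MdmUrl      = $s['MdmUrl']
    }
}

# Constructed sample output (not captured from a real machine) so the parser can be
# exercised offline; the layout mimics dsregcmd's banners and padded key names.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : CONTOSO-LAPTOP-01

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.contoso.example/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Get-DeviceJoinState -Lines $sample | Format-List
# Run against the real device instead:
# Get-DeviceJoinState | Format-List
```

Run it from an elevated or standard PowerShell prompt on the device; dsregcmd needs no special rights for /status. A device that reports AzureAdJoined : YES together with an empty MdmUrl is the "joined but never enrolled" case, which is what you get if the user backs out at the terms-and-conditions step described later in these notes.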

(Image: IIW21 Win.jpg)

Azure AD integrates directly into the operating system; there is no shadow (local mirror) account:

  • Treated more like AD than like MSA, so that the corporation retains control over its identities.
  • Goal: enable new provisioning models. Could a device be provisioned from the user's identity alone, and could that be brought to corporations?
  • When you buy a new machine with Windows 10 Professional and sign in with an Azure AD account, it downloads all corporate policies without the corporation touching the device.
    • Open up a new computer with Win10 Pro: you are asked "who owns this PC?"
      • This lets a user buy an enterprise device: does this device belong to you or to your organization?
        • The question does not come up on Windows Enterprise, only on the Professional edition.
      • Lets you join a domain.
      • Enter the work account email: the computer asks Azure AD whether the email's domain belongs to a tenant; if not, it is redirected to on-premises AD.
        • If a tenant is found, Azure AD passes the organization's information, including its branded icon, down to the machine. If the tenant is federated, Azure AD tells the computer to go to ADFS for credentials, and the user is redirected to the organization's sign-in page.
          • Otherwise the user enters the password directly to join Azure AD.
        • Once authenticated to the organization, a token is added to the device.
        • Azure AD passes the token to the organization's MDM server and displays the organization's Terms and Conditions (Ts and Cs). This is "the cliff": once you accept, your device is managed. The user can unjoin if they made a mistake.

User Accepts: device registered, policies laid down, MDM enrolls device.
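The branch in the flow above (tenant found and managed, tenant found and federated, or no tenant) is home realm discovery on the email's domain. The script below is an added example, not code from the session or from Windows itself; it uses the public getuserrealm.srf endpoint on login.microsoftonline.com, which answers the same question, and it is an assumption here that the Windows join UI queries an equivalent endpoint. The response fields read (NameSpaceType, DomainName, FederationBrandName, AuthURL) are the ones that endpoint returns; the three sample replies and the domains contoso.example, fabrikam.example and nobody.example are constructed for the offline run.

```powershell
# Added example: home realm discovery behind "enter your work account email".
# Assumption: the Windows join UI performs an equivalent lookup; this script uses
# the public getuserrealm.srf endpoint, which returns the fields used below.

function Get-AadRealm {
    param([Parameter(Mandatory)][string]$Email)
    $uri = 'https://login.microsoftonline.com/getuserrealm.srf?login={0}&json=1' -f [uri]::EscapeDataString($Email)
    Invoke-RestMethod -Method Get -Uri $uri
}

function Resolve-JoinPath {
    # $Realm is an object shaped like a getuserrealm.srf JSON reply.
    param([Parameter(Mandatory)]$Realm)
    switch ($Realm.NameSpaceType) {
        'Managed' {
            # Tenant exists and holds the password: user types it straight into Azure AD.
            [pscustomobject]@{ Domain = $Realm.DomainName; Tenant = $Realm.FederationBrandName
                               Path = 'Password verified by Azure AD'; SignInUrl = $null }
        }
        'Federated' {
            # Tenant exists but authentication is delegated: Windows must go to the org IdP (ADFS).
            [pscustomobject]@{ Domain = $Realm.DomainName; Tenant = $Realm.FederationBrandName
                               Path = 'Redirect to organization IdP (ADFS)'; SignInUrl = $Realm.AuthURL }
        }
        default {
            # No tenant owns this domain: Azure AD join is not an option for this email.
            [pscustomobject]@{ Domain = $Realm.DomainName; Tenant = $null
                               Path = 'No Azure AD tenant: fall back to on-prem domain join or local account'; SignInUrl = $null }
        }
    }
}

# Constructed sample replies (not captured from real tenants).
$managed   = [pscustomobject]@{ NameSpaceType = 'Managed';   DomainName = 'contoso.example'; FederationBrandName = 'Contoso' }
$federated = [pscustomobject]@{ NameSpaceType = 'Federated'; DomainName = 'fabrikam.example'; FederationBrandName = 'Fabrikam'
                                AuthURL = 'https://adfs.fabrikam.example/adfs/ls/' }
$unknown   = [pscustomobject]@{ NameSpaceType = 'Unknown';   DomainName = 'nobody.example' }

$managed, $federated, $unknown | ForEach-Object { Resolve-JoinPath -Realm $_ } | Format-Table -AutoSize

# Live lookup against a real address (network required):
# Resolve-JoinPath -Realm (Get-AadRealm -Email 'alice@contoso.example')
```

Two practitioner notes. The lookup is unauthenticated, so anyone can learn whether a domain is an Azure AD tenant and, if federated, where its ADFS endpoint lives; treat that as public information when threat-modelling the join flow. And the federated branch is the one where a user types their password into a page the organization controls rather than into Azure AD, which is why the sign-in page the device is redirected to should be verified before the device goes over "the cliff" into management.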

The whole flow is web driven, so that it can be changed server-side.

Does Windows 10 allow you to use something other than a password? Yes, but a password is still needed. Users are used to seeing a password field; they understand the two fields together, even though we know we want to get rid of passwords.

It federates with AD; will it federate with other IdPs beyond ADFS? Yes, it does, but no other provider can be the core IdP.