On premises workstations appearing as Azure Domain joined in All Devices

  • Question

  • I have Office 365 E3 subscriptions for employees, linked to an AAD tenant.  No other services are active, the AAD is not federated and there is no ADSync with our on-premises Active Directory domain.  MDM for Office 365 is enabled via an unmodified "Default MDM Policy by Office 365" which applies to the Default MDM security group.  The latter includes all Office 365 licensed users.

    In checking the "Managed Devices" page recently (in O365 Admin center, or AAD Dashboard, All devices), two Active Directory domain-joined workstations are present as Join Type "Azure AD registered". Each machine is Windows 10 Enterprise v1703 or 1709 and is shown in the portal as owned by the user to whom the workstation is assigned.  Both have blank "Last Sync Times" and a status of "Unknown" in O365 MDM.

    The workstations are not AAD joined, as confirmed by running dsregcmd /status locally.  However, in W10 Accounts, there is a work or school account for the "owner" in addition to the domain account.  There is no "info" button on the work or school account, just a delete.

    I have been unable to establish how these devices have become registered on the AAD MDM portal.  If anyone could help explain what might be going on, I would be grateful.  I admit to a total lack of understanding on this topic.

    Thanks


    • Edited by Andy_of_MERL Monday, February 26, 2018 3:57 PM
    • Moved by Ajay Kadam Monday, February 26, 2018 7:20 PM better fit
    Monday, February 26, 2018 3:56 PM

Answers

  • Configuring a work or school account gives the users the possibility, in the first screen, to join AAD regardless of whether the machine is AD domain joined or not.


    • Proposed as answer by Cloud_Crusader Sunday, April 29, 2018 12:04 PM
    • Marked as answer by Andy_of_MERL Monday, April 30, 2018 7:00 AM
    Friday, April 20, 2018 11:42 PM

All replies

  • Is it possible you have "Users may register their devices with Azure AD" as shown here - https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings

    and a user has manually registered the device like here https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-registered-devices-windows10-setup ?

    Or are the users using Office 365? When they sign into Office 365 with their Azure AD account, it's possible that they got the prompt to "Add this account to Windows" which registered the machine in Azure AD.
    Monday, March 12, 2018 10:46 PM
  • Thanks Nick,

    Users are permitted to register devices (so they can add phones).  There are some phones registered and controlled by policy.  The users of the domain joined workstations claim not to have knowingly tried to join their workstation to the "Work or School account", but I can't rule out the "Add this account to Windows" route that you mention.

    I think my big weakness in understanding is whether a domain joined Windows 10 client can also be joined to AAD when there is no ADSync between the on-prem and Azure domains. I've tried to read all the relevant MS documentation, but I just remain confused!

    Tuesday, March 13, 2018 9:28 AM
  • MS account schemes are getting too complex for the SME "admin in the street", or at least for me!  I struggled to find concise documentation that sets out and compares options.  This is the best summary I found yet:

    https://blogs.technet.microsoft.com/mniehaus/2018/01/19/afraid-of-windows-10-with-azure-ad-join-try-it-out-part-1/

    In comments at the bottom, the author states: "It can only be joined to AD or AAD. If you join it to AD, the 'join to AAD' link disappears; if you join it to AAD, the 'join to AD' link disappears. If you have an AD-joined machine, it can be registered with AAD to get you the 'best of both worlds' ..."

    I think that the domain machines in question "registered" with AAD (not "joined") when a user ran through the Office 365 sign on and selected to link the account with the machine, as Nick posted above.


    • Edited by Andy_of_MERL Monday, April 30, 2018 7:01 AM added a reference to post above
    Monday, April 30, 2018 7:00 AM
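Turning the thread's conclusion into a check an admin can run, as an added example that is not from any poster: this Python script parses the relevant `dsregcmd /status` fields (the output excerpt is constructed, not taken from the machines discussed) and distinguishes a domain-joined workstation whose signed-in user has merely registered with Azure AD (WorkplaceJoined : YES under User State) from one that is genuinely Azure AD joined or hybrid joined. The field names are the ones dsregcmd prints; the classification labels are assumed for this example.

```python
import re

# Constructed excerpt of `dsregcmd /status` (not real output) for a workstation
# that is joined to on-premises AD and, for the signed-in user, also registered
# ("workplace joined") with Azure AD. Values are placeholders, not a real tenant.
SAMPLE_STATUS = """\
| Device State |
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
| User State |
                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : NO
"""

def parse_status(text):
    """Map every 'Name : Value' line of dsregcmd output to {Name: Value}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields):
    """Name the device state the way the portal's Join Type column would."""
    yes = lambda key: fields.get(key, "NO").upper() == "YES"
    aad, ad, wpj = yes("AzureAdJoined"), yes("DomainJoined"), yes("WorkplaceJoined")
    if aad:
        # The device identity itself lives in Azure AD; with an on-prem domain too it is hybrid.
        return "hybrid Azure AD joined" if ad else "Azure AD joined"
    if wpj:
        # Only a user-level registration exists: the portal shows "Azure AD registered".
        return "domain joined + Azure AD registered" if ad else "Azure AD registered"
    return "domain joined only" if ad else "not joined or registered"

if __name__ == "__main__":
    # On a Windows host, replace SAMPLE_STATUS with the live output of:
    #   subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True).stdout
    print(classify(parse_status(SAMPLE_STATUS)))
```

Because WorkplaceJoined is reported in the User State section, it reflects the account currently signed in, which matches the per-user "work or school account" the original poster saw in Settings while dsregcmd still reported the device as not Azure AD joined.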