Step-by-Step guide to connect down-level devices to Azure AD (in hybrid environment)

Devices runs with Windows 10 and Windows Server 2016 can directly connect to Azure AD. I have used it on my last few posts and explain different features available for Domain Joined Devices. However not every device in an infrastructure runs with Windows 10 or Windows Server 2016. If it is cloud only environment, you can simply connect your VMs in Azure to Azure AD without issue. but if it is remote devices you do not have option than upgrading to windows 10 and windows 2016. In Hybrid Environment with some configuration changes, Azure AD allow to join devices runs with, 

• Windows 8.1

• Windows 7

• Windows Server 2012 R2

• Windows Server 2012

• Windows Server 2008 R2

In this demo, I am going to explain how we can connect these down-level devices to Azure AD. 

If it is hybrid environment, it will be either federated or non-federated environment. In this post, I am only going to focus on non-federated environment. The configuration and prerequisites are different from one method to another. 

In non-federated environment, 

1. You must have healthy AD synchronization using Azure AD Connect

2. If you are using Seamless single sign-on with Azure AD Connect, it is still supported configuration. more info about it can find using http://www.rebeladmin.com/2017/09/azure-active-directory-seamless-single-sign-azure-ad-seamless-sso/ 

3. If down-level devices are using roaming profiles it is not going to work with Azure AD. In that case you need to move to Windows 10

4. You need to have Azure Global Administrator Account and Domain Admin Account to do the configuration changes. 

Create Service Connection Point 

 

First step of the configuration is to create service connection point (SCP) in local AD so devices can discover Azure AD tenant information during the registration process. 

In order do that we need to run following PowerShell script in Azure AD Connect server. 




Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";




$aadAdmin = Get-Credential;




Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount [AD connector account] -AzureADCredentials $aadAdmin;

 

In above,

 

$aadAdmin – Parameter is to represent the Azure AD admin account used in the configuration. 

 

[AD connector account] – This should replace with the AD account used for Azure AD Sync

 

Note – 

• This must run from the server you have AD Connect configured

• It is recommended to run it from Microsoft Azure Active Directory Module for PowerShell tool. If you use it you do not need to import the module. 

• You must have AD DS tools installed on the same server otherwise command will fail. 

 

 

Verify Service Connection Point Details

 

After you run the command successfully we can verify SCP using,




$scp = New-Object System.DirectoryServices.DirectoryEntry;




$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=therebeladmin,DC=com";




$scp.Keywords;

 

In above DC=therebeladmin,DC=com represents the domain. 

 

If it was successful, you will get response like below. 

 

 

Allow Users to Join Devices to Azure AD

 

Before you joined the devices, first verify if you allow users to connect devices to Azure AD. 

To do that, 

 

1. Log in to Azure Portal

2. Go to Azure Active Directory 

3. Then Devices

 

 

4. Then click on Device Settings

 

 

5. Then the settings can find under, User may join devices to Azure AD option. In my demo setup, I am allowing all the users to join devices. 

 

 

Join down-level devices to Azure AD

 

Now we have all the prerequisites ready. Next step is to register device with Azure AD. In my demo, I have a VM which runs Windows 8.1. I am going to add it to Azure AD.

 

1. Log in to the Device as Administrator

 

2. Download msi from https://www.microsoft.com/en-us/download/details.aspx?id=53554  

 

 

3. Double click on the MSI after download and click on Install to proceed. 

 

 

Note – This VM is already part of the local domain. 

 

4. Then go to Start > Search > PC Settings after that click on Network 

 

 

5. The click on Workplace > Join

 

 

6. It will prompt for the login and provide the relevant password. 

 

 

7. After successful join, it will show following

 

 

8. Now I can see the device under Azure AD Devices. 

 

 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.