Workplace Join versus Azure Active Directory Device Join
Workplace Join and Azure Active Directory Device Join (or Device Registration) are complementary technologies that provide a solid foundation for device identity and access to both on-premises and cloud-hosted resources. The way these two offerings are presented is often at odds. Let's take a look at both offerings and show how and why they make sense together.
Workplace Join
What is Workplace Join? The TechNet article Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications provides a nice overview.
By using Workplace Join, information workers can join their personal devices with their company's workplace computers to access company resources and services. When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication and Single Sign-On to workplace resources and applications.
That sounds nice. Seamless second factor authentication and SSO is nothing to turn your nose up at, especially in an enterprise environment where timely access to corporate resources is critical to the success of your business. Imagine a user of Outlook for iOS who no longer needs to enter their password when you send them a link to a document on your Office 365 portal. If you save that employee 30 seconds every time they browse to a document from email, imagine how much time you've bought them over the course of a day. That's just one employee. What if you could allow your entire workforce to experience the same capability?
So where does Azure Active Directory's Device Registration service fit into all of this?
Azure Active Directory Device Registration service
Now that we're sold on the benefits of device registration, we have to understand how Azure Active Directory underpins the Workplace Join functionality.
The previously mentioned TechNet article Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications also provides a nice overview of how the two services interact.
Workplace Join is made possible by the Azure Active Directory Device Registration service. When a device is joined by Workplace Join, the service provisions a device object in Azure Active Directory and then sets a key on the local device that is used to represent the device identity. This device identity can then be used with access control rules for applications that are hosted in the cloud and on-premises.
On-premises and The Cloud™: Better Together
If your organization is leveraging Office 365 and licensed under any commercial subscriptions (including Business, Enterprise, EDU and Government), you have access to the mobile device management (MDM) capabilities of Office 365 as a part of your license.
Now, I can hear you saying "But wait, you just told me I need to have Azure Active Directory for this to work!".
I did.
If you're on Office 365 you already have an Azure Active Directory tenancy driving your Office 365 subscription. Let me repeat that. If you have an Office 365 subscription, you have an Azure subscription and an Azure Active Directory tenancy within that subscription today.
To drive that home, let’s take a look at an AAD tenant that drives an Office 365 E3 tenant. In that case, you cannot even disable Workplace Join, as it is an included feature of your Office 365 subscription and automatically enabled.
Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires Workplace Join. If you have configured either of these services, ALL will be selected and the button will be disabled.
With Workplace Join enabled, the magic happens when you select which users can AD Join devices. Your choices are All, Selected or None.
At this point, if you have the right DNS records in place for enterprise registration, users can begin registering devices against Azure Active Directory and those devices will be subject to any Conditional Access Device Policies for Office 365 services that have been configured.
If you do plan to use the device registration capabilities of Azure Active Directory in a hybrid scenario, be mindful that device-based conditional access policies require device object write-back support to Active Directory from Azure Active Directory. That can be accomplished with either DirSync or the newly released AAD Connect tooling.
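To make the prerequisites above concrete, here is an added PowerShell script (my own example, not part of the original post or of any Microsoft documentation) that checks the four things an Office 365 admin would want to confirm before users start registering devices: the enterprise registration and enrollment CNAME records, the tenant's device registration policy, the devices already registered, and whether device write-back has populated the on-premises RegisteredDevices container. It assumes the MSOnline and ActiveDirectory modules are installed, that `$Domain` is replaced with one of your tenant's verified domains (`contoso.com` is a placeholder), and that the `DeviceTrustType` property name matches the MSOnline module you have installed.

```powershell
# Added example, not from the original post. Verifies the device registration
# prerequisites described above. Requires the MSOnline and ActiveDirectory modules.
param(
    [string]$Domain = "contoso.com"   # placeholder: replace with one of your verified domains
)

# 1. DNS: device registration (Workplace Join) and MDM enrollment both rely on
#    CNAME records under your domain that point at the Microsoft service endpoints.
$expected = @{
    "enterpriseregistration.$Domain" = "enterpriseregistration.windows.net"
    "enterpriseenrollment.$Domain"   = "enterpriseenrollment.manage.microsoft.com"
}
foreach ($name in $expected.Keys) {
    $target = $expected[$name]
    try {
        $cname = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'CNAME' }).NameHost
    } catch {
        $cname = $null
    }
    if ($cname -eq $target) {
        Write-Host "OK       $name -> $cname"
    } else {
        Write-Warning "MISSING  $name should be a CNAME to $target (found: '$cname')"
    }
}

# 2. Tenant side: the policy that controls which users may register devices
#    (the All / Selected / None choice discussed above).
Connect-MsolService
Get-MsolDeviceRegistrationServicePolicy | Format-List

# 3. Devices already registered in Azure AD, grouped by how they were joined.
#    DeviceTrustType is assumed to be the property name exposed by MSOnline.
Get-MsolDevice -All |
    Group-Object DeviceTrustType |
    Select-Object Name, Count

# 4. On-premises side: with device write-back configured in AAD Connect,
#    registered devices appear as msDS-Device objects in the RegisteredDevices
#    container of the domain. Device-based conditional access in a hybrid
#    deployment depends on these objects existing.
$searchBase = "CN=RegisteredDevices,$((Get-ADDomain).DistinguishedName)"
try {
    $writtenBack = @(Get-ADObject -LDAPFilter "(objectClass=msDS-Device)" `
                                  -SearchBase $searchBase -ErrorAction Stop)
    Write-Host ("{0} device object(s) written back to {1}" -f $writtenBack.Count, $searchBase)
} catch {
    Write-Warning "RegisteredDevices container not found at $searchBase; device write-back is not enabled or has not run yet."
}
```

Run it from a machine that can reach both public DNS and a domain controller. An empty RegisteredDevices container with devices visible in step 3 is the usual sign that write-back has not been enabled in AAD Connect, which is exactly the gap that makes device-based conditional access policies fail silently in a hybrid setup.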