Step-by-Step guide to connect down-level devices to Azure AD (in hybrid environment)

Devices runs with Windows 10 and Windows Server 2016 can directly connect to Azure AD. I have used it on my last few posts and explain different features available for Domain Joined Devices. However not every device in an infrastructure runs with Windows 10 or Windows Server 2016. If it is cloud only environment, you can simply connect your VMs in Azure to Azure AD without issue. but if it is remote devices you do not have option than upgrading to windows 10 and windows 2016. In Hybrid Environment with some configuration changes, Azure AD allow to join devices runs with, 

Windows 8.1

Windows 7

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

In this demo, I am going to explain how we can connect these down-level devices to Azure AD. 

If it is hybrid environment, it will be either federated or non-federated environment. In this post, I am only going to focus on non-federated environment. The configuration and prerequisites are different from one method to another. 

In non-federated environment, 

1. You must have healthy AD synchronization using Azure AD Connect
2. If you are using Seamless single sign-on with Azure AD Connect, it is still supported configuration. more info about it can find using http://www.rebeladmin.com/2017/09/azure-active-directory-seamless-single-sign-azure-ad-seamless-sso/ 
3. If down-level devices are using roaming profiles it is not going to work with Azure AD. In that case you need to move to Windows 10
4. You need to have Azure Global Administrator Account and Domain Admin Account to do the configuration changes. 

Create Service Connection Point 
 
First step of the configuration is to create service connection point (SCP) in local AD so devices can discover Azure AD tenant information during the registration process. 
In order do that we need to run following PowerShell script in Azure AD Connect server. 

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";

$aadAdmin = Get-Credential;

Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount [AD connector account] -AzureADCredentials $aadAdmin;
 
In above,
 
$aadAdmin – Parameter is to represent the Azure AD admin account used in the configuration. 
 
[AD connector account] – This should replace with the AD account used for Azure AD Sync
 
Note – 
This must run from the server you have AD Connect configured
It is recommended to run it from Microsoft Azure Active Directory Module for PowerShell tool. If you use it you do not need to import the module. 
You must have AD DS tools installed on the same server otherwise command will fail. 
 
Azurec1
 
Verify Service Connection Point Details
 
After you run the command successfully we can verify SCP using,

$scp = New-Object System.DirectoryServices.DirectoryEntry;

$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=therebeladmin,DC=com";

$scp.Keywords;
 
In above DC=therebeladmin,DC=com represents the domain. 
 
If it was successful, you will get response like below. 
 
Azurec2
 
Allow Users to Join Devices to Azure AD
 
Before you joined the devices, first verify if you allow users to connect devices to Azure AD. 
To do that, 
 
1. Log in to Azure Portal
2. Go to Azure Active Directory 
3. Then Devices
 
Azurec3
 
4. Then click on Device Settings
 
Azurec4
 
5. Then the settings can find under, User may join devices to Azure AD option. In my demo setup, I am allowing all the users to join devices. 
 
Azurec5
 
Join down-level devices to Azure AD
 
Now we have all the prerequisites ready. Next step is to register device with Azure AD. In my demo, I have a VM which runs Windows 8.1. I am going to add it to Azure AD.
 
1. Log in to the Device as Administrator
 
 
Azurec6
 
3. Double click on the MSI after download and click on Install to proceed. 
 
Azurec7
 
Note – This VM is already part of the local domain. 
 
4. Then go to Start > Search > PC Settings after that click on Network 
 
Azurec8
 
5. The click on Workplace > Join
 
Azurec9
 
6. It will prompt for the login and provide the relevant password. 
 
Azurec10
 
7. After successful join, it will show following
 
Azurec11
 
8. Now I can see the device under Azure AD Devices. 
 
Azurec12
 
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Leave a Reply

Your email address will not be published. Required fields are marked *