Another upcoming feature of the Azure Active Directory service: Device Registration.
You may already be aware that with Windows Server 2012 R2, Windows 8 and ADFS 3.0, Microsoft introduced a feature called Workplace Join to allow and simplify BYOD (Bring Your Own Device): users can access corporate resources (and corporate Windows apps) WITHOUT being obliged to join the domain.
Now this feature is in preview on Azure too. The aim of this cloud device registration service is more to give administrators a way to view the registered devices (and the users associated with them) than to provide a complete cloud solution for this feature, as you still need to deploy ADFS 3.0 on-premises.
You should already have configured directory synchronization with Azure Active Directory; for those already using Office 365 synchronized with their AD, this is already done. For the others, just follow the same configuration steps as for integrating AD with Office 365. NOTE: the Directory Synchronization tool version used for this service MUST be 1.6862.0000.
- Log on to your Azure administration portal – https://manage.windowsazure.com/
- Go to the Directory section
- Then click on your Azure Active Directory and go to the Configure section
- Reach the Device Registration section to enable it – if you already have other AAD features available (like multi-factor authentication) you may have to scroll down
- Then define how many personal devices a user can join to the workplace and, if you have the multi-factor authentication feature enabled, whether it must be used when joining the workplace
That’s it, you are ready for the cloud Workplace Join feature.
The next step is to implement service discovery – of course; without this, there is no way to use this feature.
To do so, you must create a DNS record that points to the Azure service – this is exactly the same requirement as for the on-premises Workplace Join feature.
The DNS record is called enterpriseregistration on the domain used by your users (the part after the @) and must point to enterpriseregistration.windows.net.
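To check this service discovery requirement before users try to enrol, here is an added PowerShell example (not part of the original post) that resolves the enterpriseregistration record for every verified domain in the tenant and compares its target with enterpriseregistration.windows.net. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the function name Test-DrsDiscoveryRecord is my own.

```powershell
# Added example: verify the Workplace Join service-discovery record for each
# verified domain in the tenant. Assumes Connect-MsolService was already run.
$ExpectedTarget = 'enterpriseregistration.windows.net'

function Test-DrsDiscoveryRecord {
    param([Parameter(Mandatory)][string]$Domain)

    $name = "enterpriseregistration.$Domain"
    try {
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } |
                 Select-Object -First 1
    } catch {
        $cname = $null
    }

    if (-not $cname) {
        # No CNAME answer at all: users with this UPN suffix cannot discover DRS
        return [pscustomobject]@{ Domain = $Domain; Record = $name; Target = $null; Status = 'Missing' }
    }

    # Normalise trailing dot and case before comparing the CNAME target
    $target = $cname.NameHost.TrimEnd('.').ToLowerInvariant()
    $status = if ($target -eq $ExpectedTarget) { 'OK' } else { 'WrongTarget' }
    [pscustomobject]@{ Domain = $Domain; Record = $name; Target = $target; Status = $status }
}

# Check every verified domain; anything not reported as OK needs a DNS fix
Get-MsolDomain -Status Verified |
    ForEach-Object { Test-DrsDiscoveryRecord -Domain $_.Name } |
    Format-Table -AutoSize
```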
The final steps are to deploy and configure Federation Services 3.0 in your environment WITHOUT the option Configure a federation server with Device Registration Service (DRS), as DRS is deployed at the Azure level, and to federate it with Azure Active Directory.
This part is not covered by this post as there are already a lot of resources available on deploying and configuring ADFS 3.0.
Using the Azure Active Directory PowerShell module, run the command Enable-MSOnlineObjectManagement -ObjectTypes Device -TargetCredentials $AADCreds to enable the device object feature.
Tada, from then on your users can register their Windows 8 or iOS clients (for iOS they must use the https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/<yourdomainname> URL).
View registered devices
From the Azure Management portal, go to your Active Directory and, from the Users tab, click on a user account.
Under the Device tab you will see the device(s) they have registered – NOTE: you may have to use the drop-down menu to switch to the Registered devices view.