Understanding AADJ vs AADR

As you can imagine things have recently changed quite a bit in the modern workplace. People working from home has pushed the adoption of working remotely across the world. These days it can become a bit convoluted on how to manage an employee’s device, whether personal or company-owned. To clear some of the confusion, there are two concepts you’ll need to understand. Azure AD joined (AADJ) and Azure AD registered (AADR). This guide ultimately focuses on how to properly Azure AD join a device, but you’ll first need a breakdown of the difference between AADJ and AADR.  

Think of AADR as:  

  • Azure AD identifying your device but not requiring a corporate identity to authenticate into the device.  

  • Corporate authentication is needed when accessing company data (SharePoint, OneDrive, Teams, Outlook, etc.) 

  • Typically used for BYOD or non-corporate devices  

  • Used for meeting the minimum compliance or security requirements to access company resources. (Limited management with supervision over company data, not device) 

Think of AADJ as: 

  • Azure AD identifying your device and requiring a corporate identity to authenticate into the device. 

  • Corporate authentication is required to log on to the machine for accessing all company data. 

  • Typically used for corporate only devices 

  • Full management over the device with Intune. (Cool features: Autopilot, Windows Hello, & Self-Service password) 

So, we now have a better understanding of the two concepts. Let’s take a deeper dive into how we can Azure AD join a device and automatically import the hardware hash ID without manually uploading.

 

1.1 Configure your Windows Autopilot settings to automatically convert devices

  1. This is where the magic happens. With this feature enabled, all Azure AD joined devices will automatically have their hash ID imported into Intune’s device repository. Navigate to endpoint.microsoft.com to configure your Autopilot profile to target all devices associated to your assigned Autopilot Device Group.

 

1.2 Join Azure AD 

2. Click start and type “Connect to work or school” and click the setting that comes up 

3. Click connect in the setting menu that opens 

4. At the bottom of the Microsoft Account window, click “Join this device to Azure Active Directory”


5. In the next window, type the e-mail address of the account belonging to the domain you want to join.  

6. Take the proper steps for 2-factor authentication if necessary. 

7. Confirm that all organization information is correct, and click “Join”

1.3 Confirm Azure AD 

8. Confirm the device is Azure AD Joined by launching an elevated PowerShell prompt and typing “dsregcmd /status” This will display the current AAD joined status.

9. Once confirmed on the device, navigate to portal.azure.com to view the device status showing “Azure AD Joined.”


1.4 Account Setup  

10. At this point, migration is completed. Have the user sign in using their Company O365 credentials (Note: Please make sure all data is backed up before logging in).

1.5 Sync Windows Devices 

11. Every device that is AAD joined, and a member of your Windows Autopilot group (In this case Autopilot Devices Dynamic Group) will automatically import a Hardware Hash ID into the Window Devices repository.

12. After confirming the device as a member of your Autopilot group, run a sync in Windows Devices and you will see the device hardware hash ID imported into the repository (This last part can take from 15-20mins for it to populate).

Congratulations! In addition to learning how to successfully Azure AD join a device without manually importing the hash, you can now discern the difference between AADJ & AADR and determine which endpoint management best fits your environment based on what I’ve provided you.

 

Conclusion 

Are you taking advantage of all the modern capabilities of Microsoft 365? There are a ton of new features that can improve your employee experience and increase security. If you are curious about leveraging all the potentials, consider our Modern Work Accelerator. It’s a quick one-day consulting engagement designed to help you identify areas of strength and weakness in your IT. The program will give you insights on where you can make improvements and get quick wins. 

 


 

 Contact us to learn more!