Azure AD: Azure AD Join vs. Workplace Join

barkills posted this 04 December 2015

Does anyone understand the difference between these DeviceTrustType values? The published documentation around the Azure Device Registration Service and Azure AD Workplace Join seems to be focused on Windows 7 and Windows 8.1, not Windows 10. That documentation talks about two requirements, ADFS3 or newer and creating a very specific DNS record pointed at a Microsoft host to enable AAD Workplace Join. These requirements apparently are not required for Windows 10, because I have neither in my environment, but quite a few Windows 10 devices that have managed to do the AAD Workplace Join. To be clear, these are not Windows 10 devices that have done the AAD Device Join.

I was caught very off-guard when I discovered Windows 10 devices using this to do an AAD Workplace Join, because I naturally assumed that since we met neither of the requirements for AAD Workplace Join, it wasn’t possible. And yes, these are two different DeviceTrustType values. You can see examples of both in the blog post on the preview version of the msonline powershell module. If someone understands this space, or has links to share that might explain this, I’m all ears. I’m most interested in hearing:

a) what’s the difference in capabilities between the two types of “joins”? and why would you prefer one over another?

b) why does Windows 10 not need the requirements that prior Windows versions needed? And a corollary, will prior Windows versions continue to need those requirements for much longer?

-B
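One way to see how the two join types show up in a tenant (an added example, not code from barkills' post or from the msonline blog post): it assumes the MSOnline preview module's Get-MsolDevice cmdlet and that its output carries DeviceTrustType, DeviceOsType and DeviceOsVersion properties with the string values used below.

```powershell
# Added example: inventory Azure AD device objects by DeviceTrustType so you can see
# which Windows 10 machines ended up "Workplace Joined" rather than "Azure AD Joined".
# Assumptions: MSOnline preview module with Get-MsolDevice; trust type strings
# "Workplace Joined" / "Azure AD Joined" / "Domain Joined"; DeviceOsType "Windows"
# and a DeviceOsVersion that starts with "10." for Windows 10.
Import-Module MSOnline
Connect-MsolService   # prompts for a tenant admin credential

$devices = Get-MsolDevice -All

# Count of devices per trust type: the quickest way to spot an unexpected population.
$devices |
    Group-Object -Property DeviceTrustType |
    Select-Object @{ n = 'DeviceTrustType'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# The case described in the question: Windows 10 devices that registered (workplace join)
# even though the tenant has neither ADFS nor the enterpriseregistration DNS record.
$unexpected = $devices | Where-Object {
    $_.DeviceTrustType -eq 'Workplace Joined' -and
    $_.DeviceOsType    -eq 'Windows' -and
    $_.DeviceOsVersion -like '10.*'
}

# List them newest-activity first so the ones still in use are reviewed before stale objects.
$unexpected |
    Select-Object DisplayName, DeviceId, DeviceOsVersion, ApproximateLastLogonTimestamp |
    Sort-Object ApproximateLastLogonTimestamp -Descending |
    Format-Table -AutoSize
```

The same filter with `DeviceTrustType -eq 'Azure AD Joined'` gives the devices that did the full AAD Device Join, so the two populations can be compared side by side.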

joe posted this 04 December 2015

Good questions! I'm still trying to get up to speed with the Windows 10 behavior stuff but I'll do my best to shed some light.
Just to clarify first, these machines are "AAD joined" and not "add a workplace account" (workplace) joined, right?
My expectation here is that AAD join would do a device registration operation similar to workplace join in that the device would end up with a certificate and a device object in AAD. However, I don't really understand how the discovery mechanism works with AAD join or how you manage that in your tenant either. It would not surprise me if it worked without having to create the enterpriseregistration.<yourtenant> DNS entry.
One of the very confusing parts of Windows 10 workplace join is that there is different functionality depending on which build you are using. The original builds use the same type of registration approach as Windows 8.1, but the new stuff adds in the integration with the NG creds (Passport) stuff and also uses different discovery mechanisms in the enterprise (a service connection point instead of a DNS entry, to be more precise).
My not too thorough understanding of AAD Join is that it essentially takes over the device login while workplace join does not. Workplace join simply allows a device to be authenticated as part of the authentication flow and then to allow the admin to apply policy based on the device and not just the user. For example, a user could log in to a cloud app and the cloud app could be configured in Azure AD or ADFS to only allow access to users with a registered device (or perhaps a device that is known to be managed or compliant). However, the user isn't necessarily getting single sign on in that they'll need to type in a username and password in a login screen.
I suspect this is a partially helpful answer at best. :)
Joe K.


ZJORZ posted this 05 December 2015

I got the following: please see this document and see if it answers the question: https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices-overview/. The first overview document on that section talks about the differences: https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/
