Slide 1

Azure Active Directory Join BIAS
Alessandro Baggiossi, Marco Saracco

Slide 2

Agenda
• Device and User Identity Overview
• Azure AD Bias
• Q&A

Slide 3

Target Audience
• People interested in approaching Azure AD Join.
• People worried about the consequences of enabling Azure AD Join within their infrastructure.

Slide 4

Device and User Identity Overview

Slide 5

Device Identity (Join Types)

Hybrid Azure AD Join (HAADJ)
• Joined to on-prem AD
• Device registered in Azure AD
• Needs a DC to authenticate users
• Users log on with a domain account

Azure AD Join (AADJ)
• Joined to Azure AD only
• No DC needed to authenticate users
• Users log on with an Azure AD (work) account

Azure AD Registration
• BYOD scenarios
• Requires an Azure AD user account to access organizational resources
• Users log on with a local account or a Microsoft account

Slide 6

User Identity

On-Prem User
• User exists in the AD database
• User can access on-prem resources
• User cannot access cloud resources

Hybrid User
• User exists in the AD database
• User is synced to Azure AD with Azure AD Connect
• User can access on-prem resources
• User can access cloud resources

Cloud User
• User exists only in Azure AD
• User can access cloud resources
• User cannot access on-prem resources

Slide 7

Logon scenarios (which user type can log on to which join type)

                HAADJ   AADJ
On-prem User    Yes     No
Hybrid User     Yes     Yes
Cloud User      No      Yes

Primary identity provider (who authenticates the logon user):
• Hybrid Azure AD Join: Active Directory
• Azure AD Join: Azure Active Directory

Slide 8

Azure AD Bias

Slide 9

Bias #1: Hybrid users on AADJ computers cannot access on-prem resources! False!

Slide 10

Bias #1: Hybrid users on AADJ computers CAN ACCESS on-prem resources

Details:
• Azure AD includes the user's on-prem domain information in the PRT (Primary Refresh Token).
• The computer requests a user TGT from a DC when it has line of sight to one.
• The user can then access on-prem resources:
  • using Kerberos or NTLM
  • web apps configured for Windows Integrated Authentication (WIA)
https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
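A check for the state described above, written as an added example (it is not part of the original deck): it parses `dsregcmd /status` for the join and PRT state, tests DC line of sight with `nltest`, and looks in `klist` for an on-prem TGT. The domain name `corp.contoso.com` and the sample command output are constructed here for illustration.

```powershell
# Added example: verify that a hybrid user on an AADJ device has what on-prem
# SSO needs: a PRT, a reachable DC, and a user TGT obtained from that DC.
# Run as the logged-on hybrid user on the Azure AD joined device.

function Get-DsregState {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-OnPremTgt {
    # True when klist lists a krbtgt ticket for the given realm.
    param([string[]]$KlistLines, [string]$Realm)
    $pattern = "Server:\s*krbtgt/$([regex]::Escape($Realm))"
    return [bool]($KlistLines | Where-Object { $_ -match $pattern })
}

# Constructed sample output (illustration only) so the parsers run offline too.
$sampleDsreg = @(
    '           AzureAdJoined : YES'
    '            DomainJoined : NO'
    '              AzureAdPrt : YES'
    '               OnPremTgt : YES'
)
$sampleKlist = @(
    '#0>     Client: alice @ CORP.CONTOSO.COM'
    '        Server: krbtgt/CORP.CONTOSO.COM @ CORP.CONTOSO.COM'
)
$s = Get-DsregState $sampleDsreg
"Sample: AADJ=$($s.AzureAdJoined) PRT=$($s.AzureAdPrt) TGT=$(Test-OnPremTgt $sampleKlist 'CORP.CONTOSO.COM')"

# Live check on the device (assumed on-prem domain: corp.contoso.com).
$domain = 'corp.contoso.com'
$realm  = $domain.ToUpper()
$live = Get-DsregState (dsregcmd /status)
if ($live.AzureAdJoined -ne 'YES' -or $live.DomainJoined -ne 'NO') {
    Write-Warning "Not a pure Azure AD join (AzureAdJoined=$($live.AzureAdJoined), DomainJoined=$($live.DomainJoined))"
}
if ($live.AzureAdPrt -ne 'YES') {
    Write-Warning 'No PRT: the device cannot request an on-prem TGT on the user''s behalf'
}

# Line of sight: a DC must be reachable for the TGT request to succeed.
$dc = nltest "/dsgetdc:$domain" 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No DC found for $domain (expected off the corporate network without VPN)"
} else {
    # dsgetdc output contains a line like "DC: \\dc01.corp.contoso.com"
    Write-Host "DC line of sight: $($dc | Where-Object { $_ -match '^\s*DC:' })"
}

"On-prem TGT present: $(Test-OnPremTgt (klist) $realm)"
```

If the PRT is present but no TGT appears, run `klist purge` and lock/unlock the session after confirming the DC is reachable; the TGT is requested at logon/unlock, not continuously.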

Slide 11

Bias #2: Hybrid users on AADJ computers with Windows Hello for Business cannot access on-prem resources… False!

Slide 12

Bias #2: Hybrid users on AADJ computers with Windows Hello for Business CAN ACCESS on-prem resources!

With WHfB the client must validate the Kerberos response from the DC, which requires:
• A Kerberos Authentication certificate installed on the DCs
• The CRL published and reachable from the Azure AD joined client
• The root/intermediate CA certificates installed on the AAD joined clients
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base
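The three prerequisites above, checked from an Azure AD joined client; this is an added example, not from the deck or the linked docs. The root CA subject, CRL URL and DC name are assumptions for illustration, and the DC check runs over WinRM with the hybrid user's Kerberos ticket (it assumes that user can administer the DC).

```powershell
# Added example: check the WHfB on-prem SSO prerequisites from an AADJ client.
# All names below are assumptions for illustration.
$rootSubject = 'CN=Contoso Root CA'
$crlUrl      = 'http://pki.corp.contoso.com/crl/ContosoRootCA.crl'
$dcName      = 'dc01.corp.contoso.com'

# 1. Root and intermediate CA certificates present in the machine stores.
$root          = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $rootSubject
$intermediates = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Issuer  -eq $rootSubject
"Root present: $([bool]$root); intermediates issued by it: $(@($intermediates).Count)"

# 2. CRL reachable from the client. The client validates the DC certificate
#    chain during logon, so the CDP must be resolvable from an AADJ device.
$crlPath = Join-Path $env:TEMP 'check.crl'
try {
    Invoke-WebRequest -Uri $crlUrl -OutFile $crlPath -UseBasicParsing
    # certutil -dump parses the file; issuer and validity window are what matter.
    certutil -dump $crlPath | Select-String 'Issuer|ThisUpdate|NextUpdate'
} catch {
    Write-Warning "CRL download failed: $($_.Exception.Message)"
}

# 3. The DC holds a certificate with the KDC Authentication EKU
#    (1.3.6.1.5.2.3.5), which the Kerberos Authentication template issues.
$kdcEku = '1.3.6.1.5.2.3.5'
Invoke-Command -ComputerName $dcName -ArgumentList $kdcEku -ScriptBlock {
    param($eku)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $eku } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}
```

An empty result from step 3 is the usual cause of "the trust relationship... failed" style errors at WHfB logon on AADJ devices: the DC has only a legacy Domain Controller certificate, which lacks the KDC Authentication EKU.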

Slide 13

Bias #1 and #2 cautions

Any authentication based on the computer account in Active Directory will not work, because an AADJ device has no AD computer account. Some examples:
• File shares with permissions granted to computer accounts
• WiFi/LAN authentication (RADIUS) granted to computer accounts
• Applications that rely on computer account authentication

Slide 14

Bias #3: I can't manage AADJ devices, I don't have GPOs! False!

Slide 15

Bias #3: I CAN manage AADJ devices

Azure AD joined devices are managed through MDM:
• Intune standalone
• Intune and ConfigMgr in co-management
• Any 3rd-party MDM that supports deploying CSP policies
Remember: unlike GPOs, MDM policies report a feedback status about the deployment.

Slide 16

Bias #4: I use computer or user certificates, and AADJ computers cannot auto-enroll certificates! False!

Slide 17

Bias #4: Certificates CAN be enrolled!

Certificates from an internal Certification Authority can be enrolled on MDM-managed devices:
• Root and intermediate CA certificates are deployed via MDM policies
• User and device certificates are deployed via MDM policies using:
  • SCEP
  • PKCS
https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-scep-certificate-profiles#scep-communication-flow-overview

Slide 18

Bias #5: I can't connect to an AADJ device using RDP! False!

Slide 19

Bias #5: I CAN use RDP to connect to a remote AADJ device

• Both PCs must be running Windows 10, version 1607 or later.
• Your source device must be either:
  • Azure AD joined
  • Hybrid Azure AD joined
  • Azure AD registered (from Windows 10 2004)
• Both source and destination devices must be joined to the same Azure AD tenant.

Bonus: the Domain firewall profile never applies on AAD joined devices. There is no AD domain for Network Location Awareness to detect, so the active profile is always Private or Public; firewall rules scoped only to the Domain profile (including the built-in RDP rules, if scoped that way) never take effect.
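Preparing the target side of the scenario above, as an added example (not from the deck): it enables RDP, grants an Azure AD user logon rights in the `AzureAD\<UPN>` form the local group understands, and scopes the inbound rule to the profiles an AADJ device can actually be in. The UPN and rule name are assumptions; run it elevated on the destination device.

```powershell
# Added example: prepare an Azure AD joined target for RDP and avoid the
# Domain-profile trap. The UPN below is an assumption for illustration.
$rdpUser  = 'AzureAD\alice@contoso.com'
$ruleName = 'RDP in (AADJ)'

# Enable RDP and keep Network Level Authentication on.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1

# Grant the Azure AD user remote logon rights (non-admins need this group).
net localgroup "Remote Desktop Users" /add $rdpUser

# On an AADJ device the network category is never DomainAuthenticated.
Get-NetConnectionProfile | Select-Object Name, NetworkCategory

# Enabled RDP rules scoped only to the Domain profile are dead weight here.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
$rdpRules | Select-Object DisplayName, Profile, Direction
$domainOnly = $rdpRules | Where-Object { "$($_.Profile)" -eq 'Domain' }
if ($domainOnly) {
    Write-Warning "Domain-only rules (ineffective on AADJ): $($domainOnly.DisplayName -join ', ')"
}

# Explicit inbound rule for a profile that does apply. Private only; widen to
# Public deliberately and with -RemoteAddress if the device is used on open networks.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -Profile Private -Action Allow | Out-Null
}

# Confirm the listener is bound before testing from the source device.
Get-NetTCPConnection -LocalPort 3389 -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
```

From the source device (same tenant, as required above) connect with `mstsc /v:<hostname>` and enter the credentials as `AzureAD\alice@contoso.com`; if the connection is refused, compare the active `NetworkCategory` on the target with the `Profile` column of the rules before touching anything else.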

Slide 20

Why AAD Join is better than HAADJ
• Users can log on to AAD joined devices from anywhere:
  • The first logon can be completed without line of sight to a Domain Controller (good for the Intune Autopilot process).
• You can give join capability to workers in remote branch offices with limited on-premises infrastructure (simpler network topology).
• No need for a VPN or for being on the corporate network to receive configuration (MDM management required).

Slide 21

Session takeaways
• We recapped the Azure AD Join types and user identities
• We discussed common Azure AD Join biases
• We mentioned some of the benefits of Azure AD Join

Slide 22

Q&A