- September
Posted By : Zeng Yinghua (Sandy)
Devices Management: Azure AD Join vs. Azure AD Device Registration vs. Domain Join

For a start, please read this article: https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/. It explains the differences between the join types in detail.

So why am I writing this? As IT professionals, we can read those technical articles and understand terms like MDM, MAM, ConfigMgr/SCCM, AAD and GPO, but customers don't. When a customer wants a device management solution, they often ask "What kind of device management can you offer?" or "What kind of device management do you have?". Then we start telling them "use Intune MDM, or use ConfigMgr, or use both", and the customer has no idea what they want or what we can offer. And then we start talking about CYOD, BYOD...

Updated (Dec. 6, 2017): we can also have hybrid Azure AD joined devices (domain joined and Azure AD joined at the same time), and use the new co-management feature of ConfigMgr/Intune to manage them. The setup details are here: http://www.scconfigmgr.com/2017/11/23/how-to-setup-co-management-part-1/

OK, let's start all over again. Here are some options for customers (please correct me if I have understood any of this wrongly).

  1. Do you allow employees' personal devices to access company data? Examples: email, SharePoint documents.


    1) Yes, users are allowed to access company data without any controls –> Do nothing. (Not recommended.)

    2) Yes, users are allowed to access company data, and the company also has the right to control the device –> CYOD (Choose your own device):

    Use Azure AD join. Make sure users understand that the company can wipe their personal device remotely when necessary: an Azure AD joined device that is enrolled in Intune is managed as a corporate device, so a full device wipe is possible, not just removal of company data.

    Use Windows Information Protection (WIP) with enrollment, together with Azure Information Protection (AIP), to control data separation, leak protection and sharing protection.

    Use conditional access.

    3) Yes, access to company data is allowed with restrictions and conditions, but the company is not allowed to control the personal device –> BYOD (Bring your own device):

    Use Azure AD device registration.
    Use Windows Information Protection (WIP) without enrollment,
    together with Azure Information Protection (AIP).

    Here is an excellent article about WIP, written by Niall Brady.

    Use conditional access.

    4) No, block everything –> Tell your employees that it is not allowed. There are many ways to do that, but no details this time. 🙂

  2. Do you allow external users to access your company data from their own devices?

    Since the devices are not owned by your company, there is no other choice but BYOD.

  3. For company-owned devices that are domain joined: do you want more control over how users access company information?

    1) Yes. Use co-management. Note that co-management requires the devices to be hybrid Azure AD joined and enrolled in Intune, not only domain joined.
     Detailed setup:
     Use Windows Information Protection (WIP) with enrollment, together with Azure Information Protection (AIP), to control data separation, leak protection and sharing protection.
     Use conditional access.

    2) No –> Stay domain joined.


Simple understanding of CYOD, BYOD and domain joined

CYOD: The device can be personally owned or company owned, and it is under the company's control. The IT department can use ConfigMgr to deploy applications to the devices. (Managing Azure AD joined devices over the internet with ConfigMgr requires a cloud distribution point and a cloud management gateway.)

BYOD: The device is personally owned and the device itself is not under the company's control, but there are restrictions on how company internal information can be accessed.

Domain joined: The device is company owned (unless the company lets users join personal devices to the domain). The IT department can use ConfigMgr, GPO and other tools to control the devices.

Domain joined + Azure AD registration: Same as domain joined. Additionally you get single sign-on to Azure AD resources and can use WIP (without enrollment). Now that hybrid Azure AD join is available (see the update above), it is the preferred way to bring domain-joined devices into Azure AD; a device that ends up both hybrid joined and Azure AD registered is in a dual state that Microsoft advises against.
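Before picking one of the options above for an existing machine, it helps to know which state it is actually in. The following PowerShell is an added example, not code from the original post: it runs the built-in `dsregcmd /status` tool and maps the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields it prints onto the categories used in this post. The function name `Get-DeviceJoinState` is my own choice, and the sample output at the end is constructed (not captured from a real machine) so the example runs without a joined device.

```powershell
# Added example (not from the original post): classify a Windows 10 device into the
# join states discussed above by parsing the output of dsregcmd /status.
# dsregcmd is a built-in Windows tool; AzureAdJoined and DomainJoined come from its
# Device State section, WorkplaceJoined (Azure AD registered) from its User State
# section. The function name Get-DeviceJoinState is an assumption of this example.

function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Raw lines from dsregcmd /status. Defaults to running the tool on this machine.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    # Collect "Name : YES/NO" fields. Only the first occurrence of a name is kept;
    # the Device State section is printed before the User State section.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') {
            if (-not $fields.ContainsKey($Matches[1])) {
                $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
            }
        }
    }

    # A missing field evaluates to $false.
    $aadJoined  = [bool]$fields['AzureAdJoined']
    $domJoined  = [bool]$fields['DomainJoined']
    $registered = [bool]$fields['WorkplaceJoined']

    # Order matters: hybrid join is both flags set, and a domain-joined device can
    # additionally be Azure AD registered by the signed-in user.
    if ($aadJoined -and $domJoined) {
        $state = 'Hybrid Azure AD joined'
    } elseif ($aadJoined) {
        $state = 'Azure AD joined (CYOD in this post)'
    } elseif ($domJoined -and $registered) {
        $state = 'Domain joined + Azure AD registered'
    } elseif ($domJoined) {
        $state = 'Domain joined'
    } elseif ($registered) {
        $state = 'Azure AD registered (BYOD in this post)'
    } else {
        $state = 'Not joined or registered'
    }

    [pscustomobject]@{
        AzureAdJoined   = $aadJoined
        DomainJoined    = $domJoined
        WorkplaceJoined = $registered
        JoinState       = $state
    }
}

# Constructed sample output (not captured from a real machine): a domain-joined
# device whose signed-in user has also Azure AD registered it.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

# Expected JoinState for the sample: 'Domain joined + Azure AD registered'
Get-DeviceJoinState -StatusText $sample

# On a real machine, run it without parameters to inspect the local device:
# Get-DeviceJoinState
```

Run it as the user whose registration you want to check, because `WorkplaceJoined` is reported per user; the Device State fields are the same for everyone on the machine.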

