Do you have an Office365 account for your company domain (i.e. daknetworks.com) and email? Did you know that you can join your laptop or desktop to the Office365 domain?
Here are the links recommended for various aspects of 365.
Portal for Office365 individual accounts:
https://portal.office.com
Portal for Office365 tenant management and the rest of your domain:
https://admin.microsoft.com
Portal for Azure:
https://portal.azure.com
Portal of Azure Active Directory (AAD):
https://aad.portal.azure.com
Portal for EndPoint Manager (InTune):
https://endpoint.microsoft.com
(for another view: AAD > DEVICES)
Add MFA-methods for individual accounts (as individual account):
https://mysignins.microsoft.com/security-info
Add MFA settings for individual accounts (as admin account):
AAD > USERS > PER-USER-MFA (at the top)
Or:
https://admin.microsoft.com > SETTINGS > ORG-SETTINGS
-click MULTIFACTOR-AUTHENTICATION
For fine-grain control of Exchange:
-click MODERN-AUTHENTICATION
Add MFA for entire account:
AAD > PROPERTIES > MANAGE-SECURITY-DEFAULTS
AZURE ACTIVE DIRECTORY
Once here, you are welcomed with so many services it is hard to keep them straight. What we are interested in is Azure-Active-Directory. Once you click on Azure-Active-Directory, you will see more options. Let's cover the basics.
USERS
Clicking on USERS will show you the users in your company. These naturally mirror the email accounts as you can't have an email account without having an Azure-Active-Directory account. But that might not be obvious if this is new to you.
GROUPS
Clicking on GROUPS is similar.
DEVICES
DEVICES will show all the DEVICES that are REGISTERED or JOINED. What's the difference?
REGISTERED allows the company to control the device. This is what happens with your iPhone (because who in their right mind would use Android). When you add your Office365 company email address to the phone, the company can control your iPhone. You might not know that. But it is nonetheless true. They can take the email account off the phone without your permission or they can wipe your entire iPhone without your permission.
The same is true for Windows 10 laptops/desktops. If you add your Office365 company email address to Outlook, the company can control your computer in some ways. Just like your iPhone, your computer is still accessible by you with the password that you set up when you brought the computer home from the store or received it in the mail/ups/fedex/amazon package. But your company can control some of the items on your computer.
JOINED is what we think of in a traditional computer setup for a small company with an on-site server. When a computer is JOINED, any user in the company can login to that computer without having to setup the password locally. All the usernames/passwords are kept on a centrally located "invitation list."
JOIN COMPUTER TO AZURE ACTIVE DIRECTORY
So how do you do that?
- -click START > SETTINGS > ACCOUNTS
- -click ACCESS-WORK-OR-SCHOOL (on the left-hand side).
- -click CONNECT.
- -click JOIN-THIS-DEVICE-TO-AZURE-ACTIVE-DIRECTORY.
- -type in your email-address.
- -click NEXT.
- -type in your email-password.
- -click SIGN-IN > JOIN > DONE.
MAGIC TO GET AROUND YOUR ORGANIZATION REQUIRES HELLO
There's a step here where, if we continue, Windows will want to replace your password with a PIN. Let's get around this.
- -click START > RUN.
- -type: gpedit.msc
- -click Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business (on the left-hand side).
- -click Use Windows Hello for Business (in the middle).
- -click DISABLED.
- -click OK.
- -restart your computer to make sure it survives reboot.
LOGIN WITH AZURE ACTIVE DIRECTORY
At the login screen,
- -click OTHER-USER (at the bottom-left).
- -type in your email-address.
- -type in your email-password.
Once you do, a whole new world begins. Now you can use your email-address and email-password to access the computer. You might notice that it automatically has your name from your email address. This is some of the power of JOINING to an Azure-Active-Directory.
Note that when you do this, the process creates a new user on the computer so your DESKTOP, DOCUMENTS, PHOTOS, VIDEOS will all be reset to a fresh set. Any items you might have had are still in the other username and password. This can be manually transferred from the other account if needed.
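As an added check (this is not from the original post), the following PowerShell confirms from the command line what the steps above should have produced: whether the computer is JOINED or only REGISTERED, which tenant it belongs to, and whether the "Use Windows Hello for Business" policy you set in gpedit actually took effect. It assumes Windows 10's built-in dsregcmd.exe and the registry key that policy writes to (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork).

```powershell
# Added example, not part of the original post. Run in PowerShell on the
# computer you just joined; dsregcmd.exe ships with Windows 10.

function Get-AadJoinState {
    # dsregcmd /status prints "Name : Value" lines grouped under section
    # headers; collect every Name : Value pair into a hashtable.
    $fields = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    # JOINED (AzureAdJoined) vs REGISTERED (WorkplaceJoined) as described above.
    $state = if ($fields['AzureAdJoined'] -eq 'YES') { 'JOINED' }
             elseif ($fields['WorkplaceJoined'] -eq 'YES') { 'REGISTERED' }
             else { 'NONE' }
    [pscustomobject]@{
        State      = $state
        TenantName = $fields['TenantName']
        DeviceId   = $fields['DeviceId']
    }
}

function Get-HelloForBusinessPolicy {
    # The gpedit setting "Use Windows Hello for Business" is stored here:
    # Enabled = 0 means Disabled, 1 means Enabled, missing = Not Configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    switch ($value) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { 'Not Configured' }
    }
}

Get-AadJoinState | Format-List
"Windows Hello for Business policy: $(Get-HelloForBusinessPolicy)"
```

If State reads JOINED and the DeviceId is populated, the same DeviceId is what you will see under Azure-Active-Directory > DEVICES.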
NOTES
I could go on and on about the benefits of this:
- this computer now shows in Azure-Active-Directory > DEVICES section.
- if you open EDGE, go to https://portal.office.com you are automatically logged in and can download and install the software.
- if you open OUTLOOK, your account is automatically found and set up.
In addition, I could go on and on about the number of misleading videos and long-winded documents I had to travel through to get this far. Here are some of them:
https://docs.microsoft.com/en-us/azure/active-directory/devices/overview
https://www.youtube.com/watch?v=AZrtCtj4rTs