Windows Active Directory

How to manage device identities with Azure AD

When a device is registered with or joined to Azure AD (now Microsoft Entra ID), it gets a directory object known as a device identity. Administrators use this identity to see the device's configuration, capabilities and security posture and, through Conditional Access, to decide whether it may reach resources, applications and data. Azure AD provides a centralized point of identity control, allowing organizations to vary access requirements by a device's identity, location and risk level. Integration with Microsoft Endpoint Manager (Intune) lets administrators manage devices, deploy applications and enforce compliance policies from one place.

Types of device identities in Azure AD

Azure AD registered

  • Definition: registered to Azure AD without requiring an organizational account to sign in to the device

  • Primary audience: bring your own device (BYOD) and mobile devices

  • Device ownership: user or organization

  • Key capabilities:

      • single sign-on (SSO) to cloud resources

      • Conditional Access when enrolled in Intune

      • Conditional Access via app protection policy

      • phone sign-in with Microsoft Authenticator

  • When used: to access corporate resources from personally owned mobile devices or home PCs

Azure AD joined

  • Definition: joined only to Azure AD, requiring an organizational account to sign in to the device

  • Primary audience: both cloud-only and hybrid organizations

  • Device ownership: organization

  • Key capabilities:

      • SSO to both cloud and on-premises resources

      • Conditional Access through mobile device management (MDM) enrolment and MDM compliance evaluation

      • self-service password reset and Windows Hello PIN reset on the lock screen

      • Enterprise State Roaming

  • When used:

      • transitioning to a cloud-based infrastructure

      • giving workers in remote branch offices with limited on-premises infrastructure a way to join devices

      • accessing Microsoft 365 or other SaaS apps integrated with Azure AD

Hybrid Azure AD joined

  • Definition: joined to on-premises AD and Azure AD, requiring an organizational account to sign in to the device

  • Primary audience: hybrid organizations with existing on-premises AD infrastructure

  • Device ownership: organization

  • Key capabilities: the same as Azure AD joined

      • SSO to both cloud and on-premises resources

      • Conditional Access through mobile device management (MDM) enrolment and MDM compliance evaluation

      • self-service password reset and Windows Hello PIN reset on the lock screen

      • Enterprise State Roaming

  • When used:

      • to continue using Group Policy to manage device configuration

      • to use existing imaging solutions to deploy and configure devices

      • to support down-level Windows 7 and 8.1 devices in addition to Windows 10

On a Windows device, dsregcmd /status reports which of these states applies (the AzureAdJoined, DomainJoined and WorkplaceJoined fields) and whether a Primary Refresh Token is currently held (AzureAdPrt), which is the quickest way to confirm what a device's identity in the directory actually corresponds to.

How to manage device identities with Azure AD:

Pre-requisites:

You must be the device's owner or hold one of the following roles: Cloud Device Administrator, Global Administrator, Helpdesk Administrator, Intune Service Administrator, Security Administrator, or Security Reader. Security Reader can view devices but not change them; disabling, enabling and deleting a device need one of the administrator roles.

1. To disable a device:

Disabling a device blocks it from obtaining new tokens for resources protected by Azure AD: the Primary Refresh Token (PRT) and any other refresh tokens on the device are revoked, so the user can no longer sign in from it. Access tokens that were already issued stay valid until they expire, so revocation is not instantaneous; treat disabling as the first step when a device is lost or suspected of compromise, not the only one. The device object and its registration are kept, so the device can be enabled again later.

  1. Sign in to the Microsoft Entra admin center (or the Azure portal) with an account holding one of the roles listed above.

  2. Identity → Devices → Overview → All devices

1.1 For one or more devices

Select the check box next to each device in the list; the toolbar at the top of the page will show Disable. Click it and confirm.

1.2 For a specific device

Click on the device → Properties, then click Disable on the toolbar and confirm.

2. To enable a device:

Enabling reverses a disable: the device can request tokens again, but the user has to sign in afresh because the revoked PRT is not restored. Follow steps 1 and 2 listed above in section 1.

2.1 For one or more devices

Select the check box next to each device in the list; the toolbar at the top of the page will show Enable. Click it and confirm.

2.2 For a specific device

Click on the device → Properties, then click Enable on the toolbar and confirm.

3. To delete a device:

Note: deleting is irreversible. The device object is removed together with everything attached to it, including any BitLocker recovery keys stored for a Windows device, and the device has to be registered or joined again before it can access resources. Disable first, and delete only once the device is confirmed retired.

Follow steps 1 and 2 listed above in section 1.

3.1 For one or more devices

Select the check box next to each device in the list; the toolbar at the top of the page will show Delete. Click it and click Yes in the confirmation pop-up window.

3.2 For a specific device

  1. Click on the device → Properties

  2. The toolbar will appear at the top of the page; click Delete and then Yes in the confirmation pop-up window.

4. To obtain or copy a Device ID:

Every device carries two identifiers, and it matters which one you copy. The Device ID is the deviceId attribute the device itself presents when it authenticates; it is what appears in sign-in logs, Conditional Access reports and dsregcmd /status output, and it is the value used for auditing and troubleshooting. The Object ID is the identifier of the directory object, and it is the key that the Microsoft Graph API and PowerShell cmdlets use for update and delete operations.

  1. All devices → Select Device → Properties

  2. Copy the Device ID or the Object ID from the properties pane as needed.
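The disable, enable, delete and look-up steps of sections 1 to 4, done with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original article: it assumes the Microsoft.Graph module is installed and the signed-in account holds one of the administrator roles from the prerequisites, and the GUID in the usage lines is a placeholder rather than a real device.

```powershell
# Added example (not from the original article): the disable / enable / delete / look-up steps
# above, done with the Microsoft Graph PowerShell SDK instead of the portal. Assumes the
# Microsoft.Graph module and an account with one of the administrator roles from the prerequisites.
# The GUID in the usage lines is a placeholder, not a real device.

Connect-MgGraph -Scopes "Device.ReadWrite.All"

# The portal shows two identifiers for every device. "Device ID" is the deviceId attribute the
# device itself presents when it authenticates (it is what sign-in logs and dsregcmd /status
# show); "Object ID" is the id of the directory object. Graph cmdlets key on the object id, so
# a look-up that starts from the portal's Device ID has to go through a filter.
function Get-DeviceByDeviceId {
    param([Parameter(Mandatory)][string]$DeviceId)   # the deviceId attribute, not the object id
    $dev = Get-MgDevice -Filter "deviceId eq '$DeviceId'"
    if (-not $dev) { throw "No device with deviceId $DeviceId" }
    return $dev
}

function Set-DeviceEnabledState {
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $dev = Get-DeviceByDeviceId $DeviceId
    # accountEnabled is the property the portal's Disable / Enable buttons toggle. Setting it to
    # false revokes the PRT and refresh tokens; access tokens already issued live until expiry.
    Update-MgDevice -DeviceId $dev.Id -AccountEnabled:$Enabled
    # Re-read so the caller sees the stored state, not what was requested.
    Get-MgDevice -DeviceId $dev.Id | Select-Object DisplayName, DeviceId, Id, AccountEnabled, TrustType
}

function Remove-DeviceIdentity {
    param([Parameter(Mandatory)][string]$DeviceId)
    $dev = Get-DeviceByDeviceId $DeviceId
    if ($dev.AccountEnabled) {
        # Deletion is irreversible; insist on disable-first so a mistake is still recoverable.
        throw "Device $($dev.DisplayName) is still enabled; disable it and confirm it is retired before deleting"
    }
    Remove-MgDevice -DeviceId $dev.Id -Confirm:$true
}

# Usage (placeholder deviceId):
# Set-DeviceEnabledState -DeviceId "00000000-0000-0000-0000-000000000000" -Enabled $false
# Set-DeviceEnabledState -DeviceId "00000000-0000-0000-0000-000000000000" -Enabled $true
# Remove-DeviceIdentity  -DeviceId "00000000-0000-0000-0000-000000000000"
```

The guard in Remove-DeviceIdentity is a policy choice for this example rather than anything Azure AD enforces: the directory will happily delete an enabled device, which is exactly why a script that runs against many devices should refuse to.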

5. Manage BitLocker keys:

BitLocker encrypts the volumes of a Windows device. The recovery key (a 48-digit recovery password, identified by a key ID) is what unlocks a volume when the normal protector fails, for example after a TPM reset, a firmware change, or when the drive is moved to another machine. For Azure AD joined and hybrid Azure AD joined devices the recovery keys can be backed up to Azure AD, and an administrator with one of the roles above can view them from the device's page (select the device → BitLocker keys). Treat a recovery key as equivalent to the data on the disk: reading one is a privileged operation, every read is written to the audit log, and keys should be looked up on demand rather than exported in bulk.

6. Download devices:

The Download devices option allows Global Readers, Cloud Device Administrators, Intune Administrators and Global Administrators to export a CSV file listing devices. Use filters such as Enabled state or Join type to decide which devices to list.

Note: the export task runs for at most one hour; on large tenants, narrow the filters so the export completes within that limit.

The exported list includes the following device identity attributes: displayName, accountEnabled, operatingSystem, operatingSystemVersion, joinType (trustType), registeredOwners, userNames, mdmDisplayName, isCompliant, registrationTime, approximateLastSignInDateTime, deviceId, isManaged, objectId, profileType, systemLabels, model.
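The same export as the portal's Download devices button, done with the Microsoft Graph PowerShell SDK so the join-type and enabled-state filters can be applied in a script and the result scheduled or post-processed. This is an added example, not code from the original article; it assumes the Microsoft.Graph module and a role that can read devices, and the output path and the 90-day stale threshold are assumptions chosen for the example, not portal defaults.

```powershell
# Added example (not from the original article): reproduce the portal's "Download devices" export
# with the Microsoft Graph PowerShell SDK, filtered by join type and enabled state. Assumes the
# Microsoft.Graph module and a role that can read devices (Global Reader or one of the
# administrator roles above). The output path and the 90-day stale threshold are assumptions
# for this example, not portal defaults.

Connect-MgGraph -Scopes "Device.Read.All"

function Export-DeviceInventory {
    param(
        [string]$OutputPath = ".\devices.csv",
        # trustType values: Workplace = Azure AD registered, AzureAd = Azure AD joined, ServerAd = hybrid joined
        [ValidateSet('All', 'Workplace', 'AzureAd', 'ServerAd')][string]$JoinType = 'All',
        [ValidateSet('All', 'Enabled', 'Disabled')][string]$EnabledState = 'All',
        [int]$StaleAfterDays = 90
    )
    $clauses = @()
    if ($JoinType -ne 'All')     { $clauses += "trustType eq '$JoinType'" }
    if ($EnabledState -ne 'All') { $clauses += "accountEnabled eq $(($EnabledState -eq 'Enabled').ToString().ToLower())" }

    # ConsistencyLevel eventual + $count enables server-side filtering on every filterable property.
    $params = @{ All = $true; ConsistencyLevel = 'eventual'; CountVariable = 'total' }
    if ($clauses) { $params.Filter = $clauses -join ' and ' }
    $devices = Get-MgDevice @params
    $cutoff  = (Get-Date).AddDays(-$StaleAfterDays)

    $rows = foreach ($d in $devices) {
        # registeredOwners needs a second call per device; drop it for very large tenants.
        $owners = Get-MgDeviceRegisteredOwner -DeviceId $d.Id -All |
                  ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
        [pscustomobject]@{
            displayName                   = $d.DisplayName
            accountEnabled                = $d.AccountEnabled
            operatingSystem               = $d.OperatingSystem
            operatingSystemVersion        = $d.OperatingSystemVersion
            trustType                     = $d.TrustType
            registeredOwners              = $owners -join ';'
            isCompliant                   = $d.IsCompliant
            isManaged                     = $d.IsManaged
            registrationTime              = $d.RegistrationDateTime
            approximateLastSignInDateTime = $d.ApproximateLastSignInDateTime
            deviceId                      = $d.DeviceId
            objectId                      = $d.Id
            profileType                   = $d.ProfileType
            model                         = $d.Model
            # Extra column, not in the portal export: no sign-in within the threshold.
            stale = [bool]($d.ApproximateLastSignInDateTime -and $d.ApproximateLastSignInDateTime -lt $cutoff)
        }
    }
    $rows | Export-Csv -Path $OutputPath -NoTypeInformation
    return $rows
}

# Usage: stale, already-disabled hybrid-joined devices are the usual delete candidates.
# Export-DeviceInventory -JoinType ServerAd -EnabledState Disabled | Where-Object stale
```

The stale column is the check the portal export does not give you: a device that has not signed in for months but is still enabled still holds a valid registration, so the disable-then-delete cleanup in sections 1 and 3 is usually driven from exactly this list.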

7. Configure device settings:

To manage device identities with Azure AD, the devices first have to be registered with or joined to Azure AD. Who is allowed to do that, and under what conditions, is controlled by the tenant's device settings (Identity → Devices → Overview → Device settings), which only a Global Administrator or a Cloud Device Administrator can change.

8. Audit logs:

Audit logs record who did what to which device object, which supports monitoring, auditing and troubleshooting. The default list view shows the date and time, the target (the device object), the initiator (the user or service that acted) and the activity, for example updating, deleting or reading a BitLocker key for a device.
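Sections 5 and 8 together, as an added example that is not code from the original article: retrieving a device's BitLocker recovery keys through the Microsoft Graph PowerShell SDK, and then querying the audit log to see who has read recovery keys. It assumes the Microsoft.Graph module and a signed-in user with one of the roles above; BitLockerKey.Read.All is a delegated permission, so an app-only token will not work. The deviceId in the usage line is a placeholder.

```powershell
# Added example (not from the original article): read a device's BitLocker recovery keys from
# Azure AD with the Microsoft Graph PowerShell SDK, then confirm the read was audited.
# Assumes the Microsoft.Graph module; the deviceId in the usage line is a placeholder.
# BitLockerKey.Read.All is delegated only: a signed-in user holding an eligible role is
# required, not an app-only token.

Connect-MgGraph -Scopes "BitLockerKey.Read.All", "AuditLog.Read.All"

function Get-DeviceBitLockerKeys {
    param([Parameter(Mandatory)][string]$DeviceId)   # the deviceId attribute (portal "Device ID"), not the object ID
    # Listing returns key metadata only (id, volume type, creation time). The recovery
    # password itself must be requested per key with an explicit $select=key, and each
    # such request is what shows up in the audit log.
    $keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'"
    foreach ($k in $keys) {
        $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $k.Id -Property "key"
        [pscustomobject]@{
            KeyId       = $k.Id             # matches the Key ID BitLocker shows on the recovery screen
            VolumeType  = $k.VolumeType     # operatingSystemVolume, fixedDataVolume or removableDataVolume
            Created     = $k.CreatedDateTime
            RecoveryKey = $full.Key         # 48-digit recovery password; handle as a secret, do not log or export
        }
    }
}

function Get-BitLockerKeyReadAudit {
    param([int]$Days = 7)
    # Every read of a recovery key is recorded in the directory audit log (KeyManagement
    # category, activity "Read BitLocker key"); review it to see who retrieved keys and when.
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("o")
    Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Read BitLocker key' and activityDateTime ge $since" |
        ForEach-Object {
            [pscustomobject]@{
                When   = $_.ActivityDateTime
                Who    = $_.InitiatedBy.User.UserPrincipalName
                Result = $_.Result
                Target = ($_.TargetResources | ForEach-Object DisplayName) -join ';'
            }
        }
}

# Usage (placeholder deviceId):
# Get-DeviceBitLockerKeys -DeviceId "00000000-0000-0000-0000-000000000000"
# Get-BitLockerKeyReadAudit -Days 30
```

Run the audit query routinely rather than only after an incident: a recovery key read by an account that has no helpdesk reason to need it is one of the few directory events that maps directly to a possible loss of data on a specific disk.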

All these features make Azure AD a reliable solution for organizations aiming to streamline security and manage device identities efficiently.
