Windows 10: Does disabling a domain-joined device in Azure AD prevent local sign-in using PIN?

This query relates to a standard Windows 10/Office 365 Business Premium subscription, on a domain-joined device - with no other local accounts created (aside from local Admin, not shared with employees).


The O365 support team confirmed that resetting a password/signing out now does prevent a user from logging into a domain-joined device using their Office email and password.


However they could not confirm if this also blocked the user from logging into the device using the Office email and PIN (i.e. whether the PIN was locally cached somehow). Nor if disabling the device in Azure AD prevents any log in to the local device.


Does anyone have any insights they could share?

:)

 

Join Windows 10 PC to a Domain  

That would explain it.

Active Directory is the way, the tool local domains use for user control and management. There are three different methods a user / device can join AD: joining local domain and signing in with domain credentials, joining through Azure AD and signing in with Azure AD credentials, and the "lowest level" so called workplace join, connect a local or Microsoft sign-in account to an Azure AD (workplace) account.

Joining a local domain and Azure AD basically is the same. Of course there are administrative differences from IT departement's point of view, but for the most the only difference end user sees is the sign-in credentials.

Once you have joined a local domain, you cannot join Azure AD, and vice versa. It's one or the other.

Joining Azure AD instead of joining a domain is in my opinion the future, Microsoft's clear goal being to get corporate users to move from local domains and on-premises domain controllers to Azure AD. I posted an opinion piece about that just a few days ago on my site: Secure Windows on a Secure Device Win10.Guru

Azure AD gives you two levels to join: Workplace join simply adds your Azure AD account to Windows 10 for single-sign-on to all your workplace services, but you will continue signing in to Windows with your current local or Microsoft account:




This will be shown as a connected account:




As you will continue signing in with your local or Microsoft account, you are still pretty much in control. You can use workplace services, company store and such but IT admin cannot set up any restrictions on your device. A workplace joined user / device can still join a local domain.

If you select Join Azure AD instead, your sign-in account will be changed to Azure AD account. This is shown as Azure AD joined:




Once joined to Azure AD, joining a local domain is no longer possible.

I'm not sure if the above explains this clear enough. The point is, a local domain and Azure AD effectively chooses the way you are joined to your workplace. Only one of these methods to join can be used.

 

Image W10 workstations for Azure AD join?


Hi All,

I want to image Windows 10; but more importantly I need to join Azure AD 'Out of the Box'!

I don't have a 'master' Azure AD account. I am not even sure that such a thing exits, e.g.: the Administrator account on a standard Active Directory Domain.

Where should I be looking for configuration, where it comes to Azure AD automatic joining?

My thoughts are PowerShell DST! But that is just a rumour.

Any suggestions would be amazing.

Regards,

Davo

 

Joining a Windows 10 Pro machine to Azure AD without linking/registering an employees email address to that computer

I have been researching for a few weeks now trying to figure out how to join Azure AD for new purchased machines when setting up the machine.

I have two different scenarios that would be joining azure AD.

1. Shipping a machine that has not been setup yet directly to an employee's location. I have to walk through step by step on how to configure settings, join the azure domain, and how to download a program or two. Is their a Microsoft process that I can put
information into that knows that computer needs to join our azure domain? I do not wish to sign in with my credentials to join the azure domain each time we order a new computer.

2. If my company has a windows 10 Home edition machine that we would want to add to our Azure AD, We purchase a windows 10 pro license and activate it under the settings. our next step is going into the settings to join an azure AD domain through a Microsoft
account, however I do not wish to register my account on every computer in our environment. Is their a way to have this computer join azure AD with some sort of a token or activation process? The second issue to this scenario is after joining the azure AD
with my credentials the local admin account is still active and I need to then go through the process of logging in and removing this account.

What would be the best process of joining my environments machines to our Azure AD network without having to register my account with each computer?