
Azure AD Scenarios

Brad Stevens edited this page Mar 16, 2020 · 7 revisions

Azure AD Join

Windows 10 systems can be ‘Azure AD Joined’ to an ‘Azure AD’ instance and show up under ‘Devices’. Depending on the ‘Azure AD’ settings, users and admins can associate a system with an ‘Azure AD’ identity, allowing login to the system with ‘Azure AD’ credentials. This creates a cached local account that is associated with that identity and is named ‘AzureAD\Username’.

This type of account is not supported by JumpCloud takeover when binding users to a system; it would create a new ‘local profile’ instead. In this example, if the JumpCloud username were ‘BradStevens’, binding would create ‘10PRO1809-1\BradStevens’ and would not sync/link with the ‘AzureAD\BradStevens’ profile.

The ADMU Migration script can convert this account to a ‘local profile’.

This is achieved by passing the -AzureADProfile $true parameter.

To run the ADMU from PowerShell, first load functions.ps1, then run the 'Start-Migration' command in the same session, as in the example below:

[Screenshot: ps-azureadprofile]

Example migration of the Azure AD user ‘tcruise’:

Start-Migration -DomainUserName 'tcruise' -JumpCloudUserName 'tom.cruise' -TempPassword 'Temp123!' -JumpCloudConnectKey '4e7699c4c1c1e3126fb627240723cb3g292ebc75' -AcceptEULA $true -InstallJCAgent $true -AzureADProfile $true

[Screenshot: azure_ad_joined]

[Screenshot: azure_ad_profiles]

Visit Microsoft's site for additional documentation on Azure AD joined devices.

Azure AD Registration

A system can also be ‘registered’ to ‘Azure AD’. This use case is primarily for BYOD devices in which complete control of the system is not required.

A system may be Azure AD registered in Windows 10 under Settings, Accounts, Access work or school, Connect. This registration is independent of any user profile and is simply associated with the underlying system. As long as a profile is managed by JumpCloud, it can co-exist with Azure AD Registered devices, whereas the ‘Azure AD Join’ scenario requires account conversion.

[Screenshot: azure_ad_registered]

[Screenshot: azure_ad_bind]

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register

Azure AD Hybrid Join

A system that is both bound to a domain and Azure AD joined is considered to be Hybrid Azure AD Joined. Hybrid Azure AD Joined systems can be managed within ‘Azure AD’; however, management is more limited than with the other Windows 10 join options (you cannot sign into the system with an Azure AD account). A user profile in this state is not supported by JumpCloud takeover. Achieving JumpCloud takeover requires the ADMU to unbind the system and convert the domain-based profile on it.

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
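The three scenarios on this page (Azure AD Join, Azure AD Registration, Hybrid Azure AD Join) can be told apart before running the ADMU. The following pre-flight script is an added example written for this page; it is not part of the JumpCloud ADMU project or its functions.ps1. It reads the device state from dsregcmd /status, lists the cached ‘AzureAD\<user>’ profiles (Azure AD identities are issued SIDs under the S-1-12-1- authority in the ProfileList registry key), and only in the Azure AD Join case runs the Start-Migration call shown above with -AzureADProfile $true. The functions.ps1 path, the connect key value and the Invoke-AdmuPreflight function name are assumptions, not ADMU conventions.

```powershell
# Added example for this wiki page; not part of the JumpCloud ADMU code base.
# Assumptions: -FunctionsPath and -ConnectKey are placeholders to replace;
# run from an elevated PowerShell session on the Windows 10 system itself.

function Get-AzureAdDeviceState {
    # dsregcmd /status prints "Name : YES|NO" lines; read the three that matter.
    # WorkplaceJoined (registration) is reported for the user running the command.
    $status = dsregcmd /status
    $state = @{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined') {
        $line = $status |
            Where-Object { $_ -match "^\s*$key\s*:\s*(YES|NO)\s*$" } |
            Select-Object -First 1
        $state[$key] = [bool]($line -match ':\s*YES')
    }
    # Map the flags onto the scenarios described on this page.
    $scenario = if ($state.AzureAdJoined -and $state.DomainJoined) { 'HybridAzureAdJoined' }
                elseif ($state.AzureAdJoined) { 'AzureAdJoined' }
                elseif ($state.WorkplaceJoined) { 'AzureAdRegistered' }
                else { 'NotJoined' }
    [pscustomobject]@{ Scenario = $scenario; Flags = $state }
}

function Get-AzureAdUserProfiles {
    # Cached 'AzureAD\<user>' profiles carry SIDs beginning with S-1-12-1-;
    # these are the profiles JumpCloud takeover cannot bind to directly.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem $profileList |
        Where-Object { $_.PSChildName -like 'S-1-12-1-*' } |
        ForEach-Object {
            [pscustomobject]@{
                Sid         = $_.PSChildName
                ProfilePath = (Get-ItemProperty $_.PSPath).ProfileImagePath
            }
        }
}

function Invoke-AdmuPreflight {
    param(
        [switch]$Migrate,                                   # actually run Start-Migration
        [string]$FunctionsPath = 'C:\ADMU\functions.ps1',  # assumed location of the ADMU script
        [string]$ConnectKey = '<jumpcloud-connect-key>'    # placeholder, use your own key
    )
    $device   = Get-AzureAdDeviceState
    $profiles = @(Get-AzureAdUserProfiles)
    Write-Output "Device scenario: $($device.Scenario)"
    Write-Output "Azure AD user profiles found: $($profiles.Count)"
    $profiles | ForEach-Object { Write-Output "  $($_.Sid)  $($_.ProfilePath)" }

    switch ($device.Scenario) {
        'AzureAdJoined' {
            Write-Output 'Azure AD Join: cached AzureAD\<user> profiles must be converted with -AzureADProfile $true.'
            if ($Migrate) {
                . $FunctionsPath   # load the ADMU functions into this session
                Start-Migration -DomainUserName 'tcruise' -JumpCloudUserName 'tom.cruise' `
                    -TempPassword 'Temp123!' -JumpCloudConnectKey $ConnectKey `
                    -AcceptEULA $true -InstallJCAgent $true -AzureADProfile $true
            }
        }
        'AzureAdRegistered'   { Write-Output 'Azure AD Registration: JumpCloud-managed profiles can co-exist; no conversion needed.' }
        'HybridAzureAdJoined' { Write-Output 'Hybrid Azure AD Join: not supported by takeover; unbind and convert the domain profile with ADMU.' }
        default               { Write-Output 'Not Azure AD joined or registered.' }
    }
}

Invoke-AdmuPreflight   # add -Migrate to run the conversion after reviewing the output
```

Run it once without -Migrate to confirm the reported scenario and the profile list match what you see under Settings, Accounts, Access work or school and under Azure AD, Devices; the migration itself only runs when both -Migrate is given and the device is reported as plain Azure AD Joined, so a Hybrid Azure AD Joined system is never passed to Start-Migration with the wrong parameter.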