Practice Lab: Manage Azure AD device registration
Summary
In this lab, you will perform Azure AD device registration using a Windows device.
Exercise 1: Configuring Azure AD device registration
Scenario
Several users have asked to use their personal iOS, Android, and Windows devices to access Contoso cloud resources. Since Contoso does not own the devices, you do not want to have the users perform an Azure AD join for full device management. Instead, you need to ensure that users are able to register their devices with Azure AD, which still allows you to apply company policy to apps as needed, and still permit users to access Contoso resources. You will test out Azure AD device registration using a Windows 11 device.
Task 1: Configure Azure AD device registration
-
On SEA-SVR1, if necessary, sign in as Contoso\Administrator with the password of Pa55w.rd and close Server Manager.
-
On the taskbar select Microsoft Edge, in the address bar type https://entra.microsoft.com, and then press Enter.
-
Sign in as user
[email protected]
, and use the tenant Admin password. If the Stay signed in? prompt appears, select No.The Microsoft Entra admin center opens.
-
In the Microsoft Entra admin center, in the navigation pane, expand Identity.
-
Select Devices > All devices.
-
On the Devices | All devices page, select Device settings.
-
On the Devices|Device settings page, in the details pane, verify that Users may register their devices with Azure AD is set to All and is greyed out.
This option is greyed out and set to All by default when Microsoft Intune is enable in the tenant. This ensures that all users are able to register Windows 10 or newer personal, iOS, Android, and macOS devices with Azure AD.
Task 2: Perform Azure AD registration
-
Switch to SEA-WS1 and sign in as Admin with the password of Pa55w.rd.
-
On the taskbar, select Start and then select Settings.
-
In the Settings window, select Accounts.
-
On the Accounts page, select Access work or school.
-
In the Access work or school page, select Connect.
-
In the Microsoft account window, in the Email address box, enter
[email protected]
and then select Next. -
On the Enter password page, enter the tenant password provided by your instructor and then select Sign in.
-
On the You're all set! page, select Done.
-
On the Access work or school page, verify that Joni's Work or school account is displayed.
-
Close the Settings page.
Task 3: Validate Azure AD registration
-
On SEA-WS1, right-click Start, and then select Windows Terminal (Admin). At the User Account Control, select Yes.
-
In the PowerShell console, type the following and press Enter:
dsregcmd /status
-
In the output under User State, verify that WorkplaceJoined : YES is displayed. This indicates that the user has performed a device registration in Azure AD.
-
Close PowerShell and then sign out of SEA-WS1.
-
Switch to SEA-SVR1.
-
In Microsoft Edge, in the Microsoft Entra admin center, expand Identity.
-
Select Devices, then select All devices. In the Devices pane, notice that SEA-WS1 is listed.
-
Verify that the Join Type is listed as Azure AD registered and that the owner is Joni Sherman.
Notice that the device is Azure AD registered, NOT Azure AD joined. Azure AD registered devices are typically devices that cannot be Azure AD joined, or devices that are personally owned by the user. Registering a device will provide access to Cloud based resources.
-
Close Microsoft Edge.
Task 4: Sign in to Windows and disconnect from the organization
-
Switch to SEA-WS1 and attempt to sign in as
[email protected]
.Notice that unlike Azure AD Joined devices, an Azure AD registered device does not allow a user to sign in to the device with an Azure AD credential.
-
On SEA-WS1, sign in as Admin with the password of Pa55w.rd.
-
Select Start and then select Settings.
-
In the Settings window, select Accounts.
-
On the Accounts page, select Access work or school.
-
In the Access work or school page, select the JoniS Work or School account.
-
Next to Disconnect this account, select Disconnect and then select Yes.
Notice that you do not have to restart to disconnect a registered device from Azure AD.
-
Sign out of SEA-WS1.
Results: After completing this exercise, you will have configured Azure AD device registration.
END OF LAB