Learn how to join Windows 11 to Azure AD & Intune

  • Published: 23 Nov 2024

Comments • 114

  • @Trimalchio12 28 days ago

    This is so helpful as someone who is looking to migrate from AD to AAD.

  • @PrinceJohn84 2 years ago +9

    Hi Andy. Great videos by the way. just for clarity but you absolutely can manage machines that are Azure AD Hybrid joined using Intune. We do exactly this. You need to enable a group policy that enrolls the device in MDM first. The setting is under Computer\Windows Components\MDM 'Enable Automatic MDM Enrolment using default Azure AD credentials'. Our client machines are currently joined to our on premise AD but are co managed in Intune, the idea being that we slowly but surely shift management of the endpoints away from group policy and into Endpoint Manager over time. Eventually, we'll be in a position to have all our endpoints completely cloud native ☁️

    • @AndyMaloneMVP 2 years ago +3

      You are indeed partly correct. SCCM in hybrid or co management allows you to SEE both segments for convenience. But I am correct when I say only either AD or AAD can authenticate. Current branch mode allows you to manage both in either product, to a point for convenience. But ultimately it’s not a long term solution. That said you make some great points and I really appreciate the comment👍😊

    • @PrinceJohn84 2 years ago +1

      @@AndyMaloneMVP Absolutely. With the rise of work from home and client mobility, endpoints have to be cloud native going forward and that is our goal. Cheers!

    • @user-zo6iw2oz9c 2 years ago

      Agreed!

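An added check (not code from the video or from the commenter) for what this thread argues about: whether a client is Azure AD joined, hybrid joined or on-premises only, and whether the automatic MDM enrolment policy PrinceJohn84 names is configured. It assumes the field names printed by `dsregcmd /status` and the registry location that GPO writes to, both taken from Microsoft's documentation rather than from this page.

```powershell
# Added example; not code from the video or the comment author.
# Read-only check of a Windows client's join state and of the
# "Enable automatic MDM enrollment using default Azure AD credentials" policy.
# Run in an elevated PowerShell on the client.

function Get-DeviceJoinState {
    # Parse "dsregcmd /status" into a hashtable. Assumed key names, as printed
    # by the tool: AzureAdJoined, DomainJoined, TenantName, MdmUrl.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }

    $azure  = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'

    if ($azure -and $domain) {
        $joinType = 'Hybrid Azure AD joined'
    } elseif ($azure) {
        $joinType = 'Azure AD joined'
    } elseif ($domain) {
        $joinType = 'On-premises AD joined only'
    } else {
        $joinType = 'Not joined (workgroup; may only be Azure AD registered)'
    }

    # Assumed policy location: the GPO writes AutoEnrollMDM=1 and
    # UseAADCredentialType (1 = user credential, 2 = device credential).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    $credType = switch ($policy.UseAADCredentialType) {
        1       { 'User credential' }
        2       { 'Device credential' }
        default { 'not set' }
    }

    [pscustomobject]@{
        JoinType         = $joinType
        TenantName       = $state['TenantName']
        MdmUrl           = $state['MdmUrl']            # empty when not MDM enrolled
        AutoEnrollPolicy = ($policy.AutoEnrollMDM -eq 1)
        CredentialType   = $credType
    }
}

Get-DeviceJoinState | Format-List
```

A hybrid-joined device with the policy enabled but an empty MdmUrl has not completed enrolment yet, which is the state to look for before expecting Intune policies to apply.
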
  • @fordhamfamilyfarms 11 months ago +2

    Hey Andy love your work. Doing some intune work with hybrid devices and would love an updated version of this ;)

  • @richarddinel4762 1 year ago

    You help me and my partner so much in getting our O365 to Intune. Part of our CMMC certification and securing our tenant.

    • @AndyMaloneMVP 1 year ago

      My pleasure and you’re very welcome. The very best of luck 😊

  • @OldFellaDave 1 year ago +1

    Hi Andy, what is the downside of joining my 90 odd PCs and laptops to Hybrid Azure AD? I want to get rid of Sophos Intercept X (cost) and use Microsoft Defender/Endpoint instead (that we are already licensed for), and for that we need to go down the route of enrolling in Intune. The process seems easy enough to do (via our already running AAD Connect on a DC) but you seem (from what you said at the start) to not like Hybrid joining? I am in no real hurry or any real desire to give up my on-prem environment with all my GPOs, fileshares, SQL based accounting package etc ;)

    • @AndyMaloneMVP 1 year ago

      Hi Dave. This is a question I asked a lot :-) Personally I think there is very little in having client PCs hybrid joined. Yes you can apply conditional access policies. But in terms of management it's expensive with the fact that it's managed on-prem with SCCM & Intune add-ins. If you Azure AD join your PCs directly you can migrate group policy settings across and it's already configured for SSO AND you can manage it directly from the cloud. You don't need Sophos as Windows Defender rocks. That's my opinion :-)

  • @TanuchiSacin 2 months ago

    Today, I was testing a PC to join AAD (we usually do the Autopilot route), but I couldn't see the "Join this device to Microsoft Entra ID", just missing. I found a forum where somebody mentioned switching the workgroup from WORKGROUP to MSHOME, so I tried that. After the reboot, I was able to see the option. Do you know if this is documented somewhere?

    • @AndyMaloneMVP 2 months ago

      Unfortunately, this is common knowledge. Once a machine has been deployed with Active Directory you need to re-image that machine.

  • @tonytango48 2 years ago +2

    Another cracking video Andy!

  • @jessesack3065 3 months ago

    Great informative video sir! Many thanks.

  • @MattTruVu 2 months ago

    After Azure joining, what credentials did you sign back in with? AD credentials or Entra ID credentials?

  • @barclayjamesharvest9354 2 years ago

    Hope to be a guru one day thanks to you. For now just a basic computer technician. Just discovered your channels a few days ago and subscribed right away. Thanks

    • @AndyMaloneMVP 2 years ago

      Live the dream my friend. Great to have you on board 🙂

  • @jojolization 3 months ago

    Questions:
    1. Can I use Intune to deploy apps to Hybrid Azure AD Joined devices?
    2. Other than using GP, can I set configuration profiles in Intune and deploy them to Hybrid Azure AD Joined devices?

    • @AndyMaloneMVP 3 months ago +1

      No, and no, I'm afraid. Intune works with Entra ID joined devices and users need an appropriate license. As I've mentioned in the video, hybrid devices are managed by Active Directory, not Intune. You can see limited attributes in the device pane of the user account and can use conditional access. However, to get the full benefit you require Intune. Device profiles are managed by Enterprise State Roaming and Intune.

  • @emmanuelchrispher8958 2 years ago +1

    I'm a subscriber of your channel, and I will follow you all of the time. I do appreciate all of your videos. Continue!

    • @AndyMaloneMVP 2 years ago

      Thank you most kindly and I really do appreciate your support 👍😊

    • @emmanuelchrispher8958 2 years ago

      @@AndyMaloneMVP I am sure we will talk one day soon, personally

    • @AndyMaloneMVP 2 years ago

      @@emmanuelchrispher8958 why not, we’re all human 😊 Have a great day 👍

  • @tomirvine3449 8 months ago

    Hi Andy, great video. My tenant has a whole bunch of devices I have connected to the basic Azure AD; I want to move them to Intune. What's the process to move them from Azure to Intune?

    • @AndyMaloneMVP 8 months ago

      Assign a licence. Follow the documentation. techcommunity.microsoft.com/t5/microsoft-intune/onboarding-devices-from-aad-to-intune-and-beyond/m-p/3697731 and here call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/

  • @devemanuelangelo 1 year ago

    Hi everyone,
    I just upgraded our users from Windows 11 Home to Windows 11 Pro. Some were able to use "Join this device to Azure Active Directory" but two of our users don't have the "Join this device to Azure Active Directory" option.

    • @AndyMaloneMVP 1 year ago

      I suspect because the home edition is not comparable

  • @uYahbonaEmbo 2 years ago

    This video was meant for me, no doubt about it. Our organization recently implemented Teams VoIP telephony with Yealink desk phones. The issue we are experiencing is that some devices are not completing the sign-up process in Company Portal for Intune, and these are all Android OS devices. Is it possible, Andy, to do a video on enrollment of Teams Android based desk phones, which would include MDM & conditional access for these devices?

    • @AndyMaloneMVP 2 years ago +1

      Hey thanks for the nice comment and great to have you on board. I recorded a video on Teams voice a while back. You should check it out. I'll be honest here, when I get specific requests like this it's tricky as some features even I don't use. Android being one of them. So I'm really sorry, like I've said I'm an instructor and not a support help desk and although I try my best, sometimes I can't fulfil every request, I hope you understand. Good resources for you though would be docs.microsoft.com and the Microsoft Tech Community. Also make sure all of your users are licensed. Good luck 👍😊

    • @uYahbonaEmbo 2 years ago

      @@AndyMaloneMVP Thanks for your honest response, I will post my issue in the community

  • @rkh11 1 year ago

    Many thanks for your work and efforts. I've read that Hybrid Azure AD joined devices require network line of sight to your on-premises domain controllers periodically. If I've added a device to on-prem AD and logged in under a domain user, and then that device has been given to a user who won't have that periodic connectivity, does it mean that after some time that user won't be able to log in under the domain account?

    • @AndyMaloneMVP 1 year ago

      Not at all. However, after a period of time has gone by the user may have to re-authenticate using multifactor authentication.

  • @techman2192 1 year ago

    I enjoy your videos. I have one question: do you have to use answer files when deploying software apps in Intune?

  • @Elscorpio606 2 years ago

    Great learning videos, thanks for uploading them Andy

  • @kb8570 1 year ago

    Thank you for the information Andy, it is very clear and easy to understand.
    Could you please explain the difference between accessing corporate data on a personal laptop if using the Microsoft Company Portal app compared to the option within 'Settings' > Account > 'Add a Work or School account'?

    • @AndyMaloneMVP 1 year ago

      The Company Portal allows you to access content in a bubble. For example, when you open documents, it opens them within the portal. You cannot cut, copy or paste content or take screenshots from within the portal to other applications, thus ensuring security. This is perfect in a BYOD environment. In a full corporate deployment, the entire device is managed by corporate, i.e. all the settings and configuration. I hope this helps and thanks again, Andy

    • @kb8570 1 year ago

      @@AndyMaloneMVP Thank you Andy for your reply and help. Does Azure or Endpoint/Intune give you the option to enforce a policy whereby any staff using a personal laptop and wishing to access work email/organisation OneDrive/corporate MS Teams account must use the Microsoft Company Portal app, therefore preventing staff from simply accessing business Office 365 applications from the browser on their personal laptop?

    • @AndyMaloneMVP 1 year ago

      @@kb8570 It does, yes. For non-corporate devices, however, conditional access guest policies are really good.

    • @kb8570 1 year ago

      @@AndyMaloneMVP Thank you Andy. I will see what I can do with conditional access. I am a newbie and just started working with Endpoint and Azure. Thank you for your videos!

  • @isabel82tisha 8 months ago

    Hi Andy, why is the Azure user JoniS an administrator after the device has been registered with that name?
    It's the same for me, but that can't be right if JoniS is not an administrator at all.
    I couldn't register the device with a local account, so not as admin. The selection for this was not displayed.

    • @AndyMaloneMVP 8 months ago

      This would not happen today. Use the LAPS service in Intune. Read the documentation at learn.microsoft.com.

  • @leighgc1855 1 year ago

    Hi Andy, is it possible to add a device to Intune after it is already registered with Azure AD? I have enabled MDM for some users, added a security group, and included the users in the security group. However, when the user logs on, their Azure AD device doesn't enrol in Intune. All users have Office 365 Premium licenses.

  • @srikanths651 2 years ago

    The video is indeed for me... Thank you so much for your efforts. One question from my end: how will we join users and computers from AD installed on Server 2012 to AAD? Will the existing Group Policies apply post sync to AAD? Or do we need to add different roles to computers/devices in AAD for managing them?

    • @AndyMaloneMVP 2 years ago

      Thanks for the question. Here is a video on Azure AD Connect. This is the tool that sets up a hybrid connection. In terms of group policy you can either use the group policy analytics tool in Intune that can help migrate policies, or just start fresh. ruclips.net/video/muHVbeONGqA/видео.html Either way check out docs.microsoft.com, they have some great documentation 😊👍 Good luck

  • @ts-cj2ym 2 years ago

    Hi Andy, great video. I have 40 laptops not in on-premise AD and 40 in on-premise AD. We'd like to use Intune for management. How do we go from here? The AD server is Windows 2022. All run Win 10 and 11 (with Office 365 Business Premium).
    I'm thinking of letting all laptops join Azure AD and connecting the AD server to Azure. That will give a mix of computers only in Azure AD and some in on-premise AD, connected to Azure. Will that work? Or do we need to let all devices join on-premise AD before connecting the server to Azure?

    • @AndyMaloneMVP 2 years ago

      Thanks very much for your question. The answer is absolutely, you can set these up to talk to Azure AD. I think you'll find this playlist really helpful for you ruclips.net/p/PLEgclf_4HA-iIHhRTlzgZOIIxJ--Pxz9C

  • @Naveed67857 1 year ago +1

    Hello Andy
    Give me an answer please
    I have a very basic requirement that normal users cannot install any software without admin privileges.
    Please guide me.
    Some policy I used, but it restricts only installing apps from the Windows App Store, not overall, so when they need it I can use admin privileges to install any software or application on Windows Intune devices.

    • @AndyMaloneMVP 1 year ago

      It appears that there is obviously a restriction in place here. You need to have some form of admin privileges to continue. If you want to learn the subject, I recommend creating a Microsoft 365 E5 subscription with EM&S as this will allow you to practice. You can also check out the full learning content at lauren.microsoft.com. I wish you the very best of luck 👍

    • @Naveed67857 1 year ago

      @@AndyMaloneMVP
      The mentioned URL is not working

    • @AndyMaloneMVP 1 year ago +1

      @@Naveed67857 The dangers of dictating text messages; it should have been learn.microsoft.com

    • @Naveed67857 1 year ago

      @@AndyMaloneMVP
      Thank you for your kind reply.
      Please recommend some channel that will help me to deploy Microsoft Intune; the focus will be on Windows 10 and 11.
      I have gone through the Intune videos but I need further training.

    • @AndyMaloneMVP 1 year ago

      @@Naveed67857 Not sure, I'm afraid. I do include it but it's not dedicated. If I find something I'll let you know.

  • @ThePatsev 1 year ago

    Hi Andy, does each user who logs into a device managed by Intune need to have an Intune license, or just the admin has to have it? Thank you

    • @AndyMaloneMVP 1 year ago

      It’s per user licensing, I’m afraid.

  • @NickLaoutaris 1 year ago +1

    Hi Andy, this is great man! Keep it up. Thank you for this amazing video.

  • @kevinjackson5191 2 years ago

    Hi Andy, as always a fantastic insight.
    However, I have a question that no one putting up videos of Azure AD joining seems to cover.
    When you log in to a device as the admin and join a standard user to AAD, it seems to then turn them into an administrator (presumably of the device they are logged in to). This can't be good practice, surely. So how do you join them as standard users?

    • @AndyMaloneMVP 2 years ago +3

      This is a common one. In the Intune Autopilot OOBE (out of the box) settings there is an option to install as regular user or local admin. I'll bet you've chosen the latter by mistake. joymalya.com/manage-local-admin-accounts-with-intune/ & here docs.microsoft.com/en-us/answers/questions/129120/enabling-local-administrator-account-on-windows-10.html

  • @mikemiguelhije2780 2 years ago

    Thank you for that info. What is the difference between Account Protection in Intune vs Device Administrators?

    • @AndyMaloneMVP 2 years ago +1

      Admin roles allow you to delegate specific admin roles to users. See the doc here docs.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control whereas account protection policies are a new preview feature (not reviewed by me yet) details here docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy#:~:text=Use%20Intune%20endpoint%20security%20policies,Microsoft%20Endpoint%20Manager%20admin%20center. Device admin role here docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

    • @mikemiguelhije2780 2 years ago

      @@AndyMaloneMVP Thank you for the reference

    • @AndyMaloneMVP 2 years ago

      @@mikemiguelhije2780 You're very welcome 👍😊

  • @livestronger1981 4 months ago

    Why can I not use Group accounts to assign to "Device Administrator, Assignments"? It only shows users.

  • @Bbill2k2 1 year ago

    So outside conditional access there's no real point in having Azure AD devices being hybrid enrolled?

  • @sastreaj 2 years ago

    Thank you for the video Andy. Is there any way to unjoin on-premises devices and join them to Azure AD without having users create a new profile?

    • @AndyMaloneMVP 2 years ago

      Unfortunately not. That said, it's the device that you're authenticating, not necessarily the user.

    • @sastreaj 2 years ago

      @@AndyMaloneMVP Thank you for the quick reply Andy. The devices are assigned to the user and my idea is to eventually turn off the on-premises AD.

    • @AndyMaloneMVP 2 years ago

      @@sastreaj Your users can be Active Directory joined but the devices can be Azure AD joined. I would advise you also to take a quick look at docs.microsoft.com; this is the definitive repository for all documentation for Microsoft 365. If there is an answer, this is where you'll find it.

    • @sastreaj 2 years ago

      You’re totally correct Andy. I now get it, I didn’t see it like that. I’ll worry about joining the device and keep the user in AD.

    • @AndyMaloneMVP 2 years ago

      @@sastreaj No worries and thanks for the question 😊👍

  • @bechirbendhief6086 2 years ago

    I'd like to thank you for this great effort, it's very helpful

    • @AndyMaloneMVP 2 years ago

      You’re very welcome and thanks for your kind comments. I’m delighted you’re enjoying the content. All the best, Andy 😊

  • @ThePatsev 2 years ago

    Hi Andy, what about Azure registered devices? They're registered the same way as Azure joined. I can't really see the difference. Thank you for your informative videos!

    • @AndyMaloneMVP 2 years ago +1

      Azure AD registered devices work in the same way, except that when you deploy applications, they appear in a portal on the user's phone. Remember that registered devices are BYOD, or bring your own device, and are owned and managed by us, not corporate.

    • @ThePatsev 2 years ago

      @@AndyMaloneMVP Thank you, Andy!

  • @cpuuk 2 years ago

    When joining Azure AD, what happens to the computer's local user accounts? Are they still there?

    • @AndyMaloneMVP 2 years ago +1

      Yes they are. You can disconnect if you wish. Also Intune provides full policy control.

  • @syedmali7772 5 months ago

    How do I join the device as a standard user type using the Azure Active Directory method?

    • @AndyMaloneMVP 5 months ago

      School and workplace join in Windows 11. You can join a device as long as you are authorised.

  • @fbifido2 2 years ago

    Say you have a small office of around 25 workers (to be 30 next year) who work in 3 shifts, and only 10 laptops that are shared across each shift.
    - Can we prevent users from joining a device to Azure AD or Intune?
    - Can an admin join them to Azure AD + Intune, and allow the staff to sign in to any of the devices using their Azure account and have their settings follow them?
    - I don't want an AD DS server, just a cloud-only system { Microsoft 365 Apps }

    • @AndyMaloneMVP 2 years ago +1

      You can set that only specific users can do an Azure AD domain join. In my video I did all, but you can select specific users. Also specific admins as well. In terms of using laptops which are shared you may want to take a look at this. I think you'll find it useful docs.microsoft.com/en-us/mem/intune/configuration/shared-user-device-settings

  • @AchtungEnglander 2 years ago

    6:00 The Azure Directory option has been removed. When I log into my work account, that account is added to my personal Microsoft account. I cannot then log in or out of the two accounts as I did on Win 10. I see one login with 2 accounts. This is NUTS! EDIT - I am using Win 11 Home; I presume I need to install Win 11 Pro to get Azure?

    • @AndyMaloneMVP 2 years ago

      I think you answered your own question. It does not support Home. Sorry.

  • @gutodalkimin 2 years ago

    Great Andy! Thanks

  • @fbifido2 2 years ago +2

    @8:40 😍😍✔✔

  • @TechITStudy 1 year ago

    Awesome Video

  • @soodshubham7671 2 years ago +2

    Cool 😊

  • @micah7448 2 months ago

    10:14 I wish you showed how this was actually done!

  • @robertojosesiulemus3205 1 year ago +1

    The Best!!!

  • @markstuff 2 months ago

    How can you do this without knowing Joni's or Aaron's passwords?

    • @AndyMaloneMVP 2 months ago

      Because I'm deploying the machine, not logging on the users; the user would still log on with their own credentials.

  • @JohnieDSM 2 years ago

    Hi - I have a question, maybe someone has an answer. I tried to connect my laptop to a customer's Azure network and got a message on the screen that my laptop is registered with another Azure domain, and it welcomed me to connect to that Azure domain. Any ideas what it is? Some kind of protection? Thanks a lot!

    • @AndyMaloneMVP 2 years ago

      I'll bet that the laptop you're using is connected to your Microsoft 365 account. You can tell if you go in a web browser to portal.office.com: if it does not prompt you for a username etc., you're already connected. Another way is to go into Settings - Accounts - School and workplace join. If you're already connected you'll see the account details here. Another obvious question: what edition of Windows are you using? Pro or Enterprise? As I said in the video, Win 10/11 devices can only be connected to one domain at a time, either on-prem Windows Server AD or Azure AD (Microsoft 365). I hope this helps and good luck.

    • @JohnieDSM 2 years ago

      @@AndyMaloneMVP This laptop doesn't have MS 365 installed; it was returned from rental with fresh Win10 Pro installed, and also doesn't have any connections to any domains so far. I guess Azure uses some hardware identification/authorisation, since how else would the current Azure domain (to which I'm going to connect) know about the old one and not allow me to connect?

    • @AndyMaloneMVP 2 years ago

      Sounds like the OS build has some kind of connection built in. I'd take it to support to be checked. Also perhaps you don't have admin rights.

    • @AndyMaloneMVP 2 years ago

      @@JohnieDSM I'm sorry, sounds like you need to go to a support specialist. Best of luck 😊

  • @kedargiri5397 8 months ago

    How do you Microsoft Entra join an existing Windows Server VM?

  • @ANAND-ip2wu 2 years ago

    Hi sir, this is Anandhakumar from Chennai, India. I am learning Windows Server. How do I get a job abroad? Is there any app for this in the Play Store?

    • @AndyMaloneMVP 2 years ago

      Not sure about apps, but there are plenty of sites that can help you. Earlier this year I recorded a session on how to get certified. I put lots of tips and advice into that. You can find it here: ruclips.net/video/qA5Hy36onbw/видео.html I wish you the very best of luck my friend 👍😊

  • @cqajagsaw 2 years ago

    How do you enable Intune auth?

    • @AndyMaloneMVP 2 years ago

      A user must have an Azure AD account and the device must be Azure AD joined; then the user just signs in using standard single sign-on. Check out docs.microsoft.com for more details.

  • @balarajuc5048 7 months ago

    Thanks a lot

  • @mathieulessard404 1 year ago

    It doesn't make sense having usernames like that