Microsoft Describes Azure AD Integration with Windows 10 Mobile

Microsoft this week explained how organizations can use Azure Active Directory (AD) with Windows 10 Mobile.

Under certain circumstances, it will be possible for Windows 10 Mobile devices to access both personal and business resources using the same device but with different user credentials. Microsoft outlined these details, as well as a few caveats, in an update to this TechNet article, which was in turn announced in a Microsoft Active Directory team blog post.

Upgrade Scenarios
Microsoft released Windows 10 Mobile to existing Windows Phone 8.1 users on Thursday, although the OS has been running on brand-new Lumia phones since last fall.

The possibility of upgrading from a Windows Phone 8.1 OS will depend upon the device hardware used. Microsoft's Windows 10 Mobile specifications page lists the following eligible devices: Lumia 1520, 930, 640, 640XL, 730, 735, 830, 532, 535, 540, 635 1GB, 636 1GB, 638 1GB, 430, 435, BLU Win HD w510u, BLU Win HD LTE x150q, MCJ Madosma Q501.

Microsoft's TechNet article cautions that those organizations planning to upgrade existing Windows Phone 8.1 OS-based devices to the new Windows 10 Mobile OS will have to revert to the so-called "out-of-box" experience (OOBE) for Windows 10 Mobile. That means starting from scratch.

In addition, existing user data and settings can't be maintained for these Windows Phone 8.1 upgrades. Here's the effect on end users, per the TechNet article:

When a user joins an organization's domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile.

Azure AD Join Preferred
The article noted that the overall best way to connect Windows 10 Mobile devices for organizations is to set up a so-called "Azure AD Join." It's not the only way, though. Organizations can also add a "work account" to a Windows 10 Mobile device. Going the work account route is one way to avoid the OOBE device reset issue when upgrading Windows Phone 8.1 devices.

Microsoft explained the difference between a work account and an Azure AD Join in this section of the TechNet article. It turns out that adding a work account has some limitations in terms of the end user experience. For instance, users can't access applications from the Windows Store via single sign-on, meaning that they can't use the same credentials to access the Store apps. Moreover, Azure AD settings won't roam via Microsoft's "enterprise state roaming" feature. This Azure AD feature keeps corporate data separate from personal data on mobile devices and also adds protection through the Azure Rights Management service.

Microsoft prefers the Azure AD Join approach, which reverts devices to the OOBE state. It also prefers self-provisioning by end users. Here's the scenario that Microsoft has mapped out for Windows 10 Mobile end users connected via Azure AD Join, per the TechNet article:

Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment.

In other words, it's the end users that go through the motions to establish their credentials and join their devices to a corporate domain.

Other Requirements
Microsoft also will require the use of a mobile device management (MDM) solution, at least in the case of organizations using Azure AD Join. Moreover, organizations will need to buy an Azure AD Premium license to use Azure AD Join.

"Azure AD Premium or EMS [Enterprise Mobility Suite] licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM," the TechNet article stated.

Windows 10 Mobile users will be required to use Microsoft Passport PINs. Alternatively, they can use Windows Hello, which is Microsoft's biometric authentication feature. Multifactor authentication is required, too.

"Creating a Microsoft Passport requires the user to perform a multi-factor authentication since the PIN is a strong authentication credential," the TechNet article explained.

The article had many more nuances to consider. It even shows the user setup experience from an OOBE screen. The gist seems to be that organizations may have to start from scratch on the provisioning front if they have existing Windows Phone 8.1 devices they are planning to upgrade to Windows 10 Mobile. On the plus side, it's the end users that will do the provisioning.

Such organizations upgrading Windows Phone 8.1 devices likely are in the minority, though. Fourth-quarter market analysis by Gartner Inc. showed that Windows smartphone use had bottomed out at around 1 percent.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.