Preview of Azure Active Directory Join Capability Coming to Windows 365

- By Kurt Mackie
- February 09, 2022
Microsoft announced Wednesday that enterprise users of Windows 365 services will soon be able to use Azure Active Directory joins for Cloud PCs.
The new feature will be arriving in the next week at the  preview stage for users of the Windows 365 Enterprise edition. Along with the  Azure Active Directory joins feature, additional languages will be previewed,  and Microsoft announced that FIDO (Fast Identity Online) passwordless authentication is coming soon. 
Windows 365 is Microsoft's desktop-as-a-service offering,  which was commercially  released last year. The service works with so-called "Cloud PCs,"  which are client operating system  virtual machines housed in  Microsoft's datacenters that get remotely accessed by devices of various types. 
Windows 365 is available in two editions, Business and  Enterprise, which are very different products. The Windows 365 improvements  announced on Wednesday, though, were just described as being available for Enterprise  edition subscribers. 
Azure AD Join  Preview
The support for Azure AD joins at the preview stage will  be arriving to Enterprise edition Windows 365 tenancies in about a week's time,  according to a Feb. 9 "Windows in the Cloud" online presentation  (Episode 106), which possibly will become available on demand at this  page. 
When the Azure AD join preview is available, it'll show  up as an option within the Microsoft Endpoint Manager Admin Center.
Previously, Microsoft just let Enterprise edition Windows  365 users join via hybrid Azure AD joins, explained Christian Montoya, a senior  program manager on the Windows 365 team, during the online presentation. 
With the Azure AD joins for Cloud PCs preview, organizations  don't need to have an Azure subscription to provision Cloud PCs for end users.  They can just select a region to join the Cloud PCs using a drop-down menu in  the Microsoft Endpoint Manager Admin Center interface. 
It's also possible for organizations with their own Azure  virtual networks to use the Azure AD join feature, but "you'll first need  to create a new Azure AD Join network connection,"  Montoya indicated in the announcement.
Organizations that already are using hybrid Azure AD joins and want to switch to Azure AD joins will need to "reprovision your Cloud PC to join Azure AD," Microsoft explained in the Q&A segment of its online presentation.
Language Provisioning  by Policy Preview
Microsoft also will soon offer a preview of an expanded  "first-run experience" when provisioning Cloud PCs based on the  language and region to be used. It'll be coming soon for Windows 365 Enterprise  edition users. IT pros will be able to set the language and region by policy,  instead of setting it manually using custom images.
Here's how it was described: 
  Now in Public Preview, when you create a provisioning policy, you can  configure a Language & Region pack to be installed on the  Cloud PCs during provisioning. There are 38 languages available.
This approach also will permit changing the language for already provisioned Cloud PCs.
Microsoft additionally announced that it added two more  Windows 365 supported regions this month, namely "US Central" and "Germany  West Central," which are "available today."
FIDO Support  Planned
Microsoft also explained during the online presentation  that it is working to bring FIDO passwordless authentication protections to Windows  365 users at some future point in time:
  We'll add this to our In Development as we have more defined timelines,  but we're working with Azure AD and Azure Virtual Desktop teams to enable FIDO  devices for the logon to your Cloud PC.
FIDO2 is an industry-supported standard for devices that  permits the use of PINs, cards, key fobs and biometric readers to secondarily  verify the identity of end users when accessing resources. It's a  public-private key approach that's deemed to be phishing resistant, in contrast  to simple password use, because the private key never leaves the device.
Montoya also suggested during the online presentation that it'll be somewhat easier for Azure AD-joined Cloud PC devices using Windows Hello for Business, Microsoft's biometric authentication service, to take advantage of FIDO protections.
"If you're on your Windows desktop client, you can  use [Windows] Hello, and then actually, with Azure AD join, the Windows Hello  for Business logon is a little bit easier, because you don't have to be on a  corporate VPN or you don't have to be on the corporate network," Montoya  said.

About the Author

                    Kurt Mackie is senior news producer for 1105 Media's Converge360 group.