Domain vs. Entra… or both?

This will be the first of a multi-part series on configuring and managing device Identity and Access Management (IAM) for Microsoft

In the year 2000, Windows 2000 Server was released, and with it came a new era of authentication. Microsoft introduced Active Directory to the world, which would later be known as Active Directory Domain Services (AD DS). It combined the directory functionality of the industry standard Lightweight Directory Access Protocol (LDAP) with the authentication of another industry standard – Kerberos – to its new offering… and within a few years the AD DS domain became the de facto standard in corporations and small businesses around the world. It was rare for me to log into a company computer (server or workstation) that was not AD DS joined.

In 2010 Microsoft introduced Azure Active Directory (which it would rebrand in 2023 to Microsoft Entra ID), and within a few years we would start seeing company computers that were no longer AD DS joined, but rather Entra joined (for the sake of simplicity I will use the current term, even when referring to pre-rebranding). It makes sense – with the world migrating into the cloud, companies are moving their Identity and Access Management (IAM) into the cloud as well.

Now here’s the thing about cloud migration. It does not happen overnight. For new organizations starting from scratch (what we refer to as green field) there may be no reason to even consider AD DS. Small companies with few systems and few employees might be able to migrate over a weekend. For larger organizations it is neither quick nor easy… and because it will not happen overnight, there are a lot of companies out there working on a hybrid model – with both on-premises and cloud servers and services… and even IAM infrastructures. It is more likely than not that their employees will have two accounts – one on prem, and one in the cloud… and sometimes they won’t even realize it, because the two identities are federated.

Now here’s the thing… in order to be able to log into a computer with a corporate account – whether that account be AD DS or Entra ID – the computer that one is logging into must be joined to either the AD DS or the Entra ID. That is to say that not only will there be a user account in one or the other directory, but the computer will also have an account in the same.

The way we have joined a computer to an Active Directory Domain for the last twenty-five years is still available in Windows 11. In the Computer Name tab of the System Properties window, we click on the button marked Change… where it says ‘To rename this computer or change its domain or workgroup, click Change.’ You then enter the name of your domain (and can rename your computer if you so desire). You will be asked for credentials of an account with permission to join the domain; you will be asked to reboot, and when you do then you can log on with your domain account.

Of course, since this window has been around since the beginning of the millennium, there is no mention of the cloud. It still works… but only for the on-prem AD DS. There is a modern (Windows 10 or later) way to join, which gives you three options:

  • Connect your cloud account
  • Join the device to Microsoft Entra ID
  • Join the device to a local Active Directory domain

The first one – Connect your cloud account – does not really affect the computer itself, but only the applications you use on it. The other two are going to either join your computer to your on-premises domain (AD DS) or to your cloud environment (Entra ID).

To access this screen do the following:

  1. Right-click the Start button and click System.
  2. In the navigation pane of the Settings window click Accounts.
  3. In the Accounts page scroll down and click Access work or school.
  4. In the Access work or school page click the Connect button next to Add a work or school account.

This is where a lot of people go wrong. Once upon a time, we delivered workstations to our end users completely pre-configured… we joined the domain for them. Because the Microsoft cloud is set up to allow us to have a hardware provider drop-ship a computer directly to a remote user, or even have them connect their own computer to our Entra ID, there is opportunity to make mistakes. I have lost count of how many people – students, customers, and friends & family – have seen this screen, typed their cloud account address in here, and then could not figure out why they were not in the system. Notice at the bottom of the window there are those other two options? Well, when joining Entra ID you have to click that option… just as if you are joining an on-prem domain you would click that option. So for now, let’s join an Active Directory domain… then we’ll see what happens.

I see the Join a domain box pop up, and when I type in the name of my local domain, it asks me for credentials. When I click OK, Windows checks to see that it can reach the domain, that the credentials that I provided are correct, and that my account has permissions to join a computer to the domain. These are the Authentication (AuthN) and Authorization (AuthZ) components of the IAM process. If all is approved, then a window will pop up asking what domain account I want to give access to this computer… and if I want their local access to be Standard User or Administrator. In my example I gave my account administrator access, but the best practice is to only give elevated permissions to a secondary account. That’s a matter for another article.

I’ve rebooted the computer, and logged into the computer with my domain account. It’s as easy as that.

Now what would I do if I now wanted to join my computer to Entra ID? Wouldn’t it be great to have the best of both worlds? It would… but watch what happens. I am going to try to join this computer to Entra ID… but the option is no longer there! 😦

I am still able to get into the Access Work or School window, and I can still click Connect, but the options to join Entra ID or a local domain are gone. AD makes sense, but where did Entra ID go? The simple answer is that you can join one or the other, but not both… manually. More on that later. I can disconnect the computer from the domain, at which point I can then join it to Entra ID. You will need to provide a local account that you will be able to log on with after disconnecting, and you will need to reboot.

Logged back in as a local user, I once again have the option to join either Entra ID or an Active Directory domain. I will skip to the last page on this one… if you were to now join the device to Entra ID, the option to then join it to either would be gone again.
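A quick way to confirm which of these states a device is actually in, instead of guessing from the Access work or school page, is to parse the output of the built-in dsregcmd /status tool. This is an added example, not code from the original article; it assumes Windows 10/11 (where dsregcmd.exe ships) and the field names dsregcmd prints (AzureAdJoined, DomainJoined, WorkplaceJoined, DomainName).

```powershell
# Added example (not from the original article): classify a device's join state
# from "dsregcmd /status". Assumes the field names dsregcmd.exe prints on Windows 10/11.
function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Raw lines of "dsregcmd /status"; defaults to running the tool on this machine
        [string[]]$StatusOutput = (& dsregcmd.exe /status)
    )

    # Collect every "Name : Value" line; the +---+ borders and "| Section |" rows are skipped
    $fields = @{}
    foreach ($line in $StatusOutput) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $entra  = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'   # "Connect your cloud account" = registered, not joined

    $state = if ($entra -and $domain) { 'Hybrid Entra joined (AD DS + Entra ID)' }
             elseif ($entra)          { 'Entra joined' }
             elseif ($domain)         { 'Domain joined (AD DS only)' }
             elseif ($wpj)            { 'Entra registered only (work account connected, device not joined)' }
             else                     { 'Workgroup (not joined)' }

    [pscustomobject]@{
        AzureAdJoined   = $entra
        DomainJoined    = $domain
        WorkplaceJoined = $wpj
        DomainName      = $fields['DomainName']
        JoinState       = $state
    }
}

# Constructed sample (not captured from a real machine) so the parser can be tried offline
$sample = @(
    '| Device State                                                         |',
    '             AzureAdJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP',
    '| User State                                                           |',
    '           WorkplaceJoined : NO'
)
Get-DeviceJoinState -StatusOutput $sample   # JoinState: Domain joined (AD DS only)
Get-DeviceJoinState                         # live check on the current device
```

A device that shows AzureAdJoined : YES and DomainJoined : YES is the hybrid state the admin-only configuration in the upcoming article produces; a manual join will only ever set one of the two.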

But I want the pony!

I know… you want the best of both worlds. You want to be able to use both your mature on-prem AD DS as well as your new fancy Entra ID. We can do that… as admins. This is not something that end users can configure on their own. In an upcoming article, I am going to show you how to configure your environment for Hybrid Entra ID Joined devices.

In this article I have shown you how to join your Windows 11 device to either a cloud Entra ID tenant, or to your local Active Directory domain… as well as how to disconnect from either. In my next article, I am going to show you how to federate (connect) your local on-prem AD to your cloud Entra environment.
