When Azure Active Directory (AD) was first released, many companies asked, “Can this replace my on-premises Domain Controllers?” For Windows 7 and Windows 8/8.1, the answer is “no” because Azure AD cannot connect to the computers. However, with the recent release of Windows 10, the answer to this question gets a lot more interesting. Read on to see what I mean.
Windows 10 and Azure AD Join
Azure AD Join is a new feature in Windows 10 that allows a computer to associate directly with your Office 365 Azure AD tenant. Setup is simple: First, a user is prompted whether they want to connect to an organization account (Office 365) or whether they want to join a domain. If they choose to associate with an organization account, all it takes is the Office 365 user name and password and the computer will automatically connect and associate with Azure AD. Once the join is complete, single sign-on (SSO) is handled by the computer just as it would with a domain joined machine. Also, any online services or policies that are applied to the user can be easily managed centrally via Azure AD. These policies might include Intune or other device management services. This allows for automatic deployment of management tools as part of the joining process.
Image courtesy Microsoft
Can I Join a Domain and Azure AD?
Unfortunately, with the initial release of Windows 10, each user can only connect to one or the other. If a user is looking to join to a domain, they can later associate their Office 365 account with their domain account, but it won’t be a true Azure AD Join. Similarly, if a user performs an Azure AD Join, then they won’t be able to later use that same account with a domain.
So Which Should I Use?
Both are very useful and whichever option you choose often depends on the type of user. For a remote machine that will rarely, if ever, communicate with the on-premises domain, using Azure AD Join may be the way to go because it provides many of the same management and monitoring benefits without requiring local access.
Similarly, for smaller organizations or organizations with many remote offices that don’t have domain controllers, Azure AD Join is very beneficial. As an added bonus, since Azure AD Join can work off of synchronized users to your existing domain, you can still have the same accounts and passwords in both systems.
For the standard office environment with users local to the servers, or networking in place to allow for easy domain controller communication, using Active Directory is likely still your best option. You will continue to have the same domain experience everyone has come to expect, while at the same time the SSO options with Azure and Office 365 via Azure AD Connect and ADFS will continue to be available. As of now, Active Directory also still provides the larger feature set for the management and monitoring of systems via SCCM and group policies, and so is recommended for environments that require that higher level of control.
Flexibility to Manage Different User Sets
Whichever you choose, keep in mind that you can always mix and match. For instance, if you have a central office but also have some remote users, you can use a combination of both the traditional Active Directory and Azure AD Join to provide the best experience to each user set. With Azure AD Join, Active Directory and Windows 10 you now have a lot more management flexibility than ever before.