Microsoft Outlines Windows 10 Mobile Management Using Azure Active Directory

Organizations awaiting the commercial release of Microsoft's emerging Windows 10 Mobile operating system will face lots of caveats when using Azure Active Directory (AD) for identity and access management.

One of the enabling factors behind business and enterprise use of Windows 10 Mobile will be the leveraging of Azure AD. Under certain circumstances, it will be possible for Windows 10 Mobile devices to access both personal and business resources using the same device but with different user credentials.

Microsoft recently updated a TechNet article to provide an explanation about how organizations can use Azure AD with Windows 10 Mobile devices. The updated documentation was noted this week in a Microsoft Active Directory team blog post.

Upgrade Scenarios
Windows 10 Mobile, which is currently available on some Microsoft Lumia phones for Windows Insider program testers, could get released broadly this month, although possibly delayed per mobile carrier schedules. The notion that Windows 10 Mobile may be arriving this month is just the latest rumor among many past ones (for detailed tracking, see's product roadmap article.)

The possibility of upgrading from the Windows Phone 8.1 OS will depend on the device hardware used. Microsoft currently only shows upgrade possibilities for some of its Lumia models at this page.

Microsoft's TechNet article cautions that those organizations planning to upgrade existing Windows Phone 8.1 OS-based devices to the new Windows 10 Mobile OS will have to revert to the so-called "out-of-box" experience (OOBE) for Windows 10 Mobile. That means starting from scratch.

In addition, existing user data and settings can't be maintained for these Windows Phone 8.1 upgrades. Here's the effect on end users, per the TechNet article:

When a user joins an organization's domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile.

Azure AD Join Preferred
The article noted that the overall best way to connect Windows 10 Mobile devices for organizations is to set up a so-called "Azure AD Join." It's not the only way, though. Organizations can also add a "work account" to a Windows 10 Mobile device. Going the work account route is one way to avoid the OOBE device reset issue when upgrading Windows Phone 8.1 devices.

Microsoft explained the difference between a work account and an Azure AD Join in this section of the TechNet article. It turns out that adding a work account has some limitations in terms of the end user experience. For instance, they can't access applications from the Windows Store via single sign-on, meaning that they can't use the same passwords to access the Store apps. Moreover, Azure AD settings won't roam via Microsoft's "enterprise state roaming" feature. This enterprise state roaming Azure AD feature facilitates the separation of corporate data from personal data on mobile devices and also adds security support via the Azure Rights Management service.

Microsoft prefers the Azure AD Join approach, which reverts devices to the OOBE state. It also prefers self-provisioning by end users. Here's the scenario that Microsoft has mapped out for Windows 10 Mobile end users connected via Azure AD Join, per the TechNet article:

Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment.

In other words, it's the end users that go through the motions to establish their credentials and join their devices to a corporate domain.

Other Requirements
Microsoft also will require the use of a mobile device management solution, at least in the case of organizations using Azure AD Joins. Moreover, organizations will need to buy an Azure AD Premium license to use Azure AD Join.

"Azure AD Premium or EMS [Enterprise Mobility Suite] licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM," the TechNet article stated.

Windows 10 Mobile users will be required to use Microsoft Passport PINs. Alternatively, they can use Windows Hello, which is Microsoft's biometric security feature. Multifactor authentication is required, too.

"Creating a Microsoft Passport requires the user to perform a multi-factor authentication since the PIN is a strong authentication credential," the TechNet article explained.

The article had many more nuances to consider. It even shows the user setup experience from an OOBE screen. The gist seems to be that organizations may have to start from scratch on the provisioning front if they have existing Windows Phone 8.1 devices they are planning to upgrade to Windows 10 Mobile. On the plus side, it's the end users that will do the provisioning.

Such organizations upgrading Windows Phone 8.1 devices likely are in the minority, though. Fourth-quarter market analysis by Gartner Inc. showed that Windows smartphone use had bottomed out at around 1 percent.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
