Windows 11 Azure AD Join Manual Process Windows 10

This step-by-step guide walks through the manual Windows 11 Azure AD Join process. It applies to Windows 10 devices as well. Automated Azure AD join options, such as Windows Autopilot, are also available.

I’ve explained the manual process of Windows 11 Intune enrollment for the scenario. In the post, you will learn how to join Windows 10 or Windows 11 to Azure AD manually. Yes, you can perform Windows 10 Azure AD join manually.


We will also see how to enroll Windows 11 devices in Microsoft Intune. We can still use the old Control Panel System Properties method to join a Windows 10 machine to the domain.


However, the wizard has changed slightly compared to Windows 7. Domain join is the old, classic way of joining your Windows 10 or Windows 11 machine to your work domain.

So what is the newest trend in domain join? 🙂 It’s AAD join, Azure Active Directory join (AAD is a SaaS solution by Microsoft for identity management).

When your organization has an Azure AD subscription and an MDM solution like Intune, you can join your modern Windows 10 devices to AAD.

Video – Azure AD Join with Intune Enrollment for Windows Devices

Azure AD Join Process and Intune Auto Enrollment for Windows 11 | Licensing Details | Manual Provisioning process explained in this video! The example given is using the settings app of Windows 11.

  • Azure AD Join Vs Hybrid AAD Join
  • Licensing Details
  • Provisioning
  • Intune Auto-Enrollment

NOTE! – Some of the screenshots are taken from Windows 10. But the steps to follow are the same for Windows 11 and Windows 10. I will try to update the screenshot as soon as possible.

Prerequisite Checks – Before Windows 11 Azure AD Join

Check the following prerequisites before trying Windows 11 Azure AD Join and enrolling in Intune. The Windows 11 or 10 Azure AD join scenario is used mostly for CYOD scenarios.

  • License -> Windows 11 Pro or Enterprise versions are supported for Azure AD Join.
  • Intune, Azure AD subscription, setup, and configuration should be completed.
  • An EMS, M365, or other relevant license should be assigned to the corporate ID that you are going to use for Windows 10 or 11 Intune enrollment.
  • The user might need administrator access to enroll the Windows 10 or 11 devices into Intune.
  • Register the CNAME if you are using a custom domain (not required if you are using .ONMICROSOFT.com ID, as I showed in this post and video)

Differences between Azure AD Join Vs. Azure AD Registered Vs. Hybrid Azure AD

Let’s check the differences between Azure AD Joined, Azure AD Registered, and Hybrid Azure AD Joined Windows 11 or Windows 10 devices.

Azure AD Joined – Windows devices joined only to Azure AD, requiring an organizational account to sign in to the Windows 11 or Windows 10 device. This is supported for all Windows 11 and Windows 10 devices except Home editions.

Azure AD Registered – Devices registered to Azure AD without requiring an organizational account to sign in to the device. The users can log in to Windows 11 or Windows 10 devices with their personal Microsoft ID or a local account.

Hybrid Azure AD Joined – Windows devices joined to on-premises AD and Azure AD, requiring an organizational account to sign in to the Windows 11 or Windows 10 device. Hybrid Azure AD joined devices require network line of sight to your on-premises domain controllers periodically. Log in to Hybrid Azure AD joined devices with an organizational ID.

Windows 11 Azure AD Join Step by Step process

Let’s go through the Windows 11 Azure AD Join process step by step. In this section, you will see how to join a Windows 11 device to Azure AD. In this video guide, you will see how to perform Windows 10 Azure AD join and Intune enrollment.

The following steps are the manual process to complete the Windows 11 Azure AD join.

NOTE! – I recommend following the Windows 10 OOBE or Windows Autopilot process for a more sophisticated Windows 11 or Windows 10 AAD Join process for your organization.

When you start the process of joining Azure AD with Windows 11 or 10, there are two ways to achieve this. First, you can go to Settings –> Accounts –> Work Access and click on the Join or Leave Azure AD link.

  • Login to Windows 11 with an Administrator account.
  • Go to Start and click the Start button -> Settings.
  • Select Accounts > Access work or school.
  • Click on the Connect button to start the Windows 11 Azure AD join process.

In the Set up a work or school account window, click on the Join this device to Azure Active Directory link under Alternate actions. You need to log in to the Windows 11 or Windows 10 PC with a Microsoft account to complete this step manually.


Follow these steps to complete the end-to-end process of the Windows 11 Azure AD Join scenario.

You need to provide a Work or School ID used for Office 365 or any other Microsoft cloud or business solutions on this page. I entered my cloud ID (Azure AD user ID) and password and clicked on the Sign-in button.

  • Enter Corporate Email ID and press the Next button.
  • Enter the password and click on Sign-In.
  • Click on Next to start the Azure AD registration process.

NOTE! – In some scenarios, the user will get redirected to the third-party IDP (identity provider – PING, etc.) or ADFS if the password hash is not synced with Azure AD. This depends on the authentication configuration of the user’s organization.


When your organization has enabled multi-factor authentication (MFA) on Azure AD, you will receive a verification call on your mobile number, and you need to answer that call and press # to complete the authentication process.

If MFA is not enabled, the Azure AD join wizard will ask you to check and confirm your organization’s name and details. Once you are sure about the organization’s Azure AD domain that you want to join:

  • Click on the Join button in the popup window. Make sure this is your organization.

The user must wait some time to complete the Windows 11 Azure AD join process.


The Windows 10 or 11 machines will connect to Azure AD and complete the authentication and AAD join process. This may take some time, depending on your internet speed. 

Click on the Done button to finish the Windows 11 Azure AD Join process.

To complete the Azure AD join process, you must follow the Restart instructions to restart the Windows 11 PC.

NOTE! – Once the Windows 11 or Windows 10 PC is restarted, you/the user will be able to log in to the PC with corporate credentials.


All finished now. 🙂 The Windows 11 machine has joined Azure AD.

Click on Finish to complete the process. You can have auto-enrollment enabled for Microsoft Intune when machines join Azure AD.

Windows 10 or Windows 11 Azure AD Join Manual Process Verification

To confirm the Azure AD join, go to Settings –> Accounts –> Access Work or School and check whether your organization’s name is showing up there.

You can click on that button and check the Azure AD sync details to see whether policies are getting synced or not.
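The same check can be made from a command line with the built-in `dsregcmd /status` tool, which also distinguishes the three join types described earlier and shows which tenant the device actually joined. The PowerShell below is an added example, not part of the original post; the function name `Get-JoinState`, its parameters, and the sample output (tenant name and ID included) are constructed for illustration.

```powershell
# Added example: classify this device's join state from `dsregcmd /status`.
function Get-JoinState {
    param(
        # Output lines of `dsregcmd /status`; the tool is run locally when not supplied.
        [string[]]$StatusLines = (dsregcmd.exe /status),
        # Tenant ID the device is expected to belong to (optional).
        [string]$ExpectedTenantId
    )
    # Collect "Key : Value" lines; banner and separator lines do not match.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $aad = $state['AzureAdJoined']   -eq 'YES'
    $dom = $state['DomainJoined']    -eq 'YES'
    $wpj = $state['WorkplaceJoined'] -eq 'YES'   # shown for Azure AD registered devices
    $joinType = if ($aad -and $dom) {
        'Hybrid Azure AD joined'
    } elseif ($aad) {
        'Azure AD joined'
    } elseif ($wpj) {
        'Azure AD registered'
    } else {
        'Not joined to Azure AD'
    }
    [pscustomobject]@{
        JoinType      = $joinType
        TenantName    = $state['TenantName']
        TenantId      = $state['TenantId']
        MdmUrl        = $state['MdmUrl']   # MDM enrollment URL reported for the tenant, if any
        # True when no expected tenant was given or when the IDs match.
        TenantMatches = (-not $ExpectedTenantId) -or ($state['TenantId'] -eq $ExpectedTenantId)
    }
}

# Constructed sample in the layout of `dsregcmd /status` (not captured from a real device).
$sample = @'
| Device State                                                         |
             AzureAdJoined : YES
              DomainJoined : NO
           WorkplaceJoined : NO
                TenantName : Contoso (constructed)
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
```

On a real device, call `Get-JoinState` without `-StatusLines` and pass your own tenant ID; a `TenantMatches` value of `False` means the device joined a different tenant than the one you intended.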


How to Enroll Windows 11 Devices Automatically into Intune?

You can manually enroll Windows 11 devices into Intune using the method I explained in my previous blog post – Windows 11 Intune Enrollment Process Using Company Portal Application Settings App.

I have explained the Windows 11 automatic Intune enrollment process in this video tutorial. Automatic Intune enrollment is configured from the Azure portal.

NOTE! – You might need Global Admin/Appropriate access to set this Intune auto-enrollment up from the Azure portal.

  • Log in to the Azure portal, and select Azure Active Directory.
  • Select Mobility (MDM and MAM) > Microsoft Intune.
  • Select one of the three (Windows 10 or 11 Auto Enrollment) options from the configuration blade:
    • None – Default – If this option is selected, then Windows 10 or 11 Intune Auto-Enrollment is DISABLED.
    • Some – If this option is selected, then Windows 10 or 11 Intune Auto-Enrollment is allowed only for a group of Azure AD users.
    • All – If this option is selected, then Windows 10 or 11 Intune Auto-Enrollment is allowed for all Azure AD users in your tenant.
  • Click on the Save button to complete the process.

NOTE! – You can also use Group Policy (Auto MDM Enrollment with AAD Token) to enroll Windows 10 version 1709 or later and Windows 11 devices in Microsoft Intune.

Video – Windows 10 Intune Manual Enrollment Process

I have explained the manual Intune enrollment process in my previous blog. I cover some of the same in the video below.

Windows 11 Azure AD join – User View and Admin View

Results – Windows 11 Azure AD Join and Intune Enrollment

You can check the status of your Windows 11 Azure AD join and Intune Manual enrollment from two places.

Windows 11 Azure AD Join – User View

The first place to look at the results is the Windows 11 Settings page.

Settings > Accounts > Access work or school. Check whether you can see the Azure AD joined Windows 10 or 11 device, and whether it is also Intune enrolled. Following are the two connections I could see.

  • Connected to Default Directory’s Azure AD (Windows 11 Azure AD Joined)

Windows 11 Azure AD Join – Admin View

The second place to look at Windows 10 or 11 Azure AD Join results is from the Azure AD portal – Users or Devices pane or Intune blade.

Check, as an admin, whether the device shows up as Azure AD Joined.


Author

Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

11 thoughts on “Windows 11 Azure AD Join Manual Process Windows 10”

  1. Hello Anoop,
    Thanks for the detailed information that really helps.
    I have a question. Is there a way to manage all Windows 10 devices that are falling from our on-premises domain through Intune? We have some users in our environment and their laptops are falling from the domain since they don’t connect to VPN on a regular basis.

    Thanks
    Asher.

  2. After I joined to Azure Active Directory from my local ID.

    I need my old profile data should automatically available in my new Azure ID desktop.

    I need help on this.

  3. Can I deploy an Azure VM running Windows 11 Ent Multi Session and Azure AD-Join it, so to allow my Azure AD users to RDP to it?

    • You are correct if the custom domain is already confirmed, then you can use [email protected] instead of onmicrosoft IDs. But the process is the same as explained in the article for both scenarios.

      If you have an ADFS server or 3rd party IDP then the authentication process flow might change.

  4. Hello Mr Nair.

    Thank you for your posts, you make our lives easier.

    We have 300 laptops which were AAD joined by using Microsoft package designer. Now the requirement of one of the NAC solutions is to join them to the Domain (DC). Problem is the users are spread out and it’s difficult to bring them on the same page. We are thinking of running a PowerShell script through MDM to join the PCs to the Domain.
    What do you think?

  5. Hi Anoop,

    I have a few questions:
    1. Can a normal user add their devices to AAD with the above steps without having admin rights?
    2. Are we able to use group policies when we add “devices” like this to Azure AD?
    3. Can AAD replace the on-premises AD in terms of “Group Policy” and device control?

  6. I am having a few issues with Azure AD joined devices with Intune enrollment.
    I noticed that quite a few devices are currently not logged in to Company Portal and that any configuration profile, Compliance Policy or Applications that are targeting the user are not deployed.

    After almost 50 days on a ticket with Microsoft and them insisting that I should just ask the users to open Company Portal to sign in, the only solution that they were able to provide was to ask the users to sign in as AZUREAD\[company email] as this is the only way that the device knows it should sign in to Azure and not to the Local Work or School account.

    This is really frustrating and at this point I am trying to find a way to create a policy to force this behavior. Did you ever need to add any of this configuration to the device profile? I am struggling to find a solution.

  7. Hi Anoop,

    My organisation is using on-prem AD and planning to move to Azure AD in a year and implement EDR. They don’t want to do a device reset while joining it to Azure AD.

    Is there any way these devices can be enrolled in Intune (with Azure AD joined) without resetting them?

