Azure Active Directory and Windows 10: Microsoft’s Hybrid Vision

Azure Active Directory and Windows 10: Microsoft’s Hybrid Vision

As more and more companies make the transition from On-Premise to the Cloud, Microsoft believes that there will be a phase where companies run both data centers in parallel.  Microsoft believes that this Hybrid state will last for approximately 10 years.  Beyond these years most workloads will be in the cloud.

How can organisations manage users and devices from a single source of truth?  Microsoft has assisted with this Hybrid state allowing companies to administer cloud users, all with the assistance of Azure ADConnect. Today we are in a Cloud First era, if Cloud is not supported why not?

The days of imaging devices and adding them domains maybe coming to an end.  Companies will soon be able to manage Windows 10 (slated for first update) by simply joining them to Azure AD, with Azure AD Join.

This will be compatible with Microsoft Intune. Users will get a single sign on experience from their on premise applications, device and their cloud applications. This will be the start of large organisational process changes and is important as companies look to manage the plethora of mobile devices.  If your next device refresh is the same as your last one, it may be an outdated solution.

Let’s go for a test!  I installed Windows 10 build 10074 with Hyper-V on my laptop with 1.5 gig ram allocated (works, but definently needs resources), after installing I was presented with this screen


Here you can click Express or Custom, this just changes your Feedback and other experience related settings, then I got a loading screen


Then I selected “This Device Belongs to my Company”


I clicked continue make sure you read this screen first


Then I typed in my username and password


I got my password wrong first time, but this error gave me something interesting, my Azure AD branding that I configured at TechEd Australia last year came through.


Then I got this screen, after 10 minutes watching the circle I went got a coffee then played with my phone.


Then I got this log in screen


Logging in


Then this error.  Not sure if it was a VM, network or ram issue.


I selected Try Again and it worked immediately.  Please note the default PIN complexity requirements.  This pin may now automatically work across several different devices.


But what does this mean and what has happen to my machine?  It is not on a domain, but if you check the sysinfo it says my logon server is \\AzureAD.

Edit:  I tested SSO for Office 365 and Azure as suggested by Alex Simons.  I could only get Azure SSO to work.  With Office 365 each time I tried to enter the URL it would redirect back to Office 365 login page.

I am sure in the coming months we will see more features and capabilities added.  Keep a look out for more on this topic at this year TechEd’s, Ignite and Build events around the world.


The key benefits and capabilities of Azure Active Directory and Windows 10:

  • Consistent user experience.
  • Single Sign on
  • Automatic Enrollment
  • Support modern form factors – devices that don’t have domain join functions.

This feature has huge potential so it is good to start planning any organisational transformations before Windows 10 goes GA.

Look at the following comment from Deniz regarding this new feature”Works great, well done, already started planning to decommission all onprem servers including ADs and work with AzureAD only with a fileserver vm in Azure.”

To get started refer to the following article:

Post by Alex Simons and Ariel Gordon

And follow these twitter handles

@aaronw2003  @Alex_A_Simons @askariel

To start planning for your business transformation you can deploy and test these features all from within your Microsoft Azure subscription and a VM.  If you don’t have an Microsoft Azure subscription you can take a trial here.

Aaron Whittaker @AaronW2003

profile pic


Intune Discovery: Kicking the Tires

The Intune cloud-based management service is a solution that helps you to manage your computers and mobile devices and to secure your company’s information.

With the proliferation of BYOD and BYOID’s, I wanted to “kick the tires” so here we go for a discovery.  Cooking time: 1 day.

My Microsoft ID’s had already been synced from On premise AD via AADSync.  See my previous post on this topic here.

I subscribed for a 30 Intune trial here which is for 30 days for 30 test licenses.

Then to utalise the Intune console I had to update my Silverlight version on my Microsoft Surface 3.  I logged in and I was presented with this console.  The Dashboard provides shortcuts to the initial tasks which are required.  I selected Add users.


I select several users and applied the Intune license as shown below.


Then I created a Group with all my licensed users.


Next we need to create a policy that we wish to push out to the users BYOD (Group).



I selected Computer Management, Windows Firewall Settings, Create and Deploy a Custom Policy.


It prompted me to deploy the policy.


Then I applied the Policy to a group


Then I downloaded my Client Software and attempted to apply it to my MSDN Windows 10 running in Azure.



It appeared to install but unfortunately Intune is not compatible with Windows 10 yet.  I received an error in the console and the agent was not running on the OS.  See this compatibility list here.



After I successfully loaded the agent on a Windows 8.1 machine in Azure, I loaded my firewall to see my Policy changes had applied.


Then I decided to scan using the Intune Endpoint Protection.  All of the definitions are defined within my Intune portal.


Next I wanted to remotely push some software.  I downloaded and run the Intune Software Publisher plugin.


Then I ran the wizard.


I selected SpotifySetup.exe and also selected a Spotify Icon.



I left everything else as default.



Then I selected upload.


I then applied the Software All Users.


Here is a summary of all my deployed software.


Back on the Windows 8.1 machine I opened the Intune Center tool from the right hand corner near the clock.

23 - Copy

Then I selected Get Applications from the Company Portal.  Here I had to authenicate (only the first time).  It even allowed me to reset my expired password.  Here you can see my Azure Active Directory Premium portal customisations have loaded.


I selected YES to the primary user of this computer.


Here you can see that Spotify was advertised on the main portal page.


If I select All Apps, Spotify is also advertised inside here and ready to install.


I selected Spotify and Install.


It now displays as installing.


Next I wanted to apply a minimum in Microsoft patches to my non domain devices.  This would be useful for a company that wants to ensure that a minimum level of patches are running on all machines that access their corporate data.  I approved all patches to All Devices back in the Intune console under groups.


Then back on the Windows 8.1 machine I  immediately prompted to install the newly approved patches.

Then I decided that I wanted to manage BYO mobile devices as well.  So i went to admin within the console, I selected Set Mobile Device Management Authority.



Then I Added a Device Enrollment Manager.


This is where I stopped.  I did not have a spare mobile device that I wished to wipe.

The Administrators Console dashboard has great visibility into the fleet’s health.  You can see the 1 error, this is my failed Windows 10 installation.  Clicking on each alert takes you straight to the reported area.


So as you can see there are a lot of great management features within Intune.  It has certainly come a long way in the last few years.  There are many features and perhaps your company will find this tool suitable for only 1 or 2 specific tasks, rather than using every feature that is available.  This is a very feature rich tool which does everything except refill your coffee cup.

profile picAaron Whittaker @AaronW2003

Ignoring VM’s with Stop Start Automation tasks in Azure

Thanks for yesterdays positive comments/questions and retweets.  To follow up after yesterdays post on creating Automated tasks in Azure we will modify the scripts and see what has happened.

Firstly to answer a question, yes you can ignore certain servers if they need to remain on or off.  The only issue I see is if a server is created and to be ignored by this script you will need to update the script each time another server is added to your Azure subscription.

Can you just use group memberships? @Simonster

Let’s change my scripts so Win10Az remains on or off, and must be stopped/started manually (normally).  So go back to Automation, stop script, author, draft, edit, change this line from

Get-AzureVM | where{$_.status -like ‘Stopped*’ } | Start-AzureVM


Get-AzureVM | where{$_.status -like ‘Stopped*’ -and $_.Name -ne ‘Win10Az’} | Start-AzureVM

This is highlighted in the screen grab below.


I ran the stop script and confirmed that only my BenWin10 server powered off.

I then added a similar line of code for my starting script, which you can see below.  I also selected the Start button on this screen.


Then once the start script had finished (90 seconds) I went back to my Virtual Machines view and as below you could see that only BenWin10 was starting up.  Win10Az was ignored when either script ran.



One last point, below is a screen shot of my scripts dashboard, from here you can easily see when the servers were on or off.  This is a great view to ensure your script is working as excepted.



profile pic Aaron Whittaker @AaronW2003