All about Azure

Migrating MSA to AAD “fun” (rant)

I am starting to go through the Microsoft push to move from Microsoft Accounts (MSA, a.k.a. live.com accounts) to Azure Active Directory (AAD), their cloud-based enterprise solution to user and group management.

With a heavy investment in Azure, Visual Studio Team Services (VSTS), Visual Studio Subscriptions (formerly MSDN subscriptions), etc., this has been challenging.  We have run into issues with moving Azure subscriptions to AAD (previously managed via MSA).  We have run into PowerShell for Azure scripting issues.  We have run into automation issues between VSTS and Azure. VSTS has a strange requirement that the primary email address on the MSA must be the VS subscription email address (change the primary email address on your MSA and you won’t see your VS subscription, unless it is the free one).

Add to that the fact that my MSA used to have a custom domain.  They offered it, promoted it, and then are taking it away, although “grandfathering” those that had it.  But this has been problematic in that I couldn’t renew it, and their support kept trying to push me over to the business side (Office 365) when it is part of Outlook Premium.  I finally gave up and moved my custom domain to Office 365 to make it more straightforward.  But I shouldn’t have had to do that, now having two separate accounts where before I had one.

I know we will get through this.  In the long run, it will probably be for the best.  In addition to my navigating from MSA to AAD, I also access multiple AADs, so that fun should be interesting when the time comes.

Microsoft should have continued to embrace custom domains with Outlook Premium (via MSA).  Microsoft should have done a much better job of supporting both MSA and AAD integration, giving us migration tools to map MSA accounts to AAD (with the MSA account’s approval, of course) so resource access wasn’t lost or confusing (instead of having to work with Microsoft directly, where they have made mistakes because of the complex array of services over the decades via MSA).

I did look at an alternative to O365 and Outlook Premium once I knew I was in trouble with their policy changes that were well supported.  Unfortunately, there wasn’t much that could provide the Exchange Active Sync (EAS) capabilities along with Webmail and Outlook support (with all the features of Calendar, Inbox, Folders, Contacts, etc.).

Joining Azure Active Directory (1703+)

The process of joining an Azure Active Directory (AAD), starting with Windows 10 build 1703, has changed.

Why Azure AD Domain Join?

There are a number of benefits to joining AAD so that you can use your Azure AD / Office 365 login:

  1. Centralized login credentials, especially nice with multiple devices
  2. Eliminate Office 365 and Azure-based login prompts when accessing work-based resources (Single Sign-On, or SSO).
  3. Enterprise-based roaming of user settings across joined devices without the need for a Microsoft Account (e.g. account.microsoft.com).
  4. Access to Windows Store for Business using the AAD account.
  5. Doesn’t require a Windows Domain Controller (Windows Active Directory, or WAD) for smaller businesses.

If you are an enterprise (or even a smaller business) with local authentication services on Windows AD, you can connect AAD to WAD and automatically link devices to AAD via Group Policy.

This requires allowing devices to join the Azure Active Directory. This is done via the Azure AD Portal: navigate to Azure Active Directory, then Devices, and finally Device settings.

Notice that the setting Users may sync settings and app data across devices is missing. This is because Intune and AAD Premium are not being used.

Without this setting enabled, Windows 10 shows end users the message “Sync is not available for your account. Contact your system administrator to resolve this.” under Sync your settings (a feature that is available when a Microsoft Account is used).

Azure AD Domain Join

Windows 10 devices can join AAD for centralized authentication and limited management (unless you have an Intune Subscription).

Click on Start and then Settings. Click on Accounts.

Click on Access work or school. Click on Connect.

Click on the Join this device to Azure Active Directory link:

Ignore the fact that the title states Microsoft account, which could be confused with a Microsoft Account. This is the right place for using AAD logins.

Enter your AAD login (email address) and click the Next button:

Enter the password for the account and click the Sign in button (noting that your screen will look slightly different, depending on the branding done on the AAD side of things):

Confirm you are joining the right organization and click the Join button:

If all goes well, you will receive a confirmation message and can click Done.

You are now connected to the AAD domain (so the account is technically AzureAD\youremail@domain.com, using the previous examples).

It is recommended that you restart your computer and sign in with the new account by clicking Other user on the login screen and entering the email address of your AAD login.
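As an added check (example code, not part of the original post), you can confirm from PowerShell that the join described above actually took effect. It uses the built-in Windows 10 tool dsregcmd /status and assumes its output uses the usual "Key : Value" lines (AzureAdJoined, DomainJoined, EnterpriseJoined, TenantName, TenantId, DeviceId); the join-state classification at the end is the author's own reading of those fields.

```powershell
# Added example: verify Azure AD join state after the Settings > Accounts >
# Access work or school > Join steps. dsregcmd.exe ships with Windows 10; the
# field names below are assumed from its /status output ("Key : Value" lines).
function Get-AadJoinState {
    [CmdletBinding()]
    param(
        # Pass captured output to parse offline; defaults to running dsregcmd.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusLines) {
        # Match lines like "      AzureAdJoined : YES"; the +----+ and | borders
        # of the section headers start with punctuation and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $key = $matches[1] -replace '\s+', ''   # "Device Name" -> "DeviceName"
            if (-not $fields.ContainsKey($key)) { $fields[$key] = $matches[2].Trim() }
        }
    }

    [pscustomobject]@{
        AzureAdJoined    = ($fields['AzureAdJoined']    -eq 'YES')
        DomainJoined     = ($fields['DomainJoined']     -eq 'YES')
        EnterpriseJoined = ($fields['EnterpriseJoined'] -eq 'YES')
        TenantName       = $fields['TenantName']
        TenantId         = $fields['TenantId']
        DeviceId         = $fields['DeviceId']
    }
}

$state = Get-AadJoinState
if ($state.AzureAdJoined -and -not $state.DomainJoined) {
    Write-Host "Azure AD joined to tenant '$($state.TenantName)' ($($state.TenantId)), device $($state.DeviceId)."
} elseif ($state.AzureAdJoined -and $state.DomainJoined) {
    Write-Host "Hybrid joined: Windows AD domain joined and registered with Azure AD."
} else {
    Write-Warning "Not Azure AD joined; re-run the Join steps or check Device settings in the Azure AD portal."
}
```

Run it in an elevated PowerShell window after the restart; a DeviceId confirms the device object that an administrator will see under Azure Active Directory > Devices in the portal.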