Background

In Azure Active Directory we have a setting that allow us to select 3 different options for Azure AD Join.

  • All users may join devices to Azure AD (Default setting in tenants)
  • Selected users may join devices to Azure AD
  • None users may join devices to Azure AD

We find the setting under https://portal.azure.com/#blade/Microsoft_AAD_Devices/DevicesMenuBlade/DeviceSettings/menuId/

With the default setting users are allowed to join personal computers to company Azure AD. If we look at Microsoft documentation they see Azure AD joined devices as a device the company owns. As Microsoft says the main goals for using Azure AD Join is to simplify.

  • Windows deployments of work-owned devices
  • Access to organizational apps and resources from any Windows device
  • Cloud-based management of work-owned devices
  • Users to sign in to their devices with their Azure AD or synced Active Directory work or school accounts

You find more information of all this on Microsoft page What is an Azure AD joined device? | Microsoft Docs

You can easily see the device state of your machine by running dsregcmd /status in a command prompt

We can join this machine under “Access work or School account”

Now we can see that the machine is joined and managed by Azure AD.

We can also see that we have a machine joined under Devices and also managed by Intune since I configured Azure AD managed machines should be handled by Intune.

What will happen to existing Azure AD Join devices if we turn this off?

We go to We find the setting under https://portal.azure.com/#blade/Microsoft_AAD_Devices/DevicesMenuBlade/DeviceSettings/menuId/

and here we switch to: None users may join devices to Azure AD

Now after a reboot I trigger a reboot on the machine from device management in Azure Portal. This still works and I get a message in the machine that administrator

What happens when I try to Azure AD Join a new machine after we turned this off?

The user is no longer able to join this machine to Azure AD. The error message is not the most user friendly. But if we look on the server message we get an indication on what is wrong.

You can read more about issues and errors here Troubleshooting hybrid Azure Active Directory joined devices | Microsoft Docs

What will happen to the existing Azure AD Joined machines if we clean them out of Azure AD?

In Azure Portal we select delete on the machine

We receive a message that all users can access this machine as part of Azure AD will lose access. With this information we know that it’s important that we have access to a local administrator account on the computer that is not part of the Azure AD the computer is joined to.

I know this account for this machine and I am comfortable to move on deleting it. If you are not sure you can contact the user and ask them about this computer or if that’s not possible you can start with “Disable” of the account and see if it generates a service ticket!

Noe the machine is removed from Devices in Azure Active Directory. But if I sign-in to the machine it seems to believe that it’s still Azure AD Joined. If we look at the state all seems fine. But if we look at DeviceAuthStatus we get an indication that something is wrong with the Azure AD Join.

If we see at the earlier images we can see that this device is managed by Intune. We need to remove the device from endpoint.microsoft.com. After we removed it from Intune and a reboot of the machine we can now see that the Device State looks good again.

Summary

Devices and device state can be tricky in Azure AD. Hope this can help you in your decision on how to handle Azure AD Join setting in your Azure AD.