License requirements for Azure AD Join
A device can be either Azure AD Registered or Azure AD Joined. When a device is Azure AD Joined, it belongs to the organization; practically speaking, an administrator can enforce configuration on it and even wipe its contents remotely.
Windows Home cannot perform an Azure AD Join, but Windows Pro and Enterprise can. This does not mean the device has to ship with Pro or Enterprise: there are licensing options that step the Windows edition up.
Which license you need depends on the edition already installed on the device. If it comes with Windows Pro, the edition is already join-capable, so a Microsoft 365 F1 (1.8€) is enough, since it brings the Intune management features; if it comes with Windows Home you need a license that carries Windows Enterprise, such as Microsoft 365 F3 (6€). One caveat a practitioner should know: Windows subscription activation steps a Pro edition up to Enterprise, so a Home device first has to be upgraded to Pro (with a Pro product key) before the Enterprise license takes effect. Check the installed edition before buying.
These prices come from our Microsoft 365 license optimizer.
What are the advantages of having a device Azure AD Joined?
- The most obvious is security. Because an Azure AD Joined device is organization owned, you can enforce security checks and configuration on it through Intune compliance policies and Conditional Access. For instance, the device is only allowed to reach organization resources if it has all the required Windows updates installed, and a stolen laptop can be wiped remotely.
- Install required software at first sign-in. The administrator can configure the device so that during its first setup (when Windows is configured for the first time) the user only gets access to the desktop once a predefined list of software (e.g. Office 365) has been installed.
- The user gets a passwordless experience. You can enable multi-factor authentication and, because the device is Azure AD Joined, it holds a primary refresh token that provides single sign-on: the user enters a password only to sign in to the device, not in each application.
- Encrypt the disk drives. With BitLocker the drive content is encrypted. Why does this matter? Suppose a laptop holding sensitive data is stolen. As an admin you can block sign-in or wipe the PC, but if the device never reconnects to the internet and whoever has it boots a different OS, they can read the disk content. Not if it is encrypted. Make sure the recovery key is escrowed to Azure AD, otherwise a legitimate user who is locked out has no way back in.
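The BitLocker point above is only worth something if protection is actually on and the recovery key is stored somewhere the organization controls. The following is an added example (not code from the original article) that checks the system drive from an elevated PowerShell session on the joined device and escrows every recovery-password protector to the Azure AD device object using the BitLocker module's BackupToAAD-BitLockerKeyProtector cmdlet. The commented-out Enable-BitLocker lines are an assumed manual fallback; in a managed fleet the Intune BitLocker policy should turn protection on.

```powershell
# Added example, not part of the original article. Run elevated on a Windows 10/11
# Pro/Enterprise device that is already Azure AD Joined.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning ("{0} is not protected (protection: {1}, encryption: {2})." -f `
        $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus)
    # Assumed manual fallback; normally left to the Intune BitLocker policy:
    # Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    # Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
}

# Only recovery-password protectors can be escrowed; the TPM protector never leaves the device.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning 'No recovery password protector present; add one before escrowing.'
    return
}

foreach ($kp in $recovery) {
    # Stores the recovery password under the device object in Azure AD, where an
    # admin (or the user, via My Account) can retrieve it after a lockout.
    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
    "Escrowed recovery protector $($kp.KeyProtectorId) for $($vol.MountPoint) to Azure AD."
}
```

Run it once after enrolment and again after any re-encryption: a fresh recovery password protector is not escrowed until this cmdlet (or the equivalent Intune policy) pushes it up.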
How can a user join Azure AD?
First make sure the user meets all the requirements:
- Has Windows 10/11 Pro or Enterprise.
Assigning a license that includes Windows 10/11 Enterprise (Microsoft 365 F3, for instance) steps a Pro edition up to Enterprise; a Home edition has to be upgraded to Pro first. Make sure that under Licenses and Apps > Apps the user has Windows 10 Enterprise checked.
- Has the Microsoft Intune feature assigned. Both Microsoft 365 F3 and F1 include it.
Then join from the Settings app on the device:
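Before sending the user through the Settings steps, it is worth confirming from the device itself that the edition is join-capable and that an assigned Enterprise license has actually activated. This is an added example, not code from the original article; the EditionID values it matches (Core for Home, Professional and Enterprise prefixes for the others) are the registry values Windows writes, and LicenseStatus 1 means "Licensed".

```powershell
# Added example, not part of the original article. Works on any Windows 10/11 device.
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
"OS: $($os.Caption) build $($os.BuildNumber), EditionID: $edition"

switch -Regex ($edition) {
    '^Core'         { Write-Warning 'Home edition: cannot Azure AD Join. Upgrade to Pro first.' }
    '^Professional' { 'Pro edition: Azure AD Join is supported; an Enterprise license can step it up.' }
    '^Enterprise'   { 'Enterprise edition: Azure AD Join is supported.' }
    '^Education'    { 'Education edition: Azure AD Join is supported.' }
    default         { Write-Warning "Unrecognised EditionID '$edition'; check manually." }
}

# Subscription activation check: the Windows product that carries a partial product key
# is the active one. After a successful Enterprise step-up its Name says "Enterprise"
# and LicenseStatus is 1 (Licensed).
Get-CimInstance -ClassName SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
    Select-Object Name, LicenseStatus, @{ Name = 'Licensed'; Expression = { $_.LicenseStatus -eq 1 } }
```

If the edition still reports Professional a day after the Windows 10 Enterprise app was enabled on the user's license, the device has not contacted the licensing service yet; signing in with the licensed account and running `slmgr /ato` usually triggers it.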
- Open the Settings app and click Accounts
- Select Access work or school
- Select +Connect
- Click Join this device to Azure Active Directory
- Sign in with the user's work account and confirm the organization details when prompted
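Once the user has gone through those steps, the join state should be verified on the device rather than taken on trust, because a device that is merely Azure AD Registered ("Add work or school account" instead of "Join this device") looks similar in Settings but is not organization owned. This added example (not from the original article) parses the "Key : Value" lines of `dsregcmd /status` and compares the fields that distinguish a real Azure AD Join from a registration or a hybrid join. The expected values are the ones Windows prints for a pure Azure AD Joined device with a user signed in.

```powershell
# Added example, not part of the original article. Run as the signed-in user on the device.
$status = @{}
dsregcmd /status | ForEach-Object {
    # Lines look like "             AzureAdJoined : YES"; box-drawing lines have no colon and are skipped.
    if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') { $status[$matches[1]] = $matches[2] }
}

$checks = [ordered]@{
    'AzureAdJoined'   = 'YES'   # device object exists in Azure AD (organization owned)
    'DomainJoined'    = 'NO'    # pure Azure AD Join, not hybrid with on-prem AD
    'WorkplaceJoined' = 'NO'    # not merely Azure AD Registered (personal device)
    'AzureAdPrt'      = 'YES'   # primary refresh token present: SSO / passwordless works
    'TpmProtected'    = 'YES'   # device key is bound to the TPM
}

$ok = $true
foreach ($k in $checks.Keys) {
    $actual = $status[$k]
    $pass   = $actual -eq $checks[$k]
    if (-not $pass) { $ok = $false }
    '{0,-16} expected {1,-4} got {2,-4} {3}' -f $k, $checks[$k], $actual, $(if ($pass) { 'OK' } else { 'MISMATCH' })
}
"TenantName: $($status['TenantName'])  DeviceId: $($status['DeviceId'])"
if (-not $ok) { Write-Warning 'Device is not in the expected Azure AD Joined state.' }
```

AzureAdPrt only turns to YES after the user signs in to Windows with the work account; if everything else passes but the PRT is missing, sign out and back in before investigating further.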