Setting Up Azure Active Directory "For Beginners"

Jason Friedmann 1 Reputation point
2020-12-22T15:15:30.51+00:00

Hi Everyone,

I apologize if this question has been covered in the documentation -- I've been unable to locate anything "basic".

I am presently running a Restaurant/Resort environment with 15 PCs, using an on-premise Active Directory to manage login credentials and administrative rights to these PCs; running on I believe Windows Server 2008. I'd like to eliminate this server, and move this to the cloud, which I understand is Azure AD.

Half of my PCs would be "single user" -- where there is one person who needs access to all of "their" data; and the other half are "common" terminals that are shared by dozens of users to access a couple of local applications -- notably my restaurant point of sale; but do not store any data.

One problem I'm running into is with my "common users". Ideally, I'd like to just create one or two "common" users that have a very basic password (or no password at all when using one of these machines).

As well, when I log into the PC with my "common" user -- it asks every time to set up Windows Hello with some sort of multifactor authentication. I do not want this account secured.


2 answers

Sort by: Most helpful
  1. SAGOHIL-MSFT 456 Reputation points Microsoft Employee
    2020-12-23T14:06:30.333+00:00

    @Jason Friedmann Thank you for reaching out to us.

    Yes, the above planning is appropriate; we can surely move away from the on-premises domain controller to Azure Active Directory. However, I'd like to recommend the options below.

    OPTION - 1

    -> We can use Azure Active Directory and join the devices to Azure Active Directory.
    Ref.: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
    IMPORTANT - Currently supported operating system -- All Windows 10 devices except Windows 10 Home

    -> Once the devices are Azure AD joined, users can sign in to the local systems using the domain credentials. However, we do not have all the functionalities of an on-premises domain environment. Example - GPO, roaming profiles.

    -> We can also have a shared "common" account which can be used by multiple users to log in to the shared system with the same credentials.

    -> However, the important point here is: if you are using applications that authenticate against AD using NTLM/Kerberos, that will not work with Azure AD, as it doesn't support these protocols.

    Pricing

    OPTION - 2

    -> We can deploy Azure Active Directory Domain Services, which has most of the features of an on-premises domain controller.

    Pricing

    In regard to disabling the Windows Hello for Business PIN, we can achieve that by GPOs.

    How to Disable Windows Hello PIN Setup in Windows 10

    1. Press the Windows key + R to open the Run dialog, type gpedit.msc and hit Enter to open Local Group Policy Editor. If you're running Windows 10 Home, Local Group Policy Editor is not available, and you can use other ways to disable Windows 10 PIN login.

    2. Navigate to: Computer Configuration / Administrative Templates / Windows Components / Windows Hello for Business. On the right-side pane, double-click on the "Use Windows Hello for Business" policy.

    3. Select Disabled. Click Apply and then OK.

    4. Reboot your computer to apply the changes.

    Please let us know if you have any further queries in regard to the above information. We will be glad to assist you further.

    -Sagar


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
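
    The same "Use Windows Hello for Business = Disabled" setting the gpedit.msc steps above apply can be scripted on each new shared terminal instead of clicked through per PC. This is an added example, not part of Sagar's answer; it assumes the policy's registry-backed value (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, Enabled = 0) and the function names are the example's own.

```powershell
# Added example (not from the answer above): writes the registry-backed value
# behind the "Use Windows Hello for Business" machine policy, so the Hello/PIN
# provisioning prompt stops appearing on shared terminals without opening
# gpedit.msc on every new PC. Run from an elevated PowerShell prompt.
# Assumption: this is the value the Windows Hello for Business ADMX policy
# uses (PassportForWork\Enabled, DWORD, 0 = Disabled).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-WhfbPolicyState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured' for the machine policy,
    # so the change can be verified before and after it is applied.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-WhfbProvisioning {
    # Equivalent of: Computer Configuration > Administrative Templates >
    # Windows Components > Windows Hello for Business >
    # "Use Windows Hello for Business" = Disabled
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'Enabled' -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

$before = Get-WhfbPolicyState
Disable-WhfbProvisioning
$after = Get-WhfbPolicyState
Write-Output "Windows Hello for Business machine policy: $before -> $after"
# A sign-out/sign-in or reboot is still needed for the prompt to stop.
```

Note that on a device still joined to the on-premises domain, a Group Policy that configures the same setting will overwrite this value at the next refresh, so the GPO is the authoritative control there.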


  2. Jason Friedmann 1 Reputation point
    2020-12-24T03:46:59.213+00:00

    Hi Sagar,

    Thank you for the detailed explanation....

    Shared User
    For the "shared" users -- they do not need any "authentication" from anything to do with AD -- they just need a way to access the computer without having administrative rights to it.

    To set this up -- how can I reduce the password complexity requirements?

    Windows Hello

    How do I disable this at an organization level? Or at least the constant requests for it at a user level? I don't want to be in a situation where every time we replace a machine, we have to do things manually on a given PC.

    I notice there are a couple of points to pricing. We already pay for Office 365 apps, and my understanding is that a basic version of Azure AD is included with that?

