Use Azure AD for co-management

In the cloud, identity is the new control plane. Azure Active Directory (Azure AD) allows you to link your users, devices, and applications across both cloud and on-premises environments. Registering your devices to Azure AD enables you to improve productivity for your users and security for your resources. Having devices in Azure AD is the foundation for both co-management and device-based conditional access.

For more information on device-based conditional access, see How To: Require managed devices for cloud app access with conditional access.

In the following video, senior program manager Sandeep Deo and product marketing manager Adam Harbour discuss and demo Azure AD for co-management:

Azure AD provides two options for company-owned devices to suit your organization's needs:

  • Azure AD-joined device: Join your Windows 10 or later devices to Azure AD without needing to join them to your on-premises Active Directory

    • Supports Windows 10 or later

    • Set up without requiring any additional configuration to your on-premises environments

    • By enabling a few settings in Azure AD, you can enable your users to join devices to Azure AD through the Windows setup experience (OOBE)

    • For more information, see How to: Plan your Azure AD join implementation

  • Hybrid Azure AD-joined device: Join your existing domain-joined devices to Azure A

Both options provide similar functionality for users. It's flexible for you to choose either one based on your needs. For example, you can access your on-premises resources from Azure AD-joined machines even though they aren't joined to Active Directory.

You can join devices to Azure AD in various environments, no matter your authentication method. For example, federated authentication, or cloud authentication.

If you already have an on-premises Active Directory, setting up either option is straightforward.


Joining devices to Azure AD provides the following benefits to your organization:

Single sign-on to cloud resources

On devices joined to Azure AD, you get an integrated experience accessing any cloud or on-premises resources. Once you sign in to a Windows machine that's joined to Azure AD, you get single sign-on to all applications without any additional sign-in prompts.

Windows Hello for Business

Windows Hello for Business brings strong password-less authentication to Windows. By joining your devices to Azure AD, you can enable Windows Hello for Business across your user base for both cloud and on-premises resources. Windows Hello for Business eliminates the problem of remembering complex passwords or inadvertently exposing them. Its sign-in process is both simple and secure.

For more information, see Windows Hello for Business.

Device-based conditional access

Enable conditional access based on the device state to better protect your organization's data. Device-based conditional access requires a managed device. This device must be a compliant device or a hybrid Azure AD-joined device. For Azure AD-joined devices, you need Intune to mark the device as compliant. But for hybrid Azure AD-joined devices, the device state itself is used to evaluate conditional access. Co-management provides you the additional advantage of evaluating compliance through Intune for hybrid Azure AD-joined devices. This feature makes sure the device configuration is intact.

For more information on device-based conditional access, see How To: Require managed devices for cloud app access with conditional access.

Automatic device licensing

All Windows devices joined to Azure AD go through license checks. These checks enable you to automatically upgrade them from Pro to Enterprise through the Microsoft cloud. When you remove the relevant subscription from the user, the device automatically downgrades its license. This feature provides a single pane of control for managing Windows licenses, without any complicated processes or on-premises systems.

Self-service functionality

Self-service functionality includes self-service password reset and BitLocker recovery key. Azure AD also provides you with direct options to reset your password or access BitLocker recovery keys. You can use Azure AD to reset your password directly from the Windows lock screen, instead of from a web browser. These features reduce friction for users and help cut helpdesk costs for your organization.

For more information, see Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset.

Enterprise state roaming

All devices joined to Azure AD can sync their settings to the cloud. Any device to which a user signs in syncs all their settings for a more productive experience.

Value proposition

Joining your devices to Azure AD through either method accelerates your digital transformation. It enables more functionality provided by Microsoft 365. You'll have better experiences, and you'll have greater security for your data.

Azure AD provides several options to ease your work load, for example:

  • Manage all the device identities in your organization from a single place.

  • Lower your helpdesk costs by enabling self-service password reset. Then you users can reset your password from the Windows lock screen on your device at any time.


If you already have an on-premises Active Directory environment, and you want to join your domain-joined devices to Azure AD, configure hybrid Azure AD-joined devices. For more information, How To: Plan your hybrid Azure Active Directory join implementation.

Configuration Manager has a client setting to Automatically register new Windows 10 or later domain-joined devices with Azure AD. For more information on configuring client settings, see How to configure client settings.

If you want to configure Azure AD-join for your devices without also joining them to your on-premises domain, review the considerations for Azure AD-join in your environment. Once you decided to go with Azure AD join, you have many options to deploy it based on your organization's needs. For more information, see the following articles: