In a previous blog on Azure App Proxy we noted the ability to improve security in published applications using conditional access policies, which allow you to configure access based on group, location and specific application sensitivity.
Application sensitivity has become important for adding extra levels of protection, to make sure that access is not given to users who are potentially not who they say they are and that secure information is not passed onto an unmanaged device. One of these levels of protection is to verify that the machine connecting to the application is a domain-joined machine within the organisation and therefore known to be in a good secure state with up-to-date anti-virus, security group policies and possibly BitLocker drive encryption.
To enable this feature the device must be known to Azure Active Directory. This can be configured for Windows 7-10 by enabling the device to accept automatic device registration settings. The environment must be running an up-to-date version of Azure AD Connect to keep the association between the computer account in your Active Directory and the object in Azure Active Directory.
Once this has been completed, the computer object will be present in Azure Active Directory, allowing conditional access policies to recognise that the machine is a member of the organisation's Active Directory.
Domain Join combined with Device Registration differs subtly from Azure AD Join: it allows clients to remain managed by on-premises tools while still taking advantage of reduced logins for cloud applications and security policy assignment.
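One way to check which of these states a client is actually in, as an added example that is not part of the original post: the script below parses the "Device State" section that `dsregcmd /status` prints on Windows 10 and separates a domain-joined, registered machine from an Azure AD joined one. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of the "Device State" section of `dsregcmd /status`
# (Windows 10); not captured from a real machine.
SAMPLE_HYBRID = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : EXAMPLE
"""

# Matches "Key : Value" lines; banner lines start with '+' or '|' and are skipped.
FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_device_state(text):
    """Return the 'Key : Value' pairs of dsregcmd /status output as a dict."""
    state = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            # Keep the first occurrence if a key is repeated in later sections.
            state.setdefault(match.group(1), match.group(2))
    return state


def classify(text):
    """Map the two join flags onto the registration state they imply."""
    state = parse_device_state(text)
    aad = state.get("AzureAdJoined", "").upper() == "YES"
    domain = state.get("DomainJoined", "").upper() == "YES"
    if aad and domain:
        return "hybrid"           # domain joined and registered in Azure AD
    if aad:
        return "azure-ad-joined"  # joined to Azure AD only, not to the domain
    if domain:
        return "domain-only"      # on-premises account only, not yet registered
    return "unjoined"


if __name__ == "__main__":
    print(classify(SAMPLE_HYBRID))
```

A machine reported as `domain-only` has not completed device registration, so its computer object is not yet known to Azure Active Directory.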
Taking the first step to integrating services with Azure from your on-premises systems allows your organisation a more dynamic implementation of the journey to the cloud. For more information on these services, or how you can transition to using a hybrid cloud model for your business, please contact EACS.