Skip to main content

Entra Joined Devices

Microsoft Entra ID-joined devices are devices that have been joined directly to Microsoft Entra ID (formerly known as Azure Active Directory) without the need for an on-premises Active Directory (AD) environment. This option is primarily designed for Windows 10 and Windows 11 devices.

With Entra joined devices, users can sign in to their virtual machines using their Entra ID credentials, providing a seamless and consistent authentication experience across devices and cloud-based resources. It eliminates the dependency on on-premises AD infrastructure for authentication.

It is important to note that Entra joined devices are not a replacement for traditional domain-joined devices in all scenarios. Organizations with complex on-premises Windows infrastructure, specific group policy requirements, or the need for on-premises resource access may still prefer using Active Directory domain-joined devices. Frame does support the Microsoft Entra hybrid joined device model combining both Entra joined devices and on-premises Active Directory domain-joined devices. Refer to our official solution guide for further details.

Customers choose to use Entra joined devices for several reasons:

  • Simplified device management: Entra joined devices can be managed centrally through Entra ID, allowing for streamlined device management and configuration without the need for on-premises infrastructure.
  • Cloud-centric approach: Organizations that rely heavily on cloud services and want to leverage Entra ID's capabilities can benefit from Entra joined devices. It aligns well with a cloud-first strategy and enables tighter integration with Azure services.
  • Enhanced security and access controls: Entra ID provides advanced security features, such as conditional access policies and multi-factor authentication, which can be applied to Entra joined devices. This helps enforce strong security measures for accessing corporate resources.
  • Seamless access to cloud resources: Entra joined devices enable users to seamlessly access cloud-based applications and services integrated with Entra ID, such as Microsoft 365 and other SaaS applications, using their Entra ID credentials.

Supported Infrastructures and Operating Systems

Frame supports Entra joined devices Early Access for infrastructure configurations listed in the table below:

InfrastructureOS OptionsAccount TypeAdditional Details
AzureWindows 10 or 11, Windows Server 2019 or 2022Non-persistent and persistentA native Azure Virtual Machine Extension is automatically installed and used to join the Azure VMs to Entra ID during the publishing process.
AHVWindows 10 or 11PersistentEnd users must go through the Microsoft Windows Out of Box Experience (OOBE) procedure to join their assigned persistent desktop to Entra ID.

Prerequisites

Before you begin, ensure you have the following:

  • Entra ID Tenant:

    • A dedicated instance of Entra ID representing your organization's identity and access management in Azure.
    • For AHV users, set the option under Entra ID > Devices > Device settings > Users may join devices to Entra ID to either All Users or specific user groups allowed to join VMs to Entra ID.

  • Operating Systems:

    • Windows 10 and Windows 11: Professional, Enterprise, and Education editions only. (Home Edition does not support Entra joined devices.)
    • Windows Server 2019 and 2022: For Azure only.

  • Internet Connectivity:

    • Devices intended to join Entra ID must have internet connectivity to communicate with Entra ID and complete the join process.

  • Access to Frame:

    • Access to your Frame Customer, Organization, or Account entity as a Customer, Organization, or Account Administrator role.

  • Frame Account:

    • A Frame account created using your BYO Azure subscription (with Owner role) or on your AHV cluster.

Setup

The setup and configuration of Entra joined devices will differ, depending on the infrastructure. Select the appropriate infrastructure for further details.

Frame SSO Support

The Frame SSO feature can be be used for Entra joined devices, in addition to classic domain-joined instances. Refer to the Frame SSO documentation for details on how to enable and use Frame SSO.

Intune Mobile Device Management

Microsoft allows customers to manage their end-users' devices, including workload VMs, using the Microsoft Intune Mobile Device Management service. Since Microsoft recommends Intune be enabled only for persistent machines, Frame support for Intune is allowed only for Azure persistent desktop Frame Accounts.

note

AHV customers using persistent desktop Frame Accounts can still set up Intune in Microsoft Azure to manage end users' workload VMs.

Windows Hello for Business (WH4B)

Windows Hello for Business (WH4B) is a secure Windows 10/11 authentication method that enables users to sign in to their corporate devices and applications using biometrics or PIN, eliminating the need for passwords. It enhances security and simplifies the login experience for users. By default, many customers with Entra ID Premium Subscription will have WH4B enabled by default.

In order to set up PIN (as an example of one WH4B sign in option), please note that you need to enable User Account Control (UAC), which is disabled by default on Frame workload VMs. To enable UAC, login to your Sandbox and in prior to publishing, execute the PowerShell command as a Windows administrator:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" -Name "EnableLUA" -Value 1 -Type DWORD

If all prerequisites for using WH4B are satisfied (e.g., using Gen2 instance types with vTPM chip), your end-users will be able to set up a PIN for access to their Frame desktop. As a best practice, WH4B should only be set up with persistent desktop Frame Accounts.