Nov 2018

What is Intune MDM Enrollment vs. Azure Workplace Join?

When you join a Windows machine to a network in the traditional way, you have the choice of joining a workgroup or a domain. A workgroup has limited features. It really just gives each device the ability to share files with one another, and that is about it. A domain was a far better choice in most instances because it offers all of the management and security abilities you need in an enterprise.

I use that analogy to describe the difference between MDM Enrollment and Azure Workplace.   Azure Workplace join is not the same as Intune MDM. 

It is, however, a first step to enrolling in MDM, because a device has to be joined to Azure AD before it can be enrolled in Intune. With Azure Workplace, you’re really just “half way there” (as Bon Jovi would say, well, sing really).

And there are really minimal advantages to being just "half way there".

Azure Workplace is really just about allowing other people to bring their own devices (BYOD) to join your Azure AD and enjoy a few benefits such as:

  • single-sign-on (SSO) functionality to cloud services
  • access to the Windows Store
  • ability to log on to a device using an organizational work or school account

What you can’t do with Azure Workplace is:

  • Deploy applications
  • Manage settings
  • Lock down a machine
  • Wipe it
  • Control it

All of that takes full MDM enrollment.  But if you are looking for a quick way for a dozen temp workers or contractors to join your Azure AD, it is ample to get the job done.

You can tell if your device is only Azure Workplace joined. If you click “Manage your account” on your Windows Profile page, the page will open in a web browser. In the screenshot below, you can see where the computer is only “Workplace joined” and not MDM enrolled.

You can see this for yourself if you click on the flag, click Manage your account, and open the page in a browser, like Edge. You’ll see in Figure 2.23 where the computer is merely “Workplace joined” and not MDM enrolled.

Note the Windows flag-like icon, which is also an indicator of Workplace joined status. If the machine were MDM enrolled, it would be replaced by a briefcase. In the end, if you want the full Monty, you need to complete the two-part process and become MDM enrolled on top of merely registering with Azure.
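The same check can be scripted for auditing which machines have SSO but are not managed. This is an added example, not part of the original post: it reads the `WorkplaceJoined` and `AzureAdJoined` fields from `dsregcmd /status` and looks for an MDM enrollment in the registry. The function names, the constructed sample output, and the use of a `ProviderID` of `MS DM Server` under `HKLM:\SOFTWARE\Microsoft\Enrollments` as the Intune enrollment marker are assumptions of this example.

```powershell
# Added example (not from the original post): tell a device that is only
# Workplace joined apart from one that is also MDM enrolled.

function ConvertFrom-DsregStatus {
    # Turn the "Name : Value" lines of `dsregcmd /status` into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-MdmEnrolled {
    # Assumption: an Intune enrollment leaves a subkey with ProviderID "MS DM Server".
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return $false }
    $hits = Get-ChildItem $root -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }
    [bool]$hits
}

function Get-JoinVerdict {
    param([hashtable]$State, [bool]$MdmEnrolled)
    $hasIdentity = ($State['WorkplaceJoined'] -eq 'YES') -or ($State['AzureAdJoined'] -eq 'YES')
    if ($MdmEnrolled) { return 'MDM enrolled: apps, settings, lockdown and wipe are available' }
    if ($hasIdentity) { return 'Azure AD only (half way there): SSO works, device is NOT managed' }
    'Neither Workplace joined nor MDM enrolled'
}

# Constructed sample of `dsregcmd /status` output for a BYOD machine,
# used only when the script runs somewhere dsregcmd.exe is not available.
$sample = @'
             AzureAdJoined : NO
              DomainJoined : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $state = ConvertFrom-DsregStatus (dsregcmd.exe /status)
    Get-JoinVerdict -State $state -MdmEnrolled (Test-MdmEnrolled)
} else {
    Get-JoinVerdict -State (ConvertFrom-DsregStatus $sample) -MdmEnrolled $false
}
```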

Brent Allen

What's the two-part process to become MDM enrolled?