• Different Azure AD Join Types

    It can take some research and testing to understand the differences between the Azure AD join types.

    I have summarised some key differences in the following table.

    | Difference between | Azure AD registered | Azure AD joined | Hybrid Azure AD joined |
    |---|---|---|---|
    | Primary audience | Bring your own device (BYOD); Mobile devices | Organizational computer | Organizational computer |
    | OS | Windows 10, iOS, Android, and MacOS | Windows 10 devices (except Windows 10 Home); Windows Server 2019 Virtual Machines running in Azure (except Server core) | Windows 10, 8.1 and 7; Windows Server 2008/R2, 2012/R2, 2016 and 2019 |
    | Device sign in options | Local account; Windows Hello | Organizational account in Azure AD; Windows Hello for Business | Organizational account in on-prem AD; Windows Hello for Business |
    | Sign in authenticate to | Local computer | Azure AD | On-prem domain controller |
    | Device management | MDM (Intune) | MDM (Intune) | MDM (Intune) and Group policy |
    | SSO | SSO to cloud resources | SSO to both cloud and on-premises resources | SSO to both cloud and on-premises resources |
    | Self-service Password Reset | Only for local account | For Organizational account at login/lock screen | For Organizational account at login/lock screen |

    As more and more staff work from home, IT teams are starting to consider solutions that allow remote identity management without relying on line of sight to domain controllers. So:

    • If you want to log in to a computer by authenticating to Azure AD, you will need to unbind the computer from on-prem AD and then bind it to Azure AD. A hybrid Azure AD joined computer will still authenticate to your domain controller.
    • Microsoft recommends using the MDM-only approach to manage all Azure AD joined devices, instead of co-management with SCCM.
• Auto-create Default Outbound NSG for Servers in Azure


    In Azure, a Network Security Group (NSG) is a basic firewall containing a list of security rules.

    An NSG can be associated with subnets, individual NICs, or both.

    By default, the outbound NSG for a subnet allows all outbound traffic, which is not secure for servers.

    There are discussions [1] [2] on how to limit outbound traffic while still allowing traffic to the Azure infrastructure required by different services, such as Windows updates.

    I found that existing methods created hundreds of rules, which are difficult to maintain. This post introduces a method to create a single rule that allows outbound traffic to all Azure IP ranges.


    Code – new

    The following script uses the Azure PowerShell Az module.

    Because it doesn’t support a GUI yet, there are more parameters to set before running it.

    Code – old

    The following script uses Azure PowerShell.

    Adjust the 3 parameters before running it.

    After running the code

    After defining these Azure-related outbound rules, you may need to add some additional rules to permit outbound access to other legitimate non-Azure services, such as:

    • public DNS servers
    • email services
    • kms.core.windows.net:1688
    • APIs and any other services that your applications need to access

    Then, you can create a rule at the end of the NSG to block all outbound traffic.
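
One way to apply the rule order described above with the Az module, as an added example (it is not the post's own script). It assumes the `AzureCloud` service tag as the single Azure destination; the resource group name, NSG name, rule names and priorities are hypothetical.

```powershell
# Added example. Requires the Az.Network module and an authenticated session (Connect-AzAccount).
param(
    [string]$ResourceGroupName = 'rg-servers',   # hypothetical name
    [string]$NsgName           = 'nsg-servers'   # hypothetical name
)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName -ErrorAction Stop

# NSG rules accept IP prefixes or service tags, not host names,
# so the KMS endpoint is resolved to IPv4 addresses at deployment time.
$kmsIps = [System.Net.Dns]::GetHostAddresses('kms.core.windows.net') |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
if (-not $kmsIps) { throw 'Could not resolve kms.core.windows.net' }

# Order matters: lower priority numbers are evaluated first, and 4096 is the last slot.
$rules = @(
    @{ Name = 'Allow-Out-AzureCloud'; Priority = 100;  Access = 'Allow'; Protocol = '*'
       Destination = 'AzureCloud'; Port = '*' },     # assumption: service tag as the single rule
    @{ Name = 'Allow-Out-KMS';        Priority = 110;  Access = 'Allow'; Protocol = 'Tcp'
       Destination = $kmsIps;      Port = '1688' },
    @{ Name = 'Deny-Out-All';         Priority = 4096; Access = 'Deny';  Protocol = '*'
       Destination = '*';          Port = '*' }
)

foreach ($r in $rules) {
    # Leave existing rules alone so a rerun does not fail on duplicates.
    if ($nsg.SecurityRules | Where-Object { $_.Name -eq $r.Name }) {
        Write-Warning "Rule $($r.Name) already exists, skipping"
        continue
    }
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name $r.Name -Direction Outbound -Priority $r.Priority `
        -Access $r.Access -Protocol $r.Protocol `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $r.Destination -DestinationPortRange $r.Port
}

# Nothing changes in Azure until the modified NSG object is written back.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Print the resulting outbound rules in evaluation order for review.
$nsg.SecurityRules | Where-Object Direction -eq 'Outbound' |
    Sort-Object Priority | Format-Table Name, Priority, Access, DestinationAddressPrefix
```

The `AzureCloud` tag covers every Azure public IP range, including resources owned by other customers, so this narrows egress rather than limiting it to your own or Microsoft's services. The KMS rule holds the addresses resolved when the script ran, so rerun it if that endpoint's address changes.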


    [1] https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/

    [2] https://serverfault.com/questions/888645/nsg-block-all-outbount-internet-traffic