One of several big Windows 10 announcements from Ignite last week was the integration of Azure AD and Windows 10. If you’re not familiar with Azure AD Sync Services (formerly DirSync), it allows the synchronization of user accounts (and passwords) between your local Active Directory environment and Azure where those credentials can be automatically be used to provision Office 365 email accounts, for instance. This type of federation allows Office 365 users to sign in directly to their organizational email accounts directly from outlook.office365.com.
Starting with Windows 10, users will be able to log into Windows using the same organizational account. This is similar to how you can use a Microsoft account (formerly Windows Live ID) right now, but it also brings additional management capabilities along with it. The initial sign-in process can be done right out of the box on new devices without any prior device deployment/management or being part of a domain. Essentially, this will allow users to provision their own devices. MDM policies can be applied to systems, SSO is be enabled for cloud applications (Lync/Skype for Business, Outlook, etc), and OS state roaming is available to synchronize settings (WiFi, wallpaper, OS settings) automatically between devices. Basically, this is the ultimate BYOD scenario.
During the Window setup experience, users will be able to choose “This device belongs to my organization” to sign into Azure AD.
Next, they can use their Azure AD credentials to sign in, just like Office 365.
If a matching tenant is found for the domain, users can proceed to sign in through ADFS or Azure AD.
MDM enrollment happens next.
Now the user would be signed into their organizational account on their Window 10 system. Pretty impressive considering that they provisioned it all by themselves, right? Having a single, federated account for all services and devices has some pretty big potential down the road.
For more information on this new feature in Windows 10, see this blog post on TechNet.