Windows 7 offered just two ways to log in: with a local user account or, if the device was joined to a domain, with an Active Directory account. Windows 10, by contrast, supports a much wider variety of sign-in options, largely to support cloud and hybrid cloud scenarios. In this article, I’ll look at the available options for signing in to Windows 10.
Signing in with a local account is still possible in Windows 10. But Microsoft really doesn’t want you to do it. Whether you are installing Windows, running the OOBE setup experience, or configuring a new user account in the Settings app, Microsoft makes it hard for you to set up a local account.
A Microsoft Account is the default way consumers log in to Windows 10. Microsoft Accounts are the accounts associated with Microsoft’s consumer services, like Outlook and Skype, and you need one to use those services. When you log in to Windows 10 with a Microsoft Account, you can access Microsoft’s services without entering your username and password each time. In addition, your files, photos, contacts, and settings can follow you securely to any device where you log in with the same Microsoft Account.
In the same way that Windows 7 could be joined to a domain, Pro, Enterprise, and Education editions of Windows 10 can also be joined to an Active Directory (AD) domain. The only difference is that joining a domain is also exposed in the Accounts section of the Settings app.
You don’t need to join a Windows 10 device to your Azure Active Directory (AAD) domain to use AAD for authenticating to apps and services. But nevertheless, it is possible to perform an ‘AAD Join’. Much like signing in with a Microsoft Account, joining a device to AAD provides a single sign-on experience for apps that rely on AAD for authentication, like Office 365.
AAD Join is intended for scenarios where organizations own the devices and where a management alternative to AD, Group Policy, and System Center is required. Unlike Device Registration, Azure AD Join is only supported on devices running Windows 10. AAD Join can be configured as part of OOBE setup or after installation using the Settings app. When a device is joined to AAD, users enter their AAD email and password directly on the Windows 10 sign-in screen.
In Bring Your Own Device (BYOD) scenarios, users can register devices with Azure AD instead of performing a full join. Azure AD Device Registration provides single sign-on and seamless multi-factor authentication for apps and services that use AAD. Users can also access on-premises apps via an on-site Web Application Proxy (WAP) and the ADFS Device Registration Service (DRS) with the help of Azure AD Device Writeback. Enrollment with Mobile Device Management (MDM) is optional.
Devices registered with Azure AD get an identity that’s used to authenticate them when users sign in. AAD can access device attributes for implementing device-based conditional access, making sure certain device requirements are met before issuing security tokens for applications. When a device is registered with AAD, users enter their local, AD domain, or Microsoft Account credentials on the Windows 10 sign-in screen but their AAD account is connected to the user profile.
Workplace Join has been replaced by Device Registration in Windows 10. Workplace Join allows computers running Windows 7 and Windows 8.1 to register with on-premises Active Directory via Active Directory Federation Services (ADFS). You can download the Workplace Join client from Microsoft’s website. Device Registration works in Windows 10 and Windows 8.1. And unlike Azure AD Join, Azure AD Device Registration works on Windows, Android, and iOS.
If you have an on-premises Windows Server Active Directory domain, you can also register devices with AAD to take advantage of conditional access to ensure that users are accessing resources from devices that meet your security requirements. You can use Azure AD Connect to configure Hybrid AAD Join. AD-joined devices can also be automatically registered with AAD.
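The join states described above (AD domain joined, Azure AD joined, Hybrid Azure AD joined, or merely Azure AD registered) can be told apart on a Windows 10 device from the output of the built-in `dsregcmd /status` tool. The PowerShell below is an added example, not code from the article or from Microsoft; it parses the `Key : Value` lines that `dsregcmd` prints and classifies the device. The sample output it runs against is constructed for offline demonstration, and the `Get-DeviceJoinState` function name is my own.

```powershell
# Added example: classify a Windows 10 device's join state from "dsregcmd /status".
# dsregcmd.exe ships with Windows 10; the field names AzureAdJoined, DomainJoined
# and WorkplaceJoined are the ones it prints. The function name is hypothetical.
function Get-DeviceJoinState {
    param(
        # Lines of dsregcmd /status output. By default, run the tool on this machine.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # Collect "Key : Value" pairs; the box-drawing and header lines contain no colon
    # and are skipped by the pattern.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(\S.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }

    $azureAd   = $fields['AzureAdJoined']   -eq 'YES'
    $domain    = $fields['DomainJoined']    -eq 'YES'
    $workplace = $fields['WorkplaceJoined'] -eq 'YES'   # Azure AD registered (Device Registration)

    # AAD joined + AD domain joined at the same time is the Hybrid Azure AD Join state
    # that Azure AD Connect configures.
    $state = if ($azureAd -and $domain) { 'Hybrid Azure AD joined' }
             elseif ($azureAd)          { 'Azure AD joined' }
             elseif ($domain)           { 'AD domain joined' }
             elseif ($workplace)        { 'Azure AD registered (Device Registration)' }
             else                       { 'Not joined or registered (local or Microsoft Account sign-in only)' }

    [pscustomobject]@{
        JoinState       = $state
        AzureAdJoined   = $azureAd
        DomainJoined    = $domain
        WorkplaceJoined = $workplace
        TenantName      = $fields['TenantName']
    }
}

# Constructed sample resembling dsregcmd /status output for a hybrid-joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Example Tenant (constructed)

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

# Run against the constructed sample; omit -StatusLines to inspect the local machine.
Get-DeviceJoinState -StatusLines $sample
```

Running the function without `-StatusLines` on a real device is a quick way to confirm that Azure AD Connect actually produced a Hybrid Azure AD Join (both `AzureAdJoined` and `DomainJoined` report `YES`) rather than leaving the device only domain joined or only Azure AD registered, which matters when conditional access policies are scoped to device state.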
Windows 10 version 1809 supports Web Sign-In for devices that are joined to Azure AD. Web Sign-In provides support for non-ADFS federated providers that use Security Assertion Markup Language (SAML). Web Sign-In must be enabled in policy for it to appear as an option on the Windows 10 sign-in screen.
In this article, I described the different ways users and devices can authenticate in Windows 10.