What is Entra ID Enterprise State Roaming?


In today’s Ask the Admin, I’ll walk you through the Microsoft Entra ID Enterprise State Roaming (ESR) feature, which is available to customers with a Microsoft Entra ID Premium subscription. Enterprise State Roaming simplifies settings synchronization across devices.

If your organization uses Microsoft Entra ID (Azure AD), or Azure AD and Windows Server Active Directory, Enterprise State Roaming brings the ability to sync user settings and app data between devices, much like what is provided in Windows 10 by using a Microsoft Account and OneDrive.

Sync your settings in the Windows 10 Settings app with Microsoft Entra ID Enterprise State Roaming (Image Credit: Russell Smith)

Azure AD is the directory services cloud-based sibling of Windows Server Active Directory. It provides a subset of AD’s features to customers in the cloud. ESR can be used in conjunction with Azure AD to provide the benefits of synchronized settings, as enjoyed by consumers using Microsoft Accounts, but with the extra security required by business. For more information, see Join Windows 10 to Microsoft Entra ID on the Petri IT Knowledgebase.

Unlike consumer synchronization capabilities in Windows, Enterprise State Roaming gives organizations the control needed to make sure data stays safe, and that it is separated from consumer account data. ESR settings and app data are stored in an Azure region that’s selected based on the country associated with the Microsoft Entra ID tenant, and ESR provides control and visibility over who is syncing what.

ESR uses Azure Rights Management (Azure RMS) to ensure that data is encrypted before it leaves Windows, and that it remains encrypted at rest in the cloud; the only exception is the namespaces that represent settings names and modern Windows app names, which are not encrypted. A separate subscription for Azure RMS isn’t required to use Enterprise State Roaming.

Windows 10 devices – Version 1511, Build 10586 or greater – joined to Azure AD can still have Microsoft Accounts. But OS settings and app data will only roam with the primary Azure AD account, although Microsoft plans to add multiple identity support in a future version of Windows. Equally, logging into a personal device using a Microsoft Account doesn’t support syncing of roaming data for apps purchased using an Azure AD account.

How to Enable Enterprise State Roaming in Microsoft Entra ID

To enable Enterprise State Roaming, follow the instructions below.

  • Log in to the Azure management portal.
  • Scroll down the menu on the left and click Active Directory.
  • Select a directory on the right and switch to the CONFIGURE tab.
  • If your region and subscription support ESR, you’ll see USERS MAY SYNC SETTINGS AND ENTERPRISE APP DATA under the available settings.
  • From there you can select ALL, SELECTED or NONE, which is the default setting.

ALL allows you to enable ESR for all users, and SELECTED allows you to choose specific users or groups.

  • Once you’ve picked the desired setting, click SAVE to finalize the Enterprise State Roaming setup.

User synchronization settings can be set under Accounts in the Windows 10 Settings app.
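To check the device side of “who is syncing what”, here is an added PowerShell audit script (example code, not from the article): it reads the Settings Sync Group Policy values on a Windows 10 device and reports, per category, whether roaming is blocked by policy, allowed by policy, or left to the user’s choice in the Settings app. The key path, value names and the meaning of the values (2 = blocked) are taken from the Windows “Sync your settings” policy template and are assumptions not stated in the article.

```powershell
# Added example (not from the article): audit the Windows Settings Sync policy
# that governs what an Entra ID / Azure AD joined device is allowed to roam.
# Assumptions: values live under the SettingSync policy key written by the
# "Sync your settings" Group Policy template; a Disable* value of 2 means the
# category is blocked by policy, absent or 0 means the user's choice applies.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'

# Policy value names for the master switch and each sync category
# (assumed to match the SettingSync ADMX template).
$Categories = [ordered]@{
    'All settings (master switch)' = 'DisableSettingSync'
    'Application settings'         = 'DisableApplicationSettingSync'
    'App sync (Store apps)'        = 'DisableAppSyncSettingSync'
    'Credentials / passwords'      = 'DisableCredentialsSettingSync'
    'Desktop theme'                = 'DisableDesktopThemeSettingSync'
    'Personalization'              = 'DisablePersonalizationSettingSync'
    'Start layout'                 = 'DisableStartLayoutSettingSync'
    'Web browser settings'         = 'DisableWebBrowserSettingSync'
    'Windows settings'             = 'DisableWindowsSettingSync'
}

function Get-SettingSyncPolicyReport {
    [CmdletBinding()]
    param([string]$Key = $PolicyKey)

    # Read the whole policy key once; a missing key means nothing is configured.
    $props  = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    $master = if ($props) { $props.DisableSettingSync } else { $null }

    foreach ($entry in $Categories.GetEnumerator()) {
        $value = if ($props) { $props.($entry.Value) } else { $null }
        $state = switch ($value) {
            2       { 'Blocked by policy' }
            0       { 'Allowed by policy' }
            default { 'Not configured (user choice applies)' }
        }
        # The master switch overrides every individual category when it is 2.
        if ($master -eq 2 -and $entry.Value -ne 'DisableSettingSync') {
            $state = 'Blocked by master switch'
        }
        [pscustomobject]@{
            Category  = $entry.Key
            ValueName = $entry.Value
            RawValue  = $value
            State     = $state
        }
    }
}

Get-SettingSyncPolicyReport | Format-Table -AutoSize
```

Reading the policy key does not require elevation, so the report can be collected from a standard user session or pushed out through your management tooling to confirm that the device-side policy matches what you enabled in the directory.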

FAQs

What are the licensing requirements for Enterprise State Roaming beyond Azure AD Premium?

Enterprise State Roaming requires Windows 10 Enterprise, Education, or Microsoft 365 Business licenses in addition to Azure AD Premium. Organizations must ensure all devices accessing Enterprise State Roaming features have compatible licensing.

Can Enterprise State Roaming work in hybrid cloud environments?

Yes, Enterprise State Roaming can function in hybrid environments where organizations maintain both on-premises Active Directory and Azure AD through federation. This enables seamless state roaming while maintaining existing infrastructure.

What bandwidth considerations should be made when implementing Enterprise State Roaming?

Enterprise State Roaming synchronization requires consistent network connectivity. Organizations should plan for additional bandwidth usage, especially during initial sync periods and when many users are simultaneously roaming settings across devices.

How does Enterprise State Roaming handle conflicts when multiple devices sync simultaneously?

Enterprise State Roaming uses a “last writer wins” conflict resolution policy. When conflicting changes occur from different devices, the most recent change is preserved and synchronized across all devices in the roaming set.

What recovery options are available if Enterprise State Roaming settings cause issues?

Enterprise State Roaming maintains multiple backups of synced settings. Administrators can restore previous versions through the Azure portal, and users can reset their sync data through Windows settings if problematic configurations occur.