Windows 10 includes “Work Access” options, which you’ll find under Accounts in the Settings app. These are intended for people who need to connect to an employer or school’s infrastructure with their own devices. Work Access provides you access to the organization’s resources and gives the organization some control over your device.
These options may seem a bit complicated, but they’re really not. If you need to use Work Access, your organization will give you connection information and explain what you need to do to set things up and gain access to the organization’s resources.
What Are Work Access, Azure AD, and Device Management?
The “Work Access” options are intended for situations where you own your own computer and need to use it to access work or school resources. This is known as a “bring your own device,” or BYOD, scenario. The organization provides an account and various resources to you. These resources can include enterprise apps, certificates, and VPN profiles, for example. You give the organization some control over your device so it can be remotely managed and secured. How much control the organization exerts over your device is up to that specific organization and how its servers are configured.
This is an alternative to joining computers to a domain. Domain-joining is intended for devices an organization owns, while devices owned by employees or students should use Work Access options instead.
There are actually two Work Access options on this screen: Azure AD and Device Management.
- Azure AD: As Microsoft’s Azure documentation explains, Windows 10 allows you to add a “work or school account” to your computer, tablet, or phone. The device is then registered in the organization’s Azure AD server and can be automatically enrolled in a mobile device management system–or not. That part is up to the organization. Administrators can apply different, less-restrictive policies to these personally-owned devices than they would to fully domain-joined employer-owned devices. The account provides single sign-on to work resources and applications.
- Device Management: Azure AD can optionally enroll your device in an MDM, or mobile device management, server. However, you can also directly connect a Windows 10 device to a device management server. The organization that controls the server will then be able to collect information from your computer, control which apps are installed, restrict access to various settings, remotely wipe the device, and do other such things. Organizations also use MDM servers to remotely manage iPhones, iPads, and Android devices, so this allows Windows 10 devices to fit right in.
But you don’t really need to know all that if you need to use Work Access. Your organization will provide information about how to connect. After you connect, your organization can apply the company policies they prefer to your device. You can then access the organization’s resources.
How to Sign In to Azure AD
To sign in to an Azure Active Directory server, open the Settings app, select “Accounts,” select “Your Email and Accounts,” scroll down, and click “Add a Work or School Account” under Accounts Used By Other Apps.
You can also go to Settings > Accounts > Work Access and click “Add a Work or School Account,” but you’ll just be taken to the Your Email and Accounts screen anyway.
Enter the email address provided by your organization and its password to connect with the Azure AD server. The organization will provide information about accessing any resources and explain what you need to do next.
The account you add will appear as a “Work or School Account” under Accounts Used By Other Apps at the bottom of the Settings > Accounts > Your Email and Accounts screen. You can click or tap the account and remove the account from here, if you need to.
On the Azure AD side, your organization can view your connected device, provide resources to it, and apply policies.
How to Enroll in Mobile Device Management
You can also enroll your device in device management, also known as mobile device management or MDM, from here.
To do so, visit Settings > Accounts > Work Access, scroll down, and select “Enroll in to Device Management.”
You’ll be asked to provide the email address you need for the MDM server. You’ll also need to provide the server’s address if Windows can’t automatically discover it. Your organization will provide this server information to you if you need to connect.
To join a traditional Windows domain instead, if your organization provides one, select “Join or leave an organization” under Related Settings at the bottom of the Work Access pane. You’ll be taken to the Settings > System > About pane where you can join your device to a either a domain your organization hosts or a Microsoft Azure AD domain.