Enterprise State Roaming – everything’s possible when Azure AD and Windows 10 work together

Starting with Windows 8.1 I noticed that when I change my laptop, most of the settings and favourites will be there on the new device. This was a great thing! However, I asked myself if this would be possible also when changing my company laptop. With Azure AD and Windows 10 this is now possible, using a new feature called Enterprise State Roaming. 

The preview for Enterprise State Roaming was rolled out a few weeks back and general availability still needs to be announced. Some of the main benefits of this new service are:

  • Separation of corporate and consumer data – No mixing of enterprise data in a consumer cloud account or consumer data in an enterprise cloud account.
  • Enhanced security – All the data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and all content stays encrypted at rest in the cloud, except for the namespaces, such as settings names and Windows app names. By the way, you don’t need a separate paid Azure RMS subscription to use this service: Microsoft provides a free, limited-use Azure RMS service restricted to Enterprise State Roaming.
  • Better management – More control and visibility over who syncs settings in your organization and on what devices.

In Windows 8 and 8.1 the OS settings were synced through the connected Microsoft Account and stored on OneDrive. Enterprise State Roaming, on the other hand, relies on Azure AD Join, so all settings are synced through the work or school account (Azure AD account) and stored in Azure storage. The main idea is a total segregation of personal and corporate data. Note that in this scenario you need to sign in to the device with your Azure AD account.

You can still add a secondary, personal Microsoft account, but keep in mind that OS settings are always synced using your primary account. So if your primary account is a work or school account (Azure AD account), your OS settings are synced via Enterprise State Roaming and stored in Azure storage. If your primary account is a personal Microsoft account, your OS settings are synchronized to your consumer OneDrive account.

As for application data, note that this type of data is synced based on the identity used to acquire the app. So, if you purchased your app from the Windows Store for consumers, app data is synchronized through your Microsoft account. If your app was acquired from your Company Portal, for example, app data is stored in Azure storage using Enterprise State Roaming.

What we have here is basically a total separation of the personal security realm and the corporate security realm, and this separation is always made based on the account you use to sign in.

If you want to go into more detail, you may want to read the Azure AD blog post that describes Enterprise State Roaming more fully. This is a very cool new feature that basically brings the cloud to enterprises, allowing them to create a great end-user experience using the power of the cloud.

Dan Patrascu-Baba

Partner Technical Consultant at Microsoft
Azure PaaS and dev consultant, working for Microsoft. Mostly dealing with Microsoft Azure services, ASP.Net Core, AngularJS, Javascript. Helping partners and customers to write good code and to architect their cloud and hybrid solutions.
