Managing device settings

Azure AD offers you the ability to ensure that users are accessing Azure resources from devices that meet corporate security and compliance standards. Device management is the foundation for device-based conditional access and is where you can ensure that access to the resources in your environment is only possible from managed devices.

Device settings can be managed from the Azure portal. To manage your device settings, your device needs to be registered or joined to Azure AD.

To manage your device settings from the Azure portal, follow these steps:

  1. Navigate to the Azure portal by going to https://portal.azure.com.
  2. From the left menu, select Azure Active Directory.
  3. In the Azure AD Overview blade, under Manage, select Devices.
  4. The Device management blade will open. Here, you can configure your device management settings, locate your devices, perform device management tasks, and review the device management-related audit logs.
  5. To configure device settings, select Device settings from the left menu. Here, you can configure the following settings, which can be seen in the following screenshot:
    • Users may join devices to Azure AD: Here, you can set which users can join their devices to Azure AD. This setting is only applicable to Azure AD Join on Windows 10.
    • Additional local administrators on Azure AD joined devices: Here, you can select the users that are granted local administrator permissions on a device. The users that are selected here are automatically added to the device administrator's role in Azure AD. Global administrators in Azure AD and device owners are granted local administrator rights by default (this is an Azure AD Premium option).
    • Users may register their devices with Azure AD: This setting needs to be configured to allow devices to be registered with Azure AD. There are two options here: None, that is, devices are not allowed to register when they are not Azure AD joined or hybrid Azure AD joined, and All, that is, all devices are allowed to register. Enrollment with Microsoft Intune or Mobile Device Management (MDM) for Office 365 requires registration. If you have configured either of these services, All is selected and None is not available.
    • Require multi-factor authentication to join devices: Here, you can set that users are required to perform MFA when registering a device. Before you can enable this setting, MFA needs to be configured for the users that register their devices.
    • Maximum number of devices: This setting allows you to select the maximum number of devices that a user can have in Azure AD.

Device settings overview
  6. To locate your devices, under Manage, select All devices. Here, you will see all the joined and registered devices, as follows:

Located devices
  7. You can also select the different devices from the list to get more detailed information about the device in question. Here, global administrators and cloud device administrators can Disable or Delete the device, as follows:

Device information
  8. For audit logs, under Activity, select Audit logs. From here, you can view and download the different log files. You can also create filters to search through the logs, as follows:

Audit logs
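
The audit logs downloaded in the last step can also be reviewed offline for device changes. The following Python code is an added example, not code from the book: it assumes a JSON export whose field names follow the Microsoft Graph directoryAudit resource and that the activity names (Add device, Update device, Delete device) match those in your tenant's export. The sample records and the `add_threshold` review value are constructed.

```python
import json
from collections import Counter

def _rec(ts, activity, upn, device, props=(), result="success"):
    """Build one constructed record shaped like a Graph directoryAudit entry."""
    return {"activityDateTime": ts, "category": "Device", "result": result,
            "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": device,
                                 "modifiedProperties": list(props)}]}

# Constructed sample export; the activity names are assumptions to verify.
SAMPLE_EXPORT = json.dumps([
    _rec("2024-01-10T09:00:00Z", "Add device", "alice@contoso.example", "LAPTOP-01"),
    _rec("2024-01-10T09:05:00Z", "Add device", "alice@contoso.example", "LAPTOP-02"),
    _rec("2024-01-10T10:00:00Z", "Add device", "bob@contoso.example", "PHONE-01"),
    _rec("2024-01-10T11:00:00Z", "Add device", "carol@contoso.example", "TABLET-01",
         result="failure"),
    _rec("2024-01-11T08:00:00Z", "Update device", "admin@contoso.example", "LAPTOP-02",
         props=[{"displayName": "AccountEnabled", "newValue": "[false]"}]),
    _rec("2024-01-11T08:05:00Z", "Update device", "admin@contoso.example", "LAPTOP-01",
         props=[{"displayName": "DisplayName", "newValue": '["LT-01"]'}]),
    _rec("2024-01-12T08:00:00Z", "Delete device", "admin@contoso.example", "PHONE-01"),
])

def _disabled(target):
    """True if this target shows AccountEnabled being changed to false."""
    return any(p.get("displayName") == "AccountEnabled"
               and "false" in str(p.get("newValue")).lower()
               for p in target.get("modifiedProperties") or [])

def review_device_audit(raw_json, add_threshold):
    """Return (users with more successful adds than add_threshold, actions)."""
    adds, actions = Counter(), []
    for rec in json.loads(raw_json):
        if (str(rec.get("category")).lower() != "device"
                or str(rec.get("result")).lower() != "success"):
            continue  # skip other categories and failed operations
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        actor = user.get("userPrincipalName") or "unknown"
        activity, when = rec.get("activityDisplayName"), rec.get("activityDateTime")
        if activity == "Add device":
            adds[actor] += 1
        for target in rec.get("targetResources") or []:
            name = target.get("displayName") or "unknown"
            if activity == "Delete device":
                actions.append((when, actor, "deleted", name))
            elif activity == "Update device" and _disabled(target):
                actions.append((when, actor, "disabled", name))
    return {u: n for u, n in adds.items() if n > add_threshold}, sorted(actions)
```

Run against the sample with `add_threshold=1`, it reports the user with two successful device additions and lists the disable and delete actions with the administrator who performed them.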

Now, we have looked at all the different management and configuration options for devices that are registered or joined to Azure AD. In the next section, we are going to learn how to add custom domains to Azure AD.
