Create Provisioning Package for Azure AD
Enable bulk enrollment of Windows devices to Entra ID.
Overview
This guide explains how to create a provisioning package enabling Windows 10 and Windows 11 devices to bulk join Entra ID, with instructions for testing before uploading to the Cloudiway portal.
Provisioning Package Workflow
Prerequisites
- Windows Configuration Designer (WCD) must run on a device already joined to the target Azure AD tenant
- Install WCD from Microsoft Store
Package Creation Steps
Launch WCD
Open Windows Configuration Designer and select "Provision Desktop Devices"
Enter Project Details
Name your project and confirm settings
Setup Device
Configure naming convention (example: CIW-%RAND:5%)
Setup Network
Configure WiFi settings if needed for enrollment
Account Management
- Select "Enroll in Azure AD"
- Set token expiration matching deployment end date
- Click "Get Bulk Token" (redirects to browser for Azure AD login)
- Generate the token
- Optionally configure local admin account
Skip Optional Steps
Skip Applications and Certificates unless needed
Create Package
Complete and generate the provisioning package file
Testing the Package
Before Using in Cloudiway
Manually test the package on a device to verify successful Azure AD join.
Verify Join Status
After reboot, run this command in command prompt:
dsregcmd.exe /status
MFA Policy Configuration
Critical: Exclude Provisioning Account
If automatic enrollment for Windows devices is enabled, create an MFA exclusion for the provisioning account to prevent immediate device deletion due to non-compliance.
Steps
1. Edit the MFA Conditional Access policy
2. Add the provisioning account to exclusions
3. Save the policy changes
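The join check from "Verify Join Status", scripted as an added example (not part of the original guide or Cloudiway's tooling): it parses the `dsregcmd.exe /status` output and confirms that `AzureAdJoined` is `YES` and that the device landed in the intended tenant. The tenant ID is a placeholder and the sample output is constructed; the function names are hypothetical.

```powershell
# Added example. $ExpectedTenantId is a placeholder: set it to the target tenant's ID.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES"; banner lines do not match.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s+:\s+(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-EntraJoin {
    param([hashtable]$State, [string]$TenantId)
    # Emit one message per failed check; no output means the join looks correct.
    if ($State['AzureAdJoined'] -ne 'YES') {
        "AzureAdJoined is '$($State['AzureAdJoined'])', expected 'YES'"
    }
    if ($State['TenantId'] -ne $TenantId) {
        "TenantId is '$($State['TenantId'])', expected '$TenantId'"
    }
}

# Constructed sample output so the script can be tried off-device.
# On the provisioned device use instead: $lines = dsregcmd.exe /status
$lines = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
              DomainJoined : NO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $lines
$problems = @(Test-EntraJoin -State $state -TenantId $ExpectedTenantId)
if ($problems.Count -eq 0) { 'Join verified' } else { $problems; exit 1 }
```

Checking the tenant ID as well as the join flag catches a package built with a bulk token from the wrong tenant before it is uploaded to the Cloudiway portal.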