Disclosed are various approaches for preauthorizing the joining of a client device to a domain managed by a cloud-based directory service. An authorization token can be generated prior to a client device joining the domain. The authorization token can be subsequently installed on a client device at an OEM facility. When a user first logs into the client device, the client device can send the authorization token to the cloud-based directory service in lieu of administrative credentials to prove that the client device has been previously authorized to join the domain.