To this day a hybrid environment (connecting your on-premises AD with Azure AD) is considered the gold standard by many and is widely used by a lot companies and organizations. Show
There’s a reason for it. You’re getting the best of both worlds: high scalability and flexibility without making your security suffer, great device management both on-prem and in the cloud, Line of Business application support, and more… If you’re one of the people who has wisely chosen to use this infrastructure model, then you will definitely benifit from something called Hybrid Azure AD Join. Now… I know, the word is quite a mouthful, but once you get to know this useful tool you will see how much it can help with managing devices in a hybrid environment. What is Hybrid Azure AD joinWhen you ‘Hybrid join’ a device, it means that it is visible in both your on-premises AD and in Azure AD. Now you can manage them in both as well. This way, you are able to use tools such as Single Sign-On and Conditional Access while still being able to apply GPO’s and other on-prem utilities.Furthermore, by enrolling them in Intune, you will be able to manage the devices even more and give them some extra cloud capabilities. Setting up Hybrid Azure AD joinLet’s start looking into how we will set up Hybrid Azure AD join. First we’ll look into the requirements for this particular demo and then we’ll look at how to get it to work. In Part two we will cover how to automatically enroll devices in Intune and how to then test them. RequirementsOur test-environment will consist of:
You also want to make sure you have access to both an on-prem Administrator and an Azure AD Global Administrator. If you want to further test your Hybrid Azure AD joined device of its capabilities after setup, an Intune license is needed. Configure Azure AD ConnectFirst step is to open up your Azure AD Connect: After that you will see a whole list of options you can configure, the one we’re looking for is: Configure device options. After that, click Next on the Overview page. You will now be prompted to enter your Azure AD Global Administrator credentials, fill those in. Now, you guessed it, select Configure Hybrid Azure AD join. After that, select the forests you want to configure in the SCP configuration screen: Finally click Configure and, after a little wait, you’ll be greeted with this beautiful sight: Checking our configurationNow we have to make sure that our configuration of Hybrid Azure AD join was succesful. Since Windows 10 devices are hybrid joined automatically, the most valuable tool we have is our patience. Speaking from experience, this could take quite some time (at least 5 minutes or more). Reboot your device and go ahead and get yourself a nice cup of coffee, you earned it! Seriously though, there are multiple ways we can check if our device is hybrid joined. Open the command prompt and enter: dsregcmd /status If it says AzureAdJoined : YES, then you’re halfway there! If it still says NO after rebooting and waiting 10 more minutes, try following this troubleshooting guide. Key here is to check Event Viewer logs for errors and figure out what went wrong (Hybrid Join logs are located under Applications and Services Log > Microsoft > Windows > User Device Registration). Now to check in the Azure AD device list. Try rebooting and log in/out a few times to give this process a little push. Once the device is registered, you’re done! You can now manage your device in both your on-prem AD and your Azure AD. If you want to know how to auto-enroll devices through a GPO and then manage them in Intune, be sure to check out Part two.
In our previous post, we covered how to set up computers using Windows Autopilot. While the main scenario is to join computers to Azure AD, leaving the on-prem domain aside is for sure not realist in many cases. Microsoft has added the ability to join the On-prem domain as part of the Autopilot setup. This feature is still currently in Preview, but worth testing and checking it out. In this post, we will detail the requirements and how to configure Azure and on-prem AD to allow Hybrid AD to join computers. Intune Autopilot Hybrid AD joined computers allows seamless integration. This post is part of a series on Windows Autopilot that will be published in the following weeks. In the next posts, we will cover the following subjects : Intune Autopilot Hybrid AD joined Requirements
High-level steps
Delegate Active Directory rightsBefore we move on to set up the AD delegation, the server that will be used to host the Intune Connector needs to be chosen. This server requires to run Windows Server 2016. Because will be delegating rights on an OU, we created a new one. This is not mandatory to have a dedicated OU.
Install and configure the Intune ConnectorThe server that will have the Intune connector must be running Windows Server 2016, have internet access and can talk to the Active Directory
Configure Autopilot profile for Intune Hybrid AD joinedIf you currently have an Autopilot profile to Azure AD join, it will not be possible to modify it. So we’ll create a new one.
Create Domain Join configuration profileOnce the Autopilot configuration is completed, we need to create a Device configuration profile with the domain specific informations.
Testing the Intune Hybrid AD joinedAs mentioned earlier, the computer must be connected to the on-prem network and can access the domain before we initiate a reset. After completing the OOBE section, we can see under Intune/Devices that this specific device as the Device Configuration – Domain join with a state of Succeeded! Under Azure AD/Devices our new computer is now Hybrid Azure AD joined instead of simply Azure AD joined! Because SCCM is also on our domain, it automatically push out the SCCM agent. This means that the Co-Management must be up and running in order to fully complete the process from Intune, for example, to push default applications. Bottom line notesHere’s a few observations while testing the Hybrid AD join. Double computer with the same name While we haven’t found a clear statement on this, it seems normal that 2 computers with the same name are store in Azure AD. BitLocker recovery keys In our previous post, we stated that the recovery keys are stored under the Intune device/ Monitor/Recovery Keys. When doing the Hybrid AD join, this isn’t the case. The BitLocker recovery key will be stored on the on-prem AD object. Is this a feature? a bug? We don’t know… For more details about Hybrid AD with Autopilot, see Microsoft docs [ratings] |