
Hybrid vs Azure AD Join

When organizations are starting their journey to the cloud, they are most likely starting off by joining their Windows 10 machines to both their local Active Directory domain and Azure Active Directory in a Hybrid Azure AD Join. That way, they can enjoy the power of the cloud, while keeping all the legacy applications that depend on AD DS running.

If you are running Hybrid Azure AD Joined devices, should you care about joining devices to Azure Active Directory?

The very simple answer is: ‘yes, you should’. Joining your machines to Azure AD has a plethora of benefits over Hybrid Azure AD Join.

Advantages

The first advantage is pretty obvious: as you don’t join to the local domain anymore, computers have no need to be in line of sight of a domain controller. As more users are working from home, being able to sign in from home and authenticate to Azure AD is a huge benefit. It enables users to change their password without the need to be connected to the domain and makes sure a computer never loses its domain connectivity.

Secondly, a lot of Microsoft’s latest products were created with Azure AD in mind and work much better this way. Two important features are:

  • Windows Autopilot
  • Windows Hello for Business

Both support a hybrid setup, but setting it up can be a real pain in the ass. They require a bunch more prerequisites and tend to be more error prone than their cloud counterparts.

The last advantage might not be that obvious, but joining your computers to AAD will mix things up and make it more difficult for attackers to move laterally between computers. It is possible, but it’s a bit trickier than doing it on a local domain. Granted, the attackers will catch up soon, but it’s a small benefit 🙂

Co-Existence

After saying this, I get the following remark a lot:

We still require our on-premises domain to authenticate to our servers and fileshares.

A lot of companies think that an Azure AD Join and local domain cannot go hand-in-hand, while in fact they work perfectly together.

As long as your users are created in your local domain and synced with Azure AD Connect, your users are able to access on-premises resources through SSO.
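A quick way to confirm that this SSO actually works on a given device is to check the join state and then look for an on-premises Kerberos ticket in the user's session. The script below is an added example, not code from the original post: it parses `dsregcmd /status` for the join fields and `klist` for a `krbtgt` ticket; the realm `CORP.EXAMPLE.COM` is a placeholder for your own AD DS domain.

```powershell
# Added example (not from the original post): verify that an Azure AD joined
# device still obtains on-premises Kerberos tickets for SSO to AD DS resources.
# Run in the signed-in (synced) user's session on a Windows 10 device.
# 'CORP.EXAMPLE.COM' is a placeholder for your on-prem Kerberos realm.

function Get-DsregState {
    # dsregcmd /status prints "Key : Value" lines; keep only the fields needed here.
    $raw = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-OnPremSso {
    param([Parameter(Mandatory)][string]$Realm)
    # klist lists the Kerberos tickets cached for the current logon session.
    # A krbtgt ticket for the on-prem realm means the synced user authenticated
    # to AD DS, even though the device itself is not domain joined.
    $tickets = klist
    $tgt = $tickets | Where-Object { $_ -match "krbtgt/$([regex]::Escape($Realm))" }
    return ($null -ne $tgt -and @($tgt).Count -gt 0)
}

$state = Get-DsregState
"AzureAdJoined : $($state.AzureAdJoined)"
"DomainJoined  : $($state.DomainJoined)"
"AzureAdPrt    : $($state.AzureAdPrt)"

if ($state.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined; nothing to check.'
} elseif (-not (Test-OnPremSso -Realm 'CORP.EXAMPLE.COM')) {
    # Tickets are only requested on first use: open a domain file share and re-run.
    Write-Warning 'No on-prem TGT cached yet. Access a domain resource and re-run; if it still does not appear, the user is not synced or no domain controller is reachable.'
} else {
    'On-prem Kerberos TGT present: SSO to AD DS resources works from this AAD joined device.'
}
```

The check deliberately looks at the `krbtgt` entry rather than at a specific service ticket, because the ticket-granting ticket is the one artefact that proves the AD DS authentication itself succeeded; service tickets come and go per resource.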

Co-Management with MEMCM

As Azure AD has no built-in replacement for GPOs, they need to be replaced somehow (I really don’t recommend joining computers to AAD without having a central form of management). The obvious replacement is Intune, as it’s Microsoft’s cloud-native product that enables management of both Windows 10 and mobile devices.

Intune has come a long way these last few years, but still isn’t up to par with its big brother Configuration Manager. Intune is perfect for small and medium companies, but some companies need a more granular form of management that Intune doesn’t offer.

By deploying the CM client to the Windows 10 device from Intune, we can reach a co-management state without the need for an on-premises domain. This way, the device is joined to AAD, but can be managed by both Intune and MEMCM.

With co-management, you can still use your MEMCM policies on your new devices. As a bonus, you can push configuration items and baselines to devices if you have to manage settings that cannot be accessed easily by Intune.
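To see whether a device has reached the state described above (Azure AD joined, enrolled in Intune, and running the Configuration Manager client pushed from Intune), the following added example, which is not code from the original post, reads the local enrollment and client state. It assumes the Intune enrollment is recognisable by a `ProviderID` of `MS DM Server` under `HKLM:\SOFTWARE\Microsoft\Enrollments`, and that the client writes its co-management state to `HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags`; treat both paths as assumptions to verify against your client version.

```powershell
# Added example (not from the original post): report Intune enrollment and
# Configuration Manager client state on a Windows 10 device.
# Assumptions: Intune MDM enrollment carries ProviderID 'MS DM Server' under
# HKLM:\SOFTWARE\Microsoft\Enrollments; the co-management state is stored in the
# CoManagementFlags value under HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags.

function Test-IntuneEnrollment {
    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $enrollRoot)) { return $false }
    # Each enrollment is a GUID-named subkey; the MDM one names Intune's provider.
    $mdm = Get-ChildItem $enrollRoot -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }
    return ($null -ne $mdm)
}

function Get-CmClientState {
    # CcmExec is the Configuration Manager client service.
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $flags = $null
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags'   # assumption, see lead-in
    if (Test-Path $key) {
        $flags = (Get-ItemProperty $key -ErrorAction SilentlyContinue).CoManagementFlags
    }
    [pscustomobject]@{
        ClientInstalled   = ($null -ne $svc)
        ClientRunning     = ($null -ne $svc -and $svc.Status -eq 'Running')
        CoManagementFlags = $flags
        # Lowest bit set once co-management is enabled on the client (assumption).
        CoManagementOn    = ($null -ne $flags -and ($flags -band 1) -eq 1)
    }
}

$cm = Get-CmClientState
$report = [pscustomobject]@{
    IntuneEnrolled    = Test-IntuneEnrollment
    CmClientInstalled = $cm.ClientInstalled
    CmClientRunning   = $cm.ClientRunning
    CoManagementOn    = $cm.CoManagementOn
}
$report | Format-List

if ($report.IntuneEnrolled -and -not $report.CmClientInstalled) {
    Write-Warning 'Intune-managed only: the CM client has not been deployed from Intune (or has not installed) yet.'
} elseif ($report.CmClientInstalled -and -not $report.CoManagementOn) {
    Write-Warning 'CM client present but co-management not enabled: check the co-management settings in MEMCM.'
}
```

Running this from an Intune PowerShell script or a CM compliance rule gives you a per-device view of where the rollout is stuck: no enrollment, client missing, or client present but not yet co-managed.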

Migration

Migrating from a local domain to Azure AD means stepping out of the local domain, logging in with a local admin and joining to Azure AD.

Because the SID of an on-prem user and that of a cloud user are different, a new user profile will be created when the user logs in with their AAD credentials. This makes migrating users to AAD somewhat tricky.
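The following added example, which is not code from the original post, makes that SID difference visible on a machine: it lists every profile from the `ProfileList` registry key, classifies the owning SID (Azure AD accounts sit under the `S-1-12-1` authority, AD DS and local accounts under `S-1-5-21`), and pairs up profiles that appear to belong to the same person so you can see whose data still has to be carried across. The pairing relies on the profile folder name with any trailing `.SUFFIX` stripped, which is an assumption about how Windows names the second profile and may need adjusting for your naming scheme.

```powershell
# Added example (not from the original post): show why a migrated user gets a new
# profile. Windows keys profiles by SID; Azure AD identities use the S-1-12-1
# authority, AD DS and local accounts use S-1-5-21-<domain>-<RID>, so the same
# person ends up with two unrelated profiles. Run elevated on a Windows 10 device.

function Get-SidKind {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -like 'S-1-12-1-*') { return 'AzureAD' }
    if ($Sid -like 'S-1-5-21-*') { return 'ADDS-or-Local' }  # domain and local accounts share this authority
    return 'WellKnown'                                        # system profiles such as S-1-5-18/19/20
}

function Get-UserProfileSummary {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem $profileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        # Profile size helps estimate the migration effort per user.
        $sizeMB = $null
        if (Test-Path $path) {
            $bytes = (Get-ChildItem $path -Recurse -Force -File -ErrorAction SilentlyContinue |
                      Measure-Object Length -Sum).Sum
            $sizeMB = [math]::Round(($bytes / 1MB), 1)
        }
        [pscustomobject]@{
            Sid         = $sid
            Kind        = Get-SidKind -Sid $sid
            ProfilePath = $path
            SizeMB      = $sizeMB
        }
    }
}

function Find-DuplicateProfiles {
    param([Parameter(Mandatory)][object[]]$Profiles)
    # Assumption: when a folder name is taken, Windows appends a suffix such as
    # '.CORP' or '.AzureAD'; comparing the name without its last dotted suffix
    # therefore groups the old and the new profile of one person together.
    $Profiles |
        Where-Object { $_.Kind -ne 'WellKnown' } |
        Group-Object { (Split-Path $_.ProfilePath -Leaf) -replace '\.[^.]+$', '' } |
        Where-Object { $_.Count -gt 1 }
}

$profiles = Get-UserProfileSummary
$profiles | Format-Table Sid, Kind, SizeMB, ProfilePath -AutoSize

# Users that already have both an AD DS and an Azure AD profile on this machine:
# their data and settings still need to be moved to the new profile.
Find-DuplicateProfiles -Profiles $profiles |
    ForEach-Object { "$($_.Name): $($_.Group.Kind -join ', ') ($($_.Group.SizeMB -join ' MB, ') MB)" }
```

Collected centrally (for example through an Intune script that writes the output somewhere you can query), the per-user profile sizes give a reasonable picture of how heavy a full migration would be and support the slower, new-machines-first approach discussed below.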

There are some tools on the market which can automate the migration of the data and settings to the new user profile:

Personally, I am a fan of a more granular approach, as the impact of such a migration can be pretty big. I recommend migrating to an Azure AD Join at a slower pace by joining new machines to AAD while leaving the existing machines alone.
This way, the impact on the user is minimal and it gives you time to work out the kinks with the new management system.

Summary

Obviously joining all your machines to Azure AD isn’t right for every organization, but there are a lot of benefits to it.

In my opinion, every organization should assess this move and weigh the advantages.
