Configure Hybrid Azure AD Join – Part 1: Overview

This is part 1 of a 4-part series on configuring Hybrid Azure AD Join:


What is Hybrid Azure AD Join?

If you're using Office 365 today, or any Microsoft cloud service, you already understand the need for and the benefits of synchronizing your user identities to Azure. Extending your on-premises user accounts into Azure allows you to provide access to cloud services, protect your assets, and optimize the overall experience for the user. Now imagine being able to do the same for your devices. Devices that are joined to and trusted by your on-premises AD domain can be extended to Azure in the same manner, and gain the same benefits. Think of the device as another identity – this is called a Hybrid Azure AD Join.

For more information, take a look at the Ignite 2018 session – Joining devices to Azure Active Directory in a hybrid world – THR2238

Benefits of Hybrid Azure AD Join

There are plenty of reasons to extend your device management into Azure and here are just some of the benefits:

  • Device-based conditional access – you can find an example of this here.
  • Enabling Autopilot for on-premise devices – more information can be found here.
  • First step to adopting Modern Management.
  • Single Sign-On (SSO) to cloud and on-premise apps/resources.
  • Enable features like Enterprise State Roaming and Windows Hello for Business.

Deployment Scenarios

When planning to implement hybrid join, decide which client OS you want to target. Although each has its own set of requirements and considerations, Hybrid Azure AD Join supports both Windows current devices (Windows 10 and Server 2016) and Windows down-level devices (Windows 7, 8.1 and Server 2008 R2, 2012, 2012 R2). When planning your hybrid join deployment, I would suggest reviewing the requirements and considerations for Windows down-level devices before deciding whether they need to be included in the implementation.

Configuring Azure AD Hybrid Join depends on how you manage, or plan to manage, hybrid identity today. There are three different scenarios:

  • Managed domain
  • Federated domain
  • Manual configuration

If you are using a more recent version of the Azure AD Connect tool (version 1.1.819.0 or later), then the configuration process for a managed or a federated domain is very simple. If you are not on this version of the Azure AD Connect tool, I highly suggest upgrading before implementing hybrid join.

Managed domain – follow this scenario if you are using, or looking to use, Pass-through Authentication (PTA) or Password Hash Sync (PHS) with a supported version of the Azure AD Connect tool.

Federated domain – follow this scenario if you are using, or looking to use, Active Directory Federation Services (AD FS) with a supported version of the Azure AD Connect tool.

Manual configuration – if you are not using a supported version of the Azure AD Connect tool and do not plan to upgrade it, or you use a third-party federation service, then you will have to follow the manual configuration path.
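The decision above can be checked rather than eyeballed. The following PowerShell is an added example, not code from the original post: it reads the installed Azure AD Connect version from the standard uninstall registry keys (the display name 'Microsoft Azure AD Connect' is assumed), maps the version and authentication method to one of the three scenarios using the 1.1.819.0 threshold quoted above, and parses `dsregcmd /status` on a Windows 10 client to confirm whether the device actually ended up hybrid joined.

```powershell
# Added example (not from the original post). Run Get-AadConnectVersion on the
# Azure AD Connect server and Get-DeviceJoinState on a domain-joined client.
$MinimumVersion = [version]'1.1.819.0'   # threshold named in the post

function Get-AadConnectVersion {
    # Read the installed Azure AD Connect version from the uninstall keys.
    # Assumes the product's display name is 'Microsoft Azure AD Connect'.
    # Returns $null if it is not installed on this machine.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
           Select-Object -First 1
    if ($app -and $app.DisplayVersion) { return [version]$app.DisplayVersion }
    return $null
}

function Get-HybridJoinPath {
    param(
        [Parameter(Mandatory)][version]$InstalledVersion,
        [Parameter(Mandatory)]
        [ValidateSet('PHS', 'PTA', 'ADFS', 'ThirdPartyFederation')][string]$AuthMethod
    )
    # Mirrors the post: supported version + PHS/PTA -> managed,
    # supported version + AD FS -> federated, anything else -> manual.
    if ($InstalledVersion -lt $MinimumVersion -or $AuthMethod -eq 'ThirdPartyFederation') {
        return 'Manual configuration'
    }
    if ($AuthMethod -eq 'ADFS') { return 'Federated domain' }
    return 'Managed domain'
}

function Get-DeviceJoinState {
    # Parse the 'Key : Value' lines of dsregcmd /status into a hashtable
    # (e.g. DomainJoined, AzureAdJoined, DeviceId, TenantName).
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

# Sync server: which path applies for a tenant using PTA?
$v = Get-AadConnectVersion
if ($v) { "Azure AD Connect $v -> $(Get-HybridJoinPath -InstalledVersion $v -AuthMethod 'PTA')" }
else    { 'Azure AD Connect not installed on this machine' }

# Client: a hybrid joined device reports YES for both of these.
$s = Get-DeviceJoinState
"DomainJoined=$($s['DomainJoined']) AzureAdJoined=$($s['AzureAdJoined'])"
```

A device that shows DomainJoined YES but AzureAdJoined NO has not completed the join yet; that state is what the later parts of the series walk through fixing.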

In the next parts of the series, we will take a deeper look at each of the configuration paths for Hybrid Azure AD Join, as well as at configuring Windows down-level devices.
