Thought I’d make some notes around Azure AD Hybrid while the details are all bouncing around in my head.
What is Azure AD Hybrid?
A Windows device can be Domain joined, where you change it from a WorkGroup to a domain and authenticate against a domain controller, and the computer object gets created in Active Directory. It can also be Azure AD joined, where you use your work account to join the device straight to Azure Active Directory. The latter is the modern method, can only be done in Windows 10 as far as I know, and is really only designed for someone on the Microsoft 365 suite of products (think of Intune as a part of that) who either doesn’t need legacy on-prem connections, or can do some trickery around giving access to things where you’d historically use on-prem Active Directory authentication.
There is a third option though, which came out of the need for users to have connections to both worlds: Azure AD Hybrid. This lets a domain joined device also be joined to Azure AD, but it needs to be done in that order. This is supported in Windows 10 (called Windows Current Devices) as well as Windows 7/8/8.1 (called down-level devices), but I’ve only tested this in Windows 10. There’s more work and more steps to support down-level devices.
Why would I want Azure AD Hybrid?
There’s a bunch of reasons! A lot of the cool new features for identity and devices coming out of Azure AD won’t work at all, or won’t work as nicely, on a pure domain joined device:
- Windows Hello for Business
- Seamless Single Sign-On (SSO) with Passthru Authentication (PTA)
- Windows Store for Business
- Enterprise compliant roaming
- Conditional Access gives options for a better user experience rather than just forcing MFA in all scenarios. One of the options I like is allowing an Azure AD Hybrid joined device to access a resource without anything beyond a password. This means that, combined with Seamless SSO and PTA, a user can take their laptop anywhere, log onto Windows, and access resources without any other requirements. However, if they try to access a resource from another device, they’ll be challenged for another authentication method. Even better with Windows Hello for Business fingerprint or camera login, but that’s a whole other topic.
How To Set Up Azure AD Hybrid
I won’t go into too many details on this, as there’s excellent documentation already that covers both ADFS and non-ADFS users. Unless you already have ADFS, you most likely don’t need it, and it’s not the recommended method, as ADFS itself is much more complex (but fully works and is supported).
Very high level, the two steps are:
- Configure Azure AD Connect for Azure AD Hybrid Join using the setup/configuration wizard
- Enable “Register domain-joined computers as devices” via Group Policy under Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.
That’s really it. Read the documentation though, there’s a lot to consider – but the end result should have no impact on users. They won’t know or see that their device is Azure AD Hybrid joined, and you can’t even see it (at the time of writing) via GUI settings.
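The second step above, scripted, as an added example that is not from the original post: it creates and links the Group Policy with the GroupPolicy PowerShell module instead of clicking through the GPMC console. The GPO name and OU are placeholders for your own environment, and the mapping of the “Register domain-joined computers as devices” setting to the autoWorkplaceJoin registry value is an assumption stated in the comments. The Azure AD Connect wizard step still has to be done first.

```powershell
# Added example (not from the original post). Run as a domain admin on a machine
# with the GroupPolicy module (RSAT or a domain controller).
Import-Module GroupPolicy

$gpoName  = 'Azure AD Hybrid Join - Device Registration'   # placeholder name
$targetOu = 'OU=Workstations,DC=contoso,DC=local'           # placeholder OU

# Create the GPO only if it does not already exist, so the script is re-runnable.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Computer Configuration > Policies > Administrative Templates > Windows Components
# > Device Registration > "Register domain-joined computers as devices" = Enabled.
# Assumption: this ADMX setting writes autoWorkplaceJoin = 1 under the Policies key.
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'autoWorkplaceJoin' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU holding the Windows 10 devices, unless it is linked already.
$links = (Get-GPInheritance -Target $targetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Show what the GPO now contains, for a quick review before the clients refresh policy.
Get-GPRegistryValue -Name $gpoName -Key $policyKey
```

Clients pick the setting up at the next Group Policy refresh (or `gpupdate /force`), and the automatic registration itself happens on the next sign-in after that, so there is a delay before the device shows up as joined.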
How to see if a device is Azure AD Hybrid Joined
On a PC itself, you can run the command ‘dsregcmd /status’ from a command prompt. The very first line of the results will show ‘AzureAdJoined : YES’ or ‘AzureAdJoined : NO’. Pretty straightforward! You’ll see a lot more information in the other results when it is joined.
You can also test if a device is Azure AD Joined with the PowerShell command ‘get-msoldevice -deviceId <deviceId>’, using the computer name as the deviceId. You’ll either get a result back or you won’t; again, it’s pretty clear.
If it’s not joined and you want to work out why, it gets a bit tougher. There’s a great blog post here on troubleshooting, but you can always log a case with Microsoft to get some assistance.
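A check script, added here and not part of the original post, that ties the two tests above together and covers the first things to look at when a device has not joined. It parses ‘dsregcmd /status’ output into key/value pairs and tells a Hybrid join (domain joined and Azure AD joined) apart from a plain Azure AD join or a plain domain join, reads the registry value the Group Policy from the setup section is assumed to write, and, if the MSOnline module is loaded, looks the computer up in Azure AD by name. The sample dsregcmd output is constructed, and the autoWorkplaceJoin value name is an assumption.

```powershell
# Added example (not from the original post).

function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Section banners ("| Device State |") and separators have no " : " and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)

    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:\s][^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinType {
    # Hybrid Azure AD join means the device is BOTH domain joined and Azure AD joined.
    # dsregcmd reports the two separately, so both flags are needed to tell Hybrid
    # apart from a pure Azure AD join or a pure domain join.
    param([Parameter(Mandatory)][hashtable]$State)

    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'

    if ($aad -and $domain) { return 'HybridAzureADJoined' }
    if ($aad)              { return 'AzureADJoined' }
    if ($domain)           { return 'DomainJoinedOnly' }
    return 'NotJoined'
}

# --- Constructed sample output (abbreviated; not captured from a real device) ---
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

$parsed = ConvertFrom-DsregStatus -Lines $sample
"Sample device join type: $(Get-JoinType -State $parsed)"    # HybridAzureADJoined

# --- Live check on this machine (Windows 10 ships dsregcmd.exe) ---
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $live = ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
    "This device join type: $(Get-JoinType -State $live)"
}

# --- Has the Group Policy from the setup section applied to this machine? ---
# Assumption: "Register domain-joined computers as devices" writes autoWorkplaceJoin = 1 here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$policy = Get-ItemProperty -Path $policyKey -Name autoWorkplaceJoin -ErrorAction SilentlyContinue
if ($policy -and $policy.autoWorkplaceJoin -eq 1) {
    'Auto-registration policy: enabled'
} else {
    'Auto-registration policy: not set (check the GPO link/scope, then gpupdate /force)'
}

# --- Azure AD side (needs the MSOnline module and a prior Connect-MsolService) ---
if (Get-Command Get-MsolDevice -ErrorAction SilentlyContinue) {
    # -Name takes the computer name; -DeviceId expects the device object's GUID.
    $dev = Get-MsolDevice -Name $env:COMPUTERNAME -ErrorAction SilentlyContinue
    if ($dev) { "Azure AD device object found: $($dev.DisplayName), enabled=$($dev.Enabled)" }
    else      { 'No Azure AD device object yet (not registered, or the computer has not synced)' }
}
```

Run it on the device you are investigating: a result of DomainJoinedOnly with the policy reported as not set points at Group Policy scope, while DomainJoinedOnly with the policy enabled but no Azure AD object points at the Azure AD Connect side (the computer object must be in scope for sync before registration can succeed).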
I haven’t come across or read any reason not to set up Azure AD Hybrid, as long as you’re in a position where you’ve already got all users and devices syncing. Seamless Single Sign-On and Passthru Authentication are a great reason in themselves to head down this path, as the user experience is a lot nicer without the constant re-entering of passwords.