Blog Post

Microsoft Intune Blog
7 MIN READ

Understanding hybrid Azure AD join and co-management

Herman_Arnedo_Byrne's avatar
Herman_Arnedo_Byrne
Icon for Microsoft rankMicrosoft
Mar 18, 2021
As we talk with our customers that are using Microsoft Endpoint Manager to deploy, manage, and secure their client devices, we often get questions regarding co-managing devices and hybrid Azure Activ...
Updated Nov 09, 2023
Version 3.0
configuration manager
microsoft intune
Jason_Sandys's avatar
Jason_Sandys
Icon for Microsoft rankMicrosoft
Feb 22, 2023

Hi neurotoxic 

 

In an enterprise there are so many applications attached to AD DS

This is not a technically accurate statement. The apps themselves almost always rely on the core Windows capabilities using built-in authentication libraries and functionality. The applications themselves are wholly ignorant of the exact details of how they contact the directory to request authentication or how to actually perform that auth, they simply pass the info to a built-in function and operate on the returned info. Nothing about AADJ changes this or upsets this functionality. The only difference with AADJ is that Windows needs a little bit of additional info to direct the authentication request to the on-prem domain as this is intrinsically known to an on-prem domain joined device. This little bit of additional info is provided by AAD Connect (see How SSO to on-premises resources works on Azure AD joined devices - Microsoft Entra | Microsoft Learn for details).

 

If you have apps that make direct LDAP (or other direct to AD) queries, there's nothing specifically stopping them from being pointed to your on-prem AD. As eldued to above, AADJ does not in any way preclude the use of your on-prem AD or any other directory for that matter. The app simply needs to be able to be pointed to that directory. How each app handles that is an app specific implementation detail that we can't solve specifically and is something you need to engage with the app's vendor on. As noted above, Windows itself is doing this by using a hint provided to it using AAD Connect.

 

> So overall, though AADJ makes sense, we consider atleast 3~4 year journey before it could culminate in fully getting away from AD DS. 

You'll get no argument or pushback from us on this. We fully acknowledge that this is not an overnight excercise and that this journey may take "many" years for some customers. But every journey starts with a single step (pick your favorite cliche that says the same thing).

 

As for support and knowledge, note that the author of this post works directly with some of the largest and most strategic Microsoft customers on a daily basis. The team we are on is dedicated to this (we are part of the product group) so we are in general more than just passingly knowledgable. I'm sorry your experience with other resources has not been up to your expectations. I suggest providing that feedback to those teams and using other resources at your disposal including discussing this with your Microsoft account team.

 

Finally, don't conflate moving to AADJ with getting rid of your on-prem AD. They are not the same thing and while that is a longer term aspiration for us, that is a follow-on step to moving to AADJ and not part of moving to AADJ.