Forum Discussion

xxxxx1155
Copper Contributor
May 25, 2021

Convert Azure AD Registered To Azure AD Joined

Hi,

Currently I'm in the process of configuring Azure / Intune for user and device management. I've been comparing the different models and it seems to be between Hybrid AD Joined and Azure AD Joined.

I've looked at the documentation from Microsoft and the Azure AD Joined option seems to be the best for our organization based on scenarios, because we don't fit into any of the hybrid's bullet points (see below).

Currently in Azure Active Directory > Devices the majority of devices display as Azure AD Registered, and this is not the best solution for our organization.

Due to covid our workforce has become remote and it's unlikely that the majority will return to the office.

Devices are currently domain joined because we've been using an on-premises Active Directory. We also use Azure AD Connect to sync AD user objects with M365.

Is there a way to convert / migrate devices from Azure AD Registered to Azure AD Joined?

From my research the recommended solution is to retrieve the devices, reset them, and then set them up using Windows Autopilot. Can anyone else validate this or offer up different solutions?

If there are different solutions to target remote workers so we can start managing their machines through Intune, please let me know.

I've attached images that show the scenarios on why to use Hybrid vs Azure AD joined.

  • Seshadrr
    Iron Contributor

    The decision depends on the requirement, who gets to manage the device and what type of user ID is used to authenticate.

    Hybrid Azure AD Joined is for:
    Corporate owned and managed devices
    Authenticated using a corporate user ID that exists in local AD and in AAD
    Authentication can be done using both on-prem AD and Azure AD

    Azure AD Joined is for:
    Corporate owned and managed devices
    Authenticated using a corporate ID that exists in Azure AD
    Authentication is only through AAD

    AAD Registered device is for:
    Personally owned, corporate enabled
    Authentication to the device is with a local ID or personal cloud ID
    Authentication to corporate resources using a user ID in AAD

    Considerations for moving from Azure AD Registered to Azure AD Joined:

    1) Assess your device management
        a) Management platform - If you are using Group Policies, evaluate your GPO and MDM policy parity by using Group Policy analytics in Microsoft Endpoint Manager.
           https://docs.microsoft.com/en-us/mem/intune/configuration/group-policy-analytics
        b) Device management for Azure AD joined devices is based on an MDM platform such as Intune, and MDM CSPs. Windows 10 has a built-in MDM agent that works with all compatible MDM solutions.
    2) Recommend migrating applications from on-premises to the cloud for a better user experience and access control:
        a) Cloud-based applications
        b) On-premises web applications
        c) On-premises applications relying on legacy protocols
        d) On-premises network shares
        e) Printers, on-premises applications relying on machine authentication, RDS
    3) Provisioning options
        a) Self-service in OOBE/Settings
        b) Windows Autopilot
        c) Bulk enrollment
    4) Configure your device settings
        a) Users may join devices to Azure AD: Selected
        b) Additional local administrators on Azure AD joined devices: None
        c) Require multi-factor authentication (MFA) to join devices
        d) Customize the application to configure your mobility settings
        e) MDM user scope and MDM URLs
    5) Configure Enterprise State Roaming - if you want to enable state roaming to Azure AD so that users can sync their settings across devices
    6) Configure Conditional Access, e.g. named locations, IP-based filters or apps
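Before deciding which of the three models above a fleet should move to, it helps to know which state each machine is actually in today. The following PowerShell is an added example for this thread (it is not part of Seshadrr's reply and not a Microsoft script) that parses the output of the built-in `dsregcmd /status` tool and maps the flags onto the three models. The `dsregcmd` text embedded at the bottom is constructed for offline use; on a real Windows 10 device call the function with no arguments. A PC that is domain joined and whose user has also added a work account shows `DomainJoined : YES` together with `WorkplaceJoined : YES`, which is why an on-premises-joined device can appear as "Azure AD registered" in the portal (Microsoft calls this dual state).

```powershell
# Added example, not from the thread: classify a device's join state from 'dsregcmd /status'.
# Assumes Windows 10 with the built-in dsregcmd.exe; the sample text below is constructed.
function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Captured 'dsregcmd /status' lines, to run offline; omit to query this machine.
        [string[]]$StatusText
    )
    if (-not $StatusText) { $StatusText = & dsregcmd.exe /status }

    # Each flag is printed as "<Name> : YES|NO"; collect the three that decide the model.
    $flags = @{ AzureAdJoined = $false; DomainJoined = $false; WorkplaceJoined = $false }
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }

    # Device-level flags (AzureAdJoined, DomainJoined) win over the per-user WorkplaceJoined flag.
    if ($flags.AzureAdJoined -and $flags.DomainJoined) {
        $state = 'Hybrid Azure AD joined'
    } elseif ($flags.AzureAdJoined) {
        $state = 'Azure AD joined'
    } elseif ($flags.DomainJoined -and $flags.WorkplaceJoined) {
        $state = 'Domain joined + Azure AD registered (dual state)'
    } elseif ($flags.WorkplaceJoined) {
        $state = 'Azure AD registered'
    } elseif ($flags.DomainJoined) {
        $state = 'Domain joined only'
    } else {
        $state = 'Not joined'
    }

    [pscustomobject]@{
        AzureAdJoined   = $flags.AzureAdJoined
        DomainJoined    = $flags.DomainJoined
        WorkplaceJoined = $flags.WorkplaceJoined
        State           = $state
    }
}

# Constructed sample (trimmed): a domain-joined PC on which a user has added a work account.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample
```

Run it on the constructed sample and the `State` column reads "Domain joined + Azure AD registered (dual state)"; run it without `-StatusText` on each remote PC (for example through your remote-control tool) to build the inventory the assessment in step 1 needs.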

    • xxxxx1155
      Copper Contributor
      Hi,

      Thanks for your response. I've gone through the Microsoft documentation detailing this, but that isn't the best option when your workforce is already deployed and joined to a local domain.

      If there is a local account on the device and your users are logged in, I've found you can unjoin the device from local AD and then rejoin the device to Azure AD. You'll then be asked to switch accounts and you can log in with your corporate email address.

      Users will be prompted by Windows Hello at this stage and asked to set up and log in with a PIN. Once the device is locked they can choose to log in with either password or PIN.

      You can disable Windows Hello for Business through GP or MDM.

      Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join

      I'm not sure why this isn't listed as a method/scenario in the documentation, but it seems to work just fine. If anyone has any thoughts on why not to unjoin from the domain and have the user rejoin through Azure AD in Windows Settings, please let me know.
      • somaji
        Brass Contributor
        I would recommend you implement a remote control solution, LogMeIn or GoToAssist (or equivalent), and set up a local administrator account; this is necessary to continue to disjoin the workstation from the Windows AD, and again when adding a workstation to Azure AD.

        If you have implemented Group Policies, be aware of conflicts if you plan to use MEM to manage the workstation configuration or deploy software through Intune. Anti-virus may be a hurdle you may need to cross as well.

        As a result, we decided to wipe and fresh deploy for one of our projects. Group policies were created and in play since Windows 2003.
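The two replies above describe one procedure: create a local administrator first (somaji), then unjoin the PC from the on-premises domain and let the user join it to Azure AD from Settings (xxxxx1155). The PowerShell below is an added example of the administrator-side part of that procedure; it is not code from either poster or from Microsoft. It assumes an elevated session on the remote PC (for example through the remote-control tool somaji suggests), and the names `LocalAdmin`, `CONTOSO` and `WORKGROUP` are placeholders. The Azure AD join itself is still done interactively in Settings afterwards by the user, who must be in scope of the "Users may join devices to Azure AD" setting and will be prompted for MFA if "Require multi-factor authentication to join devices" is on.

```powershell
# Added example, not from the thread: prepare a remote, domain-joined Windows 10 PC for the
# "unjoin from AD, then join Azure AD from Settings" path described above. Run elevated.
# Placeholders: LocalAdmin (break-glass account), CONTOSO (on-prem domain), WORKGROUP.

# 1. Break-glass local administrator, so someone can still sign in after the domain
#    trust is gone and before the Azure AD join has been completed.
$pw = Read-Host -AsSecureString 'Password for the LocalAdmin account'
New-LocalUser -Name 'LocalAdmin' -Password $pw -PasswordNeverExpires -AccountNeverExpires | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member 'LocalAdmin'

# 2. Sanity check: the device must be domain joined and not already Azure AD / hybrid joined,
#    otherwise Settings will not offer "Join this device to Azure Active Directory".
$status = & dsregcmd.exe /status
if ($status -match '^\s*AzureAdJoined\s*:\s*YES') { throw 'Already Azure AD or hybrid joined; nothing to unjoin.' }
if (-not ($status -match '^\s*DomainJoined\s*:\s*YES')) { throw 'Device is not domain joined.' }

# 3. Keep the pre-change state on disk. If the device was Azure AD registered through a
#    work account, this is how you later find and delete the stale registered object.
$status | Out-File -FilePath "C:\ProgramData\dsregcmd-before-unjoin.txt" -Encoding utf8

# 4. Unjoin from on-premises AD with a domain account allowed to remove computer objects.
#    -Restart reboots immediately, so warn the signed-in user before running this.
$domCred = Get-Credential -Message 'Domain account allowed to unjoin computers' -UserName 'CONTOSO\admin'
Remove-Computer -UnjoinDomainCredential $domCred -WorkgroupName 'WORKGROUP' -Force -Restart

# 5. After the reboot: sign in as LocalAdmin, then Settings > Accounts > Access work or school
#    > Connect > "Join this device to Azure Active Directory" and switch to the corporate account,
#    as described in the thread. Verify with:  dsregcmd /status
#    (AzureAdJoined should now be YES and DomainJoined NO.)
```

Two things to expect when you do this: the Azure AD sign-in creates a new local user profile, so the old domain profile stays on disk but nothing in it is migrated automatically, and the "Azure AD registered" device object that the old work-account registration created is not removed by the unjoin, so it should be deleted in Azure Active Directory > Devices once the new Azure AD joined object shows up.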
