Forum Discussion
symm_adrian
Aug 01, 2019Brass Contributor
Help! AWS Microsoft Directory Services, Azure Active Directory, AAD Connect Hybrid Join and Intune..
Bare with me as I'm new to Azure, AWS and O365 services.
We work with an MSP that set up our infrastructure and from everything I can tell, we have what would be considered Hybrid. Unfortunately, due to the partnership with the MSP, I have very limited visibility into everything but here's what I can surmise based on what I see in Active Directory.
We're running AWS Directory Services for Microsoft AD. I see a dozen or so AWS Delegated [groupnamehere] Groups in AD. Additionally, I see that our DNS servers are DCs in AWS.
Our domain name is "corp.companyname.loc"
When I do any AD admin work, I log into what I can only assume is a management instance of AD, installed on a completely different VM in AWS.
We have an ADFS server that appears to be authenticating users into O365.
We do not have any physical servers in any offices.
I have questions about how authentication can (should?) work and how I can better leverage Azure AD and Intune in my environment. We have Azure AD P1 licensing as well as Microsoft Intune. Here are some of the concerns I've been seeing as the company grows:
Some of the early machines were not truly joined to the domain. For one thing, I've connected with a few of these users and they are still set up in the default WORKGROUP. I believe the users were provided an O365 account with e-mail and used the pre-installed versions of Office (Surface Pros). Most of these early users' AD accounts have passwords that have expired sometimes up to 6 months ago but the user is still able to send/receive e-mail, login to SharePoint and do most everything they need. Its only when they start to do some additional work like download files that they get vague error messages about account issues. That's when I get a call or an e-mail and have to start looking at the machine's configuration.
If this is considered Hybrid, shouldn't we see machines in Azure AD or the Intune device as, Hybrid Azure AD Joined? When I dove into the Azure AD Connector, I found that the computers OU was not being synced. I quickly found that the AAD Connector software needed an update to utilize the Hybrid AAD Join feature. However, after running the software I ran into a hitch.
The connector requires an Enterprise Admin account. I believe I just need to add myself or another account into the AWS Delegated Administrators group but need to research this further.
The Azure AD connector requires configuration of an SCP connector. In the Authentication Service drop-down, I see two options. One shows "sts.companyname.com" the second option says Azure Active Directory. I can only assume I should select the sts.companyname.com but I'm not sure of the effect this might have versus selecting AAD.
The reason I'm looking to start syncing my machines into Azure AD is because I get the sense I'm not able to do a lot of things with Intune that I otherwise should be able to. I also think there are some configuration issues given the state of our AWS/O365/Intune deployment. For one thing, Intune enrollments are done on a per-user basis.
I think these machines should automatically enroll into Intune once it is joined to the domain. I don't think it makes sense that I'm enrolling these users as they log into the machine or as they are provisioned (config machine, join domain, login as admin, enroll user under Access School or Work, enter new employee's account info) but still, this is on a per-user basis. As I type this out, I suppose it makes sense as the Intune license is assigned to a user, and not just based on machine.
Can anyone shed some light on how I should be getting my domain-joined machines enrolled into Intune in a better way?
Would Azure AD facilitate the above?
Is there going to be a problem if I do use AAD Connector to synchronize computers into AAD and they already exist there? Will this cause duplicates of all of my machines?
We're slowly weaning off of support by the MSP as the industry requires more internal control of all of the data the company touches.
That was a long one. Thanks for reading.
- Alex_ujjuCopper Contributor
symm_adrian Have you figured out this issue.
My organization has same setup as you have described running the same exact config as well.
I am not able to authenticate my AAD connector as it requires EA password which obivosuly we do no that and AWS denied to share the same.
I am looking a way forward on this since we are not able to implement intune properly.
Further, to add on, we have a user base around 800 to spinning up new on-prem Infra is out of scope here.
Any help would be appreciated.
- Joe CarlyleCopper ContributorA lot to unwrap there. Your identity issue would be resolved if the machines were joined to the domain that’s federated. However you could, for simplicity and if it’s not used for anything else, change to ADConnect PTA with SSO. Again client machines need to be domain joined but would save you on AWS infra costs.
On intune, yes you need an SCP endpoint active for hybrid join. I’d make the change above, then set it. One they’re hybrid you can enroll them and have full management. You could go a step further and setup Autopilot for new machines too.
Send me any further questions, this one will take a while!- symm_adrianBrass Contributor
Hey Joe Carlyle,
I appreciate your reply. Seems the length of my post may have scared off a lot of people. Machines are definitely domain joined and it is federated. We definitely have this set up -- https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/.
I have noticed that a majority of machines in the org prior to my employment are in some kind of strange limbo where they were Azure AD Joined but not domain joined which caused for some great head scratchers. Those users could log into their machines, could use e-mail just fine but domain password policies were not applying to them. In some cases, these users would have passwords that had long expired (8-10 months or longer) but everything still worked fine. It wasn't until they tried accessing a newer SharePoint site or some resource that they were being prompted to reset their credentials which brought its own set of problems.
At any rate, since posting this I've discovered that the permissions in AWS' Managed AD solution are limited. In trying to run the Hybrid AAD Configuration, there's a requirement for an Enterprise Administrator account. AWS maintains exclusive rights to the Administrator account and anything to do with enterprise/directory-wide changes.
At this point, we're crossing our fingers that AWS can/will run the configuration with the Administrator account to allow us to set up Hybrid Azure AD Join. Otherwise, we're kind of dead in the water and may need to consider spinning up our own AD and trusting it into the AWS directory if that's even possible.
- Joe CarlyleCopper Contributor
That AWS restriction really doesn't help you, but it's common for managed domains.
The more control you need, the more likely it is you will need your own full domain. Have you a large user/device base? Would it be worth redoing the lot now that you are in control and have a clear vision of what you want and how you want to achieve it?
Seems like you've inherited two half completed projects!