Forum Discussion
symm_adrian
Aug 01, 2019 - Brass Contributor
Help! AWS Microsoft Directory Services, Azure Active Directory, AAD Connect Hybrid Join and Intune..
Bear with me as I'm new to Azure, AWS and O365 services. We work with an MSP that set up our infrastructure and from everything I can tell, we have what would be considered Hybrid. Unfortunately, du...
Joe Carlyle
Aug 10, 2019Copper Contributor
A lot to unwrap there. Your identity issue would be resolved if the machines were joined to the domain that’s federated. However you could, for simplicity and if it’s not used for anything else, change to ADConnect PTA with SSO. Again client machines need to be domain joined but would save you on AWS infra costs.
On Intune, yes you need an SCP endpoint active for hybrid join. I’d make the change above, then set it. Once they’re hybrid you can enroll them and have full management. You could go a step further and set up Autopilot for new machines too.
Send me any further questions, this one will take a while!
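The SCP Joe refers to is an object in the forest's Configuration partition that hybrid-join clients read to learn which Azure AD tenant to register with. The following PowerShell is an added example, not code from any post in this thread: it checks whether that forest SCP exists and, since creating it needs Enterprise Admin rights that a managed directory may withhold, also checks the per-machine registry override Windows accepts in its place, then reports the device's current join state. It assumes the ActiveDirectory RSAT module is installed on the machine where it runs.

```powershell
# Added example (not from the thread). Shows where a hybrid-join client would find
# its Azure AD tenant: the forest SCP or the client-side registry override.
Import-Module ActiveDirectory

# 1. Forest-level SCP under CN=Services in the Configuration partition.
#    Writing here requires Enterprise Admin, which a managed AD may not grant.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=62a0ff2e-97b9-4ad1-b6e2-25a5c8b9fd76,CN=Device Registration Configuration,CN=Services,$configNC"

try {
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    Write-Host "Forest SCP found at $scpDn"
    # keywords carry azureADName:<tenant domain> and azureADId:<tenant GUID>
    $scp.keywords | ForEach-Object { Write-Host "  $_" }
} catch {
    Write-Host "No forest SCP at $scpDn"
}

# 2. Client-side alternative: TenantName / TenantId values under this key are
#    used by the device registration task when no forest SCP is present.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
if (Test-Path $regPath) {
    $r = Get-ItemProperty -Path $regPath
    Write-Host "Client-side SCP override: TenantName=$($r.TenantName) TenantId=$($r.TenantId)"
} else {
    Write-Host "No client-side SCP override at $regPath"
}

# 3. What Windows itself reports about the device's join state.
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|TenantName'
```

Run it on a domain-joined client as an administrator. If the forest SCP cannot be created because the directory provider keeps Enterprise Admin for itself, populating the registry path in step 2 with the tenant's TenantName and TenantId on each client (for example via Group Policy Preferences) is the documented way to supply the same information without touching the Configuration partition; the `dsregcmd` line then confirms whether the device has completed hybrid join.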
symm_adrian
Aug 12, 2019 - Brass Contributor
Hey Joe Carlyle,
I appreciate your reply. Seems the length of my post may have scared off a lot of people. Machines are definitely domain joined and it is federated. We definitely have this set up -- https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/.
I have noticed that a majority of machines in the org prior to my employment are in some kind of strange limbo where they were Azure AD joined but not domain joined, which caused some great head scratchers. Those users could log into their machines and could use e-mail just fine, but domain password policies were not applying to them. In some cases, these users would have passwords that had long expired (8-10 months or longer) but everything still worked fine. It wasn't until they tried accessing a newer SharePoint site or some resource that they were being prompted to reset their credentials, which brought its own set of problems.
At any rate, since posting this I've discovered that the permissions in AWS' Managed AD solution are limited. In trying to run the Hybrid AAD Configuration, there's a requirement for an Enterprise Administrator account. AWS maintains exclusive rights to the Administrator account and anything to do with enterprise/directory-wide changes.
At this point, we're crossing our fingers that AWS can/will run the configuration with the Administrator account to allow us to set up Hybrid Azure AD Join. Otherwise, we're kind of dead in the water and may need to consider spinning up our own AD and trusting it into the AWS directory if that's even possible.
Joe Carlyle
Aug 15, 2019 - Copper Contributor
That AWS restriction really doesn't help you, but it's common for managed domains.
The more control you need, the more likely it is you will need your own full domain. Have you a large user/device base? Would it be worth redoing the lot now that you are in control and have a clear vision of what you want and how you want to achieve it?
Seems like you've inherited two half completed projects!
symm_adrian
Aug 15, 2019 - Brass Contributor
Seems like you've inherited two half completed projects!
It certainly feels that way! In their defense, a lot of these decisions were made on the fly to get things up and running. I don't think there was any thought about what the ramifications would be going down the managed AD route.
We don't have a lot of devices as we're currently just shy of about 100 users. Some of these users have two devices (a laptop or Surface and a phone). We have maybe 140 devices currently registered into Azure AD. Quite honestly, it wouldn't be a huge deal, especially given the benefits that come with having devices Hybrid Azure AD joined. One of the biggest is the automatic enrollment of our endpoints, which is currently an incredibly cumbersome and manual process.
luissoto
Jan 25, 2021 - Copper Contributor
symm_adrian, did you get any definitive answer from AWS? We are in the same scenario as you: we have AWS Directory Services and we need to enable Hybrid join.