
samppp
Copper Contributor
Oct 31, 2022

Convert from Azure Registered to Hybrid AD Join with ADFS

Dear all,


In my environment, I am using an ADFS on Windows server 2019.

I would like to apply the process to convert Azure Registered computers to Hybrid AD Join states using ADCONNECT server.


My question is:

Even though I have an ADFS working in my domain, could I use Azure Active Directory as the Authentication Service instead of my ADFS on-prem? (during the process on ADCONNECT to Hybrid AD JOIN computers)

Many thanks

  • Moe_Kinani
    Bronze Contributor

    Hi samppp 


    I think you’re asking two questions: the first one is converting Azure AD Registered devices to Hybrid Azure AD; the second one is authenticating to Azure AD instead of the ADFS farm.


    Question 1- You need to use GPO if the devices are joined to the domain. If not joined, you need to manually enroll it. 

    https://cloudbymoe.com/f/enrolling-workstations-to-intune-using-gpo


    Question 2- You need to change the setting in your ADConnect to select a different sign-in method like Password Sync, Pass-through or Seamless Single Sign-On; here is a great post I used back in the day to move away from ADFS.
    https://www.core.co.uk/blog/blog/replace-adfs-seamless-sign-on?hs_amp=true


    Hope this helps!

    Moe
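
The sign-in method change Moe describes (the "Change user sign-in" task in Azure AD Connect) only goes smoothly if password hashes are already in the cloud and every federated domain is accounted for before ADFS is taken out of the auth path. As an added example that is not code from this thread or from Microsoft, the PowerShell below encodes those pre-flight checks as functions over plain objects, so it runs offline against constructed sample data. The live data sources shown in comments (Get-MgDomain and Get-MgOrganization from the Microsoft Graph PowerShell SDK, Get-ADSyncAADCompanyFeature from the ADSync module on the Connect server), the property names read from them, and the two-hour staleness threshold are assumptions of this example.

```powershell
# Added example (not from the thread): pre-flight checks before moving the tenant
# sign-in method from ADFS (federated) to Password Hash Sync / Pass-through in
# Azure AD Connect. Functions take plain objects so this runs offline.

function Get-FederatedDomain {
    param([Parameter(Mandatory)][object[]]$Domains)
    # Any domain still 'Federated' will break sign-in if ADFS is decommissioned first;
    # each one has to be converted to 'Managed' as part of the cutover.
    $Domains | Where-Object { $_.AuthenticationType -eq 'Federated' } | ForEach-Object { $_.Id }
}

function Test-ManagedSignInReady {
    param(
        [Parameter(Mandatory)][object[]]$Domains,          # objects with Id, AuthenticationType
        [Parameter(Mandatory)][object]$CompanyFeature,     # object with a PasswordHashSync flag
        [Parameter(Mandatory)][datetime]$LastPasswordSync, # when hashes last reached Azure AD
        [timespan]$MaxHashAge = [timespan]::FromHours(2)   # assumed threshold for "stale"
    )
    $findings = @()

    $federated = @(Get-FederatedDomain -Domains $Domains)
    if ($federated.Count -gt 0) {
        $findings += "Still federated: $($federated -join ', ')"
    }

    if (-not $CompanyFeature.PasswordHashSync) {
        # Without PHS there is nothing for Azure AD to validate passwords against
        # once the federation trust is removed.
        $findings += 'Password hash sync is disabled on the Connect server; enable it and let a full sync finish before converting domains to managed'
    } elseif (((Get-Date) - $LastPasswordSync) -gt $MaxHashAge) {
        $findings += "Last password hash sync was at $LastPasswordSync; stale hashes mean users cannot sign in after cutover"
    }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample: one federated domain, PHS already enabled, recent sync.
$domains = @(
    [pscustomobject]@{ Id = 'contoso.com';             AuthenticationType = 'Federated' }
    [pscustomobject]@{ Id = 'contoso.onmicrosoft.com'; AuthenticationType = 'Managed' }
)
$feature  = [pscustomobject]@{ PasswordHashSync = $true; DeviceWriteback = $false }
$result   = Test-ManagedSignInReady -Domains $domains -CompanyFeature $feature `
                                    -LastPasswordSync (Get-Date).AddMinutes(-20)
$result.Findings   # "Still federated: contoso.com" -> convert it during the sign-in change

# Live data (tenant admin on any machine; the last line on the Connect server):
# Connect-MgGraph -Scopes 'Domain.Read.All','Organization.Read.All'
# $domains  = Get-MgDomain
# $lastSync = (Get-MgOrganization).OnPremisesLastPasswordSyncDateTime
# $feature  = Get-ADSyncAADCompanyFeature
```

Run the check, fix every finding, and only then change the sign-in method in the Connect wizard; if the tenant also uses ADFS for third-party relying parties, the federation trust with Office 365 is the only thing this cutover removes.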

  • KurtBMayer
    Steel Contributor

    samppp 


    Configure Device Writeback in AD Connect and sync the OUs with machines, per Configure hybrid Azure Active Directory join for managed domains.


    According to MSFT, such devices will convert from Azure AD Registered to Hybrid Azure AD Joined and in most cases will clean up the old record. It may take a while for all devices to process, though. See: Plan hybrid Azure Active Directory join - Azure Active Directory.


    Regarding Q2 and Moe_Kinani's response: yes, changing AD Connect would move away from ADFS, but just be aware it'd change the auth flow of the tenant. You could still use ADFS for other federated Relying Parties if needed; just the Office 365 integration would change over to Azure AD auth.


    Please like and mark this thread as answered if it's helpful, thanks!
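
Kurt's point that devices convert from Azure AD Registered to Hybrid Azure AD Joined, and that the old record is usually but not always cleaned up, can be verified per machine. As an added example (not code from this thread or from Microsoft), the PowerShell below parses dsregcmd /status output, classifies the join state, flags the "dual state" where a hybrid-joined machine still carries an Azure AD Registered record, and reads the Device Registration policy keys that the hybrid join GPO writes. The sample dsregcmd output is constructed; the registry path and value names (autoWorkplaceJoin, BlockAADWorkplaceJoin) are those used by the "Register domain joined computers as devices" policy, and the state labels are this example's own.

```powershell
# Added example (not from the thread): classify a device's join state from
# "dsregcmd /status" and check the Device Registration policy keys written by
# the hybrid join GPO. Runs offline against the constructed sample at the bottom.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "Key : Value" rows; section banners have no colon and are skipped.
    # The first occurrence of a key wins (a few keys repeat across sections).
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinState {
    param([Parameter(Mandatory)][hashtable]$State)
    $domain    = $State['DomainJoined']    -eq 'YES'   # on-prem AD joined
    $aad       = $State['AzureAdJoined']   -eq 'YES'   # device object in Azure AD (hybrid join when also domain joined)
    $workplace = $State['WorkplaceJoined'] -eq 'YES'   # Azure AD Registered via the user's work account
    # The labels below are this example's own
    if ($domain -and $aad -and $workplace) { return 'DualState' }   # hybrid joined AND still registered
    if ($domain -and $aad)                 { return 'HybridAzureAdJoined' }
    if ($aad)                              { return 'AzureAdJoined' }
    if ($workplace)                        { return 'AzureAdRegistered' }
    if ($domain)                           { return 'DomainJoinedOnly' }
    return 'NotJoined'
}

function Get-WorkplaceJoinPolicy {
    # Keys set by the "Register domain joined computers as devices" policy
    # (Computer Configuration > Administrative Templates > Windows Components > Device Registration)
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoWorkplaceJoin     = ($p.autoWorkplaceJoin -eq 1)      # 1 = automatic hybrid join enabled
        BlockAADWorkplaceJoin = ($p.BlockAADWorkplaceJoin -eq 1)  # 1 = users cannot Azure AD register the machine
    }
}

# Constructed sample (trimmed) of dsregcmd /status on a machine that was hybrid joined
# by the GPO but still carries the user's earlier Azure AD Registered record.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $sample
Get-DeviceJoinState -State $state      # DualState

# Live check on a domain-joined workstation (elevated PowerShell):
# $live = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
# Get-DeviceJoinState -State $live
# Get-WorkplaceJoinPolicy
```

Where the check reports DualState, the stale registration can be removed by the user under Settings > Accounts > Access work or school (Disconnect), and setting BlockAADWorkplaceJoin to 1 on domain-joined machines keeps users from re-creating it while the fleet is converting.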


    • samppp
      Copper Contributor

      KurtBMayer 

      Thanks Kurt for your reply, very helpful for me because I am a beginner.


      My first goal is to convert all of the company's computers to Hybrid AD Join.


      We also have a future goal to get rid of ADFS, so that's why I'm wondering if instead of choosing our ADFS, I could choose Azure AD as the authentication service:

      Any idea?

      Many thanks for your help again,

