Good Morning,
I have watched the webinar a couple of times between yesterday and today.
I spent a better part of 90 days trying to convince a client to purchase the Entra ID Suite.
One item of note if you’re interested in purchasing the full Entra ID Suite is that if you’re an M365 E5 customer you may be eligible for step-up pricing to Entra ID Suite.
We were able to get the cost per user down to $7.50 per user per month which is much more palatable than the MSRP cost.
Thought I’d share that bit of information. Not sure if that pricing is still available or not but it was for us.
I did have a question.
Ru mentioned something about going Entra ID joined as opposed to hybrid joined. I have had back-to-back clients that just went Hybrid joined because they had Active Directory and were essentially scared to go cloud only.
I expressed to them that this just wasn’t true and Entra ID Suite could help them bridge this gap in instances where there might be an on-premise dependency.
Is there any documentation anywhere about why you must go Hybrid Join as opposed to Entra ID joined? Perhaps a blog that breaks it down in small bite-sized increments that stakeholders can understand?
Going Entra only is a hard sell. Can you help me with supporting documentation on how to sell it to my organization?
- avalport1, Nov 05, 2025, Copper Contributor
Best practice and recommendations from MVPs is to go Entra ID joined. Look at the Microsoft Cybersecurity Reference Architecture documentation https://aka.ms/MCRA , all the pages, but I focus on pages 59 - 61 the most. Also search for Zero Trust deployment plans. Entra ID Suite is the operations wrapper around all these architecture components. Every activity from an identity has six degrees of separation to these Microsoft tools and components.
Second recommendation: Purchase the Microsoft 365 Copilot license for yourself and use the Research agent - it's amazing. Example response:
Microsoft Entra ID Join vs. Hybrid Azure AD Join: Key Differences and Why Cloud-Only Is the Future
Microsoft’s latest guidance is clear: Hybrid Azure AD Join is a temporary bridge, not a long-term solution. The recommended end state for organizations is to move to Microsoft Entra ID Join (formerly Azure AD Join), which is cloud-native, requires no on-premises domain controllers for daily operation, and supports modern Zero Trust security models out of the box. In contrast, Hybrid Joined devices remain dependent on legacy Active Directory infrastructure, introducing complexity and technical debt.
Core Comparison
- Device Identity & Authentication:
  - Entra ID Join: Devices are joined only to Entra ID, with cloud-based authentication and no on-premises computer account.
  - Hybrid Join: Devices are joined to both on-prem AD and Entra ID, requiring dual identities and defaulting to on-prem authentication.
- Infrastructure Dependence:
  - Entra ID Join: No domain controller needed for login or policy; works over the internet.
  - Hybrid Join: Requires connectivity to on-prem AD for authentication, often needing VPN for remote users.
- Access to On-Prem Resources:
  - Both models support access, but Entra ID Join uses user SSO with some prerequisites. Hybrid Join offers full native access but retains legacy dependencies.
- Management & Policy:
  - Entra ID Join: Managed via Intune/MDM, supporting modern provisioning and policy enforcement.
  - Hybrid Join: Supports both Group Policy and Intune, but with added complexity and potential policy conflicts.
- Provisioning & User Experience:
  - Entra ID Join: Optimized for remote and modern deployment (e.g., Windows Autopilot), enabling users to log in from anywhere.
  - Hybrid Join: Maintains traditional domain join processes, which can slow down remote onboarding.
- Security:
  - Entra ID Join: Aligns with Zero Trust, reduces legacy attack surfaces, and leverages modern security controls.
  - Hybrid Join: Inherits on-prem AD security risks and makes full Zero Trust harder to achieve.
- Administrative Overhead:
  - Entra ID Join: Simplifies IT operations by removing the need for on-prem AD maintenance.
  - Hybrid Join: Requires managing both environments, increasing complexity and technical debt.
- Long-Term Strategy:
  - Entra ID Join: Future-proof, scalable, and receives new features first.
  - Hybrid Join: Intended only as a stop-gap during migration to cloud-only identity.
Addressing Common Concerns
- On-prem apps and file shares:
  Entra ID–joined devices can still access most on-prem resources if user identities are synced and network connectivity is available. Only rare legacy cases require a computer’s AD account.
- Group Policy reliance:
  Intune and MDM solutions now cover most policy needs, and Microsoft recommends using Hybrid Join only if legacy GPOs are truly required—while working to modernize policies.
- Security:
  Entra ID Join is generally more secure, reducing attack surfaces and aligning with modern frameworks like Zero Trust. Hybrid Join retains legacy risks.
- Migration approach:
  A phased migration is best: enable Hybrid Join for existing devices, but make all new devices Entra ID–joined. Over time, retire on-prem AD as blockers are addressed.
- Legacy systems:
  For rare cases where legacy systems require AD, keep only those specific devices on-prem or use services like Azure AD Domain Services. Most users benefit from the simplicity and security of cloud join.
Bottom Line
Microsoft Entra ID Join is the strategic choice for organizations aiming to modernize, reduce complexity, and strengthen security. Hybrid Join is a valuable bridge, but not the destination. The sooner organizations embrace cloud-native identity, the more agile and secure their IT environment will be.
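The phased migration the reply describes (keep existing devices Hybrid joined, make new devices Entra ID joined, then retire the remaining dependencies) is easier to sell to stakeholders when you can show progress as numbers. The PowerShell below is an added example for that purpose; it is not code from the thread or from Microsoft. It classifies a single device's join state from the `dsregcmd /status` output and totals a tenant's device inventory by the Microsoft Graph `trustType` property (`AzureAd` = Entra joined, `ServerAd` = Hybrid joined, `Workplace` = Entra registered). The `dsregcmd` lines and the device records in the script are constructed sample data; the commented `Get-MgDevice` call (Microsoft.Graph module, `Device.Read.All` scope) is how you would feed it real data.

```powershell
# Added example (not part of the original thread). Classify a device's join
# state from 'dsregcmd /status' output and summarise a tenant's devices by
# Graph trustType so the Hybrid -> Entra join migration can be tracked.

function Get-JoinStateFromDsregcmd {
    param([string[]]$StatusLines)   # lines of 'dsregcmd /status' output

    # Pull the YES/NO flags out of the 'Device State' / 'User State' blocks.
    $flags = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    # Both AD and Entra joined -> Hybrid; Entra only -> Entra joined;
    # AD only -> still on-prem; WorkplaceJoined -> Entra registered (BYOD).
    if ($flags['AzureAdJoined'] -and $flags['DomainJoined']) { return 'HybridJoined' }
    if ($flags['AzureAdJoined'])   { return 'EntraJoined' }
    if ($flags['DomainJoined'])    { return 'DomainJoinedOnly' }
    if ($flags['WorkplaceJoined']) { return 'EntraRegistered' }
    return 'NotJoined'
}

function Get-JoinTypeSummary {
    param([object[]]$Devices)   # objects with DisplayName and TrustType

    $label = @{ 'AzureAd' = 'Entra joined'; 'ServerAd' = 'Hybrid joined'; 'Workplace' = 'Entra registered' }
    $Devices | Group-Object -Property TrustType | ForEach-Object {
        [pscustomobject]@{
            TrustType = $_.Name
            JoinType  = if ($label.ContainsKey($_.Name)) { $label[$_.Name] } else { 'Unknown' }
            Count     = $_.Count
        }
    }
}

function Get-RemainingHybridDevices {
    # The migration backlog: devices still carrying an on-prem AD identity.
    param([object[]]$Devices)
    $Devices | Where-Object { $_.TrustType -eq 'ServerAd' } | Select-Object DisplayName, TrustType
}

# --- Constructed sample: abbreviated 'dsregcmd /status' output for one PC ---
$sampleStatus = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP'
)
"Sample device join state: $(Get-JoinStateFromDsregcmd -StatusLines $sampleStatus)"   # HybridJoined

# On a real Windows device, run the same classifier over live output:
#   Get-JoinStateFromDsregcmd -StatusLines (dsregcmd /status)

# --- Constructed sample: device records shaped like Graph 'device' objects ---
$sampleDevices = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-0001'; TrustType = 'AzureAd'   },
    [pscustomobject]@{ DisplayName = 'LAPTOP-0002'; TrustType = 'AzureAd'   },
    [pscustomobject]@{ DisplayName = 'DESKTOP-0100'; TrustType = 'ServerAd' },
    [pscustomobject]@{ DisplayName = 'DESKTOP-0101'; TrustType = 'ServerAd' },
    [pscustomobject]@{ DisplayName = 'PHONE-0007';  TrustType = 'Workplace' }
)
Get-JoinTypeSummary -Devices $sampleDevices | Format-Table -AutoSize
Get-RemainingHybridDevices -Devices $sampleDevices | Format-Table -AutoSize

# Against the tenant (Microsoft.Graph module installed, Device.Read.All consented):
#   Connect-MgGraph -Scopes 'Device.Read.All'
#   $tenantDevices = Get-MgDevice -All -Property DisplayName,TrustType
#   Get-JoinTypeSummary -Devices $tenantDevices
#   Get-RemainingHybridDevices -Devices $tenantDevices
```

Run the summary at the start of the project and again at each review; a falling `ServerAd` count alongside a rising `AzureAd` count is the evidence that the Hybrid Join bridge is actually being crossed rather than becoming the permanent state the reply warns against.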
- VicSil, Oct 10, 2025, Occasional Reader