Jump into modern managed devices with Azure AD Join
Event details
We know many of you want to go modern and unlock capabilities like Windows Autopilot, but you likely still need to reach some legacy on-premises resources. Is Hybrid Azure AD Join the only route? No, but it is your friend! Learn how to use Azure AD Join to access on-premises resources, so you get the full modern experience of a "born in the cloud" Azure AD joined device while still reaching on-prem resources. Once a device is Azure AD joined from day one, you can take full advantage of Windows Autopilot, Endpoint analytics reporting in Microsoft Intune, and patching via Windows Autopatch.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after the conclusion of the live event.
- DaveD-MS-CETS (Microsoft): Hi everyone, if you have questions during the session feel free to ask them. We've kept the content short and concise, so we are here to answer follow-up questions.
- Heather_Poulsen (Community Manager)
Welcome to Jump into modern managed devices with Azure AD Join at the Microsoft Technical Takeoff. Let's get started! Have a question? Post it here in the Comments. Subject matter experts will be answering during the session and throughout the week. We're looking forward to the conversation.
- gatewood502 (Brass Contributor): Any advice on devices that are already Azure AD Registered and then an organization starts to do Hybrid Azure AD Join and the devices never merge in Azure AD?
- DaveD-MS-CETS (Microsoft)
Hi Josh, Hybrid Azure AD troubleshooting is an area all of its own. There are some great resources here to guide you through the HAADJ steps and identify which one is causing an issue: Troubleshoot hybrid Azure Active Directory-joined devices - Microsoft Entra | Microsoft Learn
- SteveB_SC (Brass Contributor): Can you please post the links shown in the last slide?
- Marc_Laf (Iron Contributor)
Azure AD device identity documentation
https://learn.microsoft.com/en-us/azure/active-directory/devices/
How SSO to on-premises resources works on Azure AD joined devices
https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
Azure AD Connect sync: Configure filtering
Primary Refresh Token (PRT) and Azure AD
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
- Heather_Poulsen (Community Manager): Working on it!
- JasonHartman (Copper Contributor): Curious what methods people are using to deploy shortcuts/drive maps in this AADJ scenario. There is a website out there on GitHub that will create a PowerShell script that you push via Intune, which creates a scheduled task that maps the drives. Would be nice if there was a shortcut/drive-mapping setting right in Intune to make that easier. How are you all handling this?
- wollewoldemar (Brass Contributor): Same here, currently we use a scheduled task. But it would be nice to have an easy solution...
- ErinDay (Brass Contributor): We're 'handling' it essentially by trying to move everything to SharePoint Online. Probably not the answer you are looking for.
Something like this? Just upload the ADMX into Intune and define it? https://call4cloud.nl/2021/03/willy-wonka-and-the-drive-letter-factory/
- HeyHey16K (Steel Contributor): We looked at this as well, but it only allows flat drive mapping (i.e. drive letter A can only point to one file path), so if that's all you need this could work. In our environment we map different drive letters to different paths depending on security group membership, which this doesn't seem to be able to do 😞
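As an added example (not code from the session, from Microsoft, or from the linked site), the script below does the group-dependent mapping HeyHey16K describes, from a standard user session on an Azure AD joined device. It assumes a hypothetical on-prem domain contoso.corp.com (DN DC=contoso,DC=corp,DC=com), a file server fs01.contoso.corp.com, group names GG-Finance and GG-Engineering, and that the user's cloud UPN equals their on-prem UPN. It is meant to be deployed as an Intune PowerShell script with "Run this script using the logged-on credentials" set to Yes, so LDAP and SMB authenticate silently with the Kerberos ticket the device obtains from the PRT; because an AADJ device has no domain membership, the LDAP path names the domain explicitly instead of relying on auto-discovery.

```powershell
# Added example: group-aware drive mapping for an Azure AD joined device.
# Not from the session or from Microsoft. All names below are hypothetical.
$DomainFqdn = 'contoso.corp.com'
$DomainDn   = 'DC=contoso,DC=corp,DC=com'

# Constructed mapping table. Group = $null means "map for everyone".
$Mappings = @(
    @{ Group = $null;            Letter = 'S'; Path = '\\fs01.contoso.corp.com\Shared' }
    @{ Group = 'GG-Finance';     Letter = 'F'; Path = '\\fs01.contoso.corp.com\Finance' }
    @{ Group = 'GG-Engineering'; Letter = 'E'; Path = '\\fs01.contoso.corp.com\Engineering' }
)

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape LDAP filter metacharacters before interpolating untrusted strings.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-OnPremGroups {
    param([Parameter(Mandatory)][string]$Upn)
    # No domain auto-discovery on an AADJ device, so point ADSI at the domain by name.
    $root     = [ADSI]"LDAP://$DomainFqdn/$DomainDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn)))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $user = $searcher.FindOne()
    if (-not $user) { throw "No on-prem account with UPN $Upn" }
    $userDn = [string]$user.Properties['distinguishedname'][0]

    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side. It does not
    # return the primary group (normally Domain Users), which is why the table uses
    # Group = $null rather than 'Domain Users' for "everyone".
    $searcher.Filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn)))"
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.PageSize = 500
    foreach ($g in $searcher.FindAll()) { [string]$g.Properties['samaccountname'][0] }
}

function Set-MappedDrives {
    param([string[]]$Groups)
    foreach ($m in $Mappings) {
        if ($null -ne $m.Group -and $Groups -notcontains $m.Group) { continue }
        # Replace any stale mapping for this letter, then map persistently so the
        # drive appears in Explorer and outlives this script.
        if (Get-PSDrive -Name $m.Letter -ErrorAction SilentlyContinue) {
            Remove-PSDrive -Name $m.Letter -Force -ErrorAction SilentlyContinue
        }
        try {
            New-PSDrive -Name $m.Letter -PSProvider FileSystem -Root $m.Path -Persist -Scope Global -ErrorAction Stop | Out-Null
            Write-Output "Mapped $($m.Letter): -> $($m.Path)"
        } catch {
            Write-Warning "Could not map $($m.Letter): to $($m.Path): $_"
        }
    }
}

function Register-LogonDriveMapTask {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # Re-run at each logon so mappings follow group changes. The task runs as the
    # same user who registers it, so the user-writable script path gains no privilege.
    $me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    $trigger  = New-ScheduledTaskTrigger -AtLogOn -User $me
    $trigger.Delay = 'PT30S'   # give VPN/network a moment before mapping
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
    Register-ScheduledTask -TaskName 'MapOnPremDrives' -Action $action -Trigger $trigger -Settings $settings -Force | Out-Null
}

# Entry point: map now; on first run also persist a copy and register the logon task.
$upn = (whoami /upn).Trim()
Set-MappedDrives -Groups (Get-OnPremGroups -Upn $upn)
$target = Join-Path $env:LOCALAPPDATA 'MapOnPremDrives.ps1'
if ($PSCommandPath -ne $target) {
    Copy-Item -Path $PSCommandPath -Destination $target -Force
    Register-LogonDriveMapTask -ScriptPath $target
}
```

The script itself carries no credentials: authentication to the DC and the file server comes from the user's own Kerberos ticket, so a device off the corporate network (or without line of sight to a DC) simply logs a warning and maps nothing. Group evaluation happens in the directory via the matching-rule OID, which keeps nested groups working without pulling the whole group tree to the client.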
- wollewoldemar (Brass Contributor): One point regarding Azure AD Connect: what about a global environment, where clients are spread across the world? The current architecture supports only one Azure AD Connect. Is there some plan to support multiple AD Connects, to shorten the path until the TGT token is received?
- KevinMineweaser_MSFT (Microsoft)
Hi Viktor,
You are correct that only one AD Connect is supported. As the on-prem AD servers continuously replicate, only one of them needs to run AD Connect for the latest updates to be synchronized. If you suspect performance issues, Azure Active Directory Connect Health for Sync can help to diagnose and remediate sync errors. Here's a link for your reference.
https://portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade
Hope this helps,
-Kevin
- Marc_Laf (Iron Contributor): One issue we encountered with AAD joined devices and on-prem resources was that AD management tools (ADUC, DNS) required manual specification of the domains or servers to manage and could not use the auto-discovery methods a domain-joined device could. A bigger issue was that an AAD joined device was unable to manage on-prem certificate services successfully; templates were inaccessible. Are there going to be any improvements in this regard, or will we just need to use a hybrid join for these management tasks?
- wollewoldemar (Brass Contributor): Good topic regarding certs! How can we handle certs for device certificate-based auth for Wi-Fi?
- Dom73 (Microsoft): Hi Marc and Viktor, for AAD joined devices you can distribute certificates with Intune and NDES. You need to install a connector (the NDES connector) on an on-premises server, and then you'll be able to distribute certificates to devices. There's also an option to create and distribute a Wi-Fi configuration profile to those devices. Please review the links below for more information.
https://learn.microsoft.com/en-us/mem/intune/protect/certificate-connectors
https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-configure
- Anthony9394 (Copper Contributor): We have processes that run as SYSTEM (such as services) that need to access a file share. It works for HAADJ because we grant the AD computer account access to the share, but for AADJ there is no way to grant access. What would be the "workaround"?
- DaveD-MS-CETS (Microsoft)
Hi Anthony, apps running on the AADJ device can authenticate as users, but must use the implicit UPN or NT4-type syntax with the domain FQDN as the domain part, e.g. user@contoso.corp.com or contoso.corp.com\user.
Apps and resources using Active Directory machine based authentication don't work because the AADJ devices don't have a computer object in AD.
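As an added example (not from the session or from Microsoft), the functions below show what the answer above implies for a SYSTEM-context process on an AADJ device: with no computer object in AD, the process has to present a user credential, and the user name must carry the FQDN domain (user@contoso.corp.com or contoso.corp.com\user), never the NetBIOS short form. The domain, server, service account name and file paths are hypothetical. The credential is stored once from the SYSTEM context with Export-Clixml, whose DPAPI protection binds it to that account on that machine, and the file's ACL is restricted to SYSTEM and Administrators.

```powershell
# Added example: explicit user credential for a SYSTEM-context process on an
# Azure AD joined device. Not from the session or from Microsoft; names hypothetical.

function Test-FqdnQualifiedUser {
    param([Parameter(Mandatory)][string]$UserName)
    # Accept user@contoso.corp.com or contoso.corp.com\user. Reject CONTOSO\user and
    # a bare user name, which depend on domain auto-discovery an AADJ device lacks.
    if ($UserName -match '^[^@\\]+@[^@\\]+\.[^@\\]+$') { return $true }   # UPN form
    if ($UserName -match '^[^@\\]+\.[^@\\]+\\[^@\\]+$') { return $true } # FQDN\user form
    return $false
}

function Save-ShareCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-FqdnQualifiedUser $Credential.UserName)) {
        throw "Use user@domain.fqdn or domain.fqdn\user; got '$($Credential.UserName)'"
    }
    # Export-Clixml encrypts the password with DPAPI for the *current* account, so a
    # file written while running as SYSTEM can only be decrypted by SYSTEM on this
    # machine. Run this once in the SYSTEM context (e.g. psexec -s -i powershell.exe).
    $Credential | Export-Clixml -Path $Path
    # Belt and braces: restrict the file to SYSTEM and Administrators, dropping
    # inherited ACEs (C:\ProgramData grants Users read by default).
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Connect-ShareAsSystem {
    param(
        [Parameter(Mandatory)][string]$UncPath,        # use the server FQDN here too
        [Parameter(Mandatory)][string]$CredentialPath
    )
    $cred = Import-Clixml -Path $CredentialPath
    if (-not (Test-FqdnQualifiedUser $cred.UserName)) {
        throw "Stored credential '$($cred.UserName)' is not FQDN-qualified"
    }
    # Non-persistent mapping scoped to this process; no drive letter required.
    New-PSDrive -Name 'svcshare' -PSProvider FileSystem -Root $UncPath -Credential $cred -ErrorAction Stop | Out-Null
    return 'svcshare:\'
}

# Usage, one-time as SYSTEM (hypothetical account and paths):
#   Save-ShareCredential -Credential (Get-Credential 'svc-backup@contoso.corp.com') `
#       -Path 'C:\ProgramData\Contoso\share.cred.xml'
# Then from the service or scheduled task running as SYSTEM:
#   $root = Connect-ShareAsSystem -UncPath '\\fs01.contoso.corp.com\Backups' `
#       -CredentialPath 'C:\ProgramData\Contoso\share.cred.xml'
#   Copy-Item 'C:\Logs\*.log' -Destination $root
```

A standing credential on the endpoint is still a standing credential: give the service account rights only on the share it needs, and treat the device as able to act as that account if it is compromised. A hybrid-joined device can use its computer account instead, which is the trade-off the question is really about.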
- Heather_Poulsen (Community Manager)
We’ll continue to answer questions here in the chat for the rest of the half hour and we’ll check back throughout the week. For bonus content, make sure to check out our Technical Takeoff Demo Channel!
We’re happy you’re here with us at the Microsoft Technical Takeoff! Whether you are attending one session or many, please take this 2-minute survey and let us know your thoughts on this event.
- Brandon_Emlinger (Copper Contributor): Are there any plans to be able to manage a server in AAD? For example, we are in the process of migrating our devices to AAD only (even though we have a hybrid AAD environment). How can I secure a file server WITHOUT needing to join the device to the local AD domain? We are using Azure Active Directory Connect for SSO to access the file server shares, but found I need the local domain policies to manage the server. So the workstations are only AAD joined, but the file server is Hybrid AAD joined.
- DaveD-MS-CETS (Microsoft)
Hi Brandon,
Windows Admin Center is a browser-based tool set that enables you to manage Windows servers with no Azure or cloud dependency. You can install the gateway on a Windows server or a domain-joined Windows 10 machine, then connect from the Edge or Chrome browser. Windows Admin Center Overview | Microsoft Learn