Hybrid Azure AD join computer procedure

%3CLINGO-SUB%20id%3D%22lingo-sub-2093324%22%20slang%3D%22en-US%22%3EHybrid%20Azure%20AD%20join%20computer%20procedure%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093324%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3EWe%20have%20configured%20AADC%20to%20sync%20on-prem%20AD%20object%20%2F%20password%20hash%20to%20O365%20with%20ADFS%20for%20federation%20and%20access%20control.%3C%2FP%3E%3CP%3EWe%20are%20planning%20to%20change%20our%20O365%20from%20federated%20domain%20to%20managed%20domain%2C%20so%20we%20can%20dismiss%20the%20ADFS.%3CBR%20%2F%3EIt%20will%20involve%20Hybrid%20Azure%20AD%20join%20our%20domain%20computers%2C%20setup%20Azure%20AD%20conditional%20access%20and%20then%20dismiss%20the%20ADFS%2C%20while%20keeping%20AADC%20to%20sync%20on-prem%20AD%20object%20%2F%20password%20hash%20to%20O365.%3C%2FP%3E%3CP%3EOriginal%20plan%3A%3C%2FP%3E%3COL%3E%3CLI%3E%3CP%3ESetup%20AAD%20hybrid%20join%20with%20federation%20domain.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EWindows%2010%20computer%20will%20auto%20AAD%20hybrid%20join.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3ESetup%20Conditional%20Access%20rules.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EChange%20federation%20domain%20to%20managed%20domain.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EChange%20AAD%20hybrid%20join%20to%20managed%20domain.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EDismiss%20ADFS.%3C%2FP%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3EAccording%20to%20Microsoft%20documents%3A%20%22Beginning%20with%20Windows%2010%201803%2C%20if%20the%20instantaneous%20hybrid%20Azure%20AD%20join%20for%20a%20federated%20environment%20by%20using%20AD%20FS%20fails%2C%20we%20rely%20on%20Azure%20AD%20Connect%20to%20sync%20the%20computer%20object%20in%20Azure%20AD%20that's%20subsequently%20used%20to%20complete%20the%20device%20registration%20for%20hybrid%20Azure%20AD%20join.%22%3C%2FP%3E%3CP%3ESo%20I%20am%20thinking%20a%20new%20plan%20to%20simplify%20the%20steps%3A%3C%2FP%3E%3COL%3E%3CLI%3E%3CP%3EAADC%20sync%20WIndows%2010%20computer%20to%20AAD%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3ESetup%20SCP%20GPO%20to%20publish%20SCP%20to%20Windows%2010%20computers.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EWindows%2010%20auto%20do%20the%20AAD%20hybrid%20join.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3ESetup%20Conditional%20Access%20rule.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EChange%20federation%20domain%20to%20managed%20domain.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EDismiss%20ADFS.%3C%2FP%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3EWill%20this%20migration%20step%20work%3F%3C%2FP%3E%3CP%3EThanks%2C%3CBR%20%2F%3ERoy%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2093324%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

Hi All,

We have configured AADC to sync on-prem AD object / password hash to O365 with ADFS for federation and access control.

We are planning to change our O365 from federated domain to managed domain, so we can dismiss the ADFS.
It will involve Hybrid Azure AD join our domain computers, setup Azure AD conditional access and then dismiss the ADFS, while keeping AADC to sync on-prem AD object / password hash to O365.

Original plan:

  1. Setup AAD hybrid join with federation domain.

  2. Windows 10 computer will auto AAD hybrid join.

  3. Setup Conditional Access rules.

  4. Change federation domain to managed domain.

  5. Change AAD hybrid join to managed domain.

  6. Dismiss ADFS.

According to Microsoft documents: "Beginning with Windows 10 1803, if the instantaneous hybrid Azure AD join for a federated environment by using AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that's subsequently used to complete the device registration for hybrid Azure AD join."

So I am thinking a new plan to simplify the steps:

  1. AADC sync WIndows 10 computer to AAD

  2. Setup SCP GPO to publish SCP to Windows 10 computers.

  3. Windows 10 auto do the AAD hybrid join.

  4. Setup Conditional Access rule.

  5. Change federation domain to managed domain.

  6. Dismiss ADFS.

Will this migration step work?

Thanks,
Roy

0 Replies