Our situation is the following: We have our users in Azure Active Directory. We have a Azure AD Premium subscription and are using all the cool stuff like MFA to secure everything & dynamic groups to get users to the right resources in an automated way. We also have a few legacy line of business apps that run in an on premises domain. I would like to make a secure, MFA protected connection to our local domain to give our users single sign on into the local domain.
Now I thought that this exercise would always start with setting up a sync between Azure Active Directory and the local AD via AD Connect. Two problems:
1. AD Connect does not seem to work on Server 2019? It has to do with a SQL 2012 instance for the tool? Is that correct? I can hardly believe that?
2. After we ran AD Connect on Server 2016, the users 'source' in AAD changed to the Windows Server AD, clearing all info in AAD (and thus dynamically removing everybody from all groups). Furthermore I can't edit those properties any longer in AAD.
Question 1: Is there another way to achieve what I would like to do? Another solutions I looked into is Parallels RAS but I don't know if you still need an AD Connect with that solution.
Question 2: If I really need AD Connect, is there a way to keep the 'authority' in the hybrid scenario in Azure Active directory? So I can create users in M365, use all cool features of AAD etc etc? I know that Windows Virtual Desktop is on it's way but you still need an AD connect between your domain were the hostpools are and your AAD in that scenario.
Remark: I'm the cloud guy and I know nothing about on premises server configuration so some of my questions are 'basic'. As a newbee I'm truly amazed that a 'common' scenario like that is still so difficult anno 2019.
Thank you. My first impression was that hybrid Azure AD join was all about devices and that it therefore was not solving my 'user identity' related issues. But now that I have thought about it, If you can 'only' do a device sync and leave the users untouched (and therefore managed in AAD) it could totally work. I'm going to read into it and try it out. Thank you.
Settings Azure Hybrid Join up it appaers so that devices are only synced from AD tot Azure AD. Or is it possible to have it the other way around also. So if I join a device in Azure AD via Autopilot for example and have that device synced to local AD.
I immediately tried the device writeback option in AD Connect and that synchronises devices from Azure AD to AD but they and up in a container in AD and then what? As far as we can see, you can't get SSO from that scenario nor can you do anything with thos devices...