Help! AWS Microsoft Directory Services, Azure Active Directory, AAD Connect Hybrid Join and Intune.

Bear with me as I'm new to Azure, AWS and O365 services.

We work with an MSP that set up our infrastructure and from everything I can tell, we have what would be considered Hybrid. Unfortunately, due to the partnership with the MSP, I have very limited visibility into everything but here's what I can surmise based on what I see in Active Directory.

  1. We're running AWS Directory Services for Microsoft AD. I see a dozen or so AWS Delegated [groupnamehere] Groups in AD. Additionally, I see that our DNS servers are DCs in AWS.

  2. Our domain name is "corp.companyname.loc"

  3. When I do any AD admin work, I log into what I can only assume is a management instance of AD, installed on a completely different VM in AWS.

  4. We have an ADFS server that appears to be authenticating users into O365.

  5. We do not have any physical servers in any offices.

I have questions about how authentication can (should?) work and how I can better leverage Azure AD and Intune in my environment. We have Azure AD P1 licensing as well as Microsoft Intune. Here are some of the concerns I've been seeing as the company grows:

  • Some of the early machines were not truly joined to the domain. For one thing, I've connected with a few of these users and they are still set up in the default WORKGROUP. I believe the users were provided an O365 account with e-mail and used the pre-installed versions of Office (Surface Pros). Most of these early users' AD accounts have passwords that expired sometimes up to 6 months ago, but the user is still able to send/receive e-mail, log in to SharePoint and do most everything they need. It's only when they start to do some additional work like downloading files that they get vague error messages about account issues. That's when I get a call or an e-mail and have to start looking at the machine's configuration.

  • If this is considered Hybrid, shouldn't we see machines in Azure AD or the Intune devices list as Hybrid Azure AD Joined? When I dove into the Azure AD Connector, I found that the computers OU was not being synced. I quickly found that the AAD Connector software needed an update to utilize the Hybrid AAD Join feature. However, after running the software I ran into a hitch.

    • The connector requires an Enterprise Admin account. I believe I just need to add myself or another account into the AWS Delegated Administrators group but need to research this further.

    • The Azure AD connector requires configuration of an SCP connector. In the Authentication Service drop-down, I see two options: one shows "sts.companyname.com", the second option says Azure Active Directory. I can only assume I should select sts.companyname.com, but I'm not sure of the effect this might have versus selecting AAD.

The reason I'm looking to start syncing my machines into Azure AD is because I get the sense I'm not able to do a lot of things with Intune that I otherwise should be able to. I also think there are some configuration issues given the state of our AWS/O365/Intune deployment. For one thing, Intune enrollments are done on a per-user basis.

I think these machines should automatically enroll into Intune once they are joined to the domain. I don't think it makes sense that I'm enrolling these users as they log into the machine or as they are provisioned (config machine, join domain, log in as admin, enroll user under Access School or Work, enter new employee's account info), but still, this is on a per-user basis. As I type this out, I suppose it makes sense, as the Intune license is assigned to a user and not just based on machine.

  1. Can anyone shed some light on how I should be getting my domain-joined machines enrolled into Intune in a better way?

  2. Would Azure AD facilitate the above?

  3. Is there going to be a problem if I do use AAD Connector to synchronize computers into AAD and they already exist there? Will this cause duplicates of all of my machines?

We're slowly weaning off of support by the MSP as the industry requires more internal control of all of the data the company touches.

That was a long one. Thanks for reading.

10 Replies
A lot to unwrap there. Your identity issue would be resolved if the machines were joined to the domain that’s federated. However you could, for simplicity and if it’s not used for anything else, change to ADConnect PTA with SSO. Again client machines need to be domain joined but would save you on AWS infra costs.

On Intune, yes you need an SCP endpoint active for hybrid join. I’d make the change above, then set it. Once they’re hybrid you can enroll them and have full management. You could go a step further and set up Autopilot for new machines too.

Send me any further questions, this one will take a while!
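As an added example (not posted by anyone in this thread), the following PowerShell checks the two things the reply above hinges on: whether a Service Connection Point for hybrid join is present in the on-premises AD, and which join state a given Windows device actually reports. The SCP container path (CN=62a0ff2e-97b9-4513-943f-0d221bd30080 under Device Registration Configuration) and the azureADName/azureADId keyword format are the ones Azure AD Connect writes; the function names are my own. It is a read-only check, so it runs without Enterprise Admin rights and works against a managed directory like AWS Managed Microsoft AD as long as the device has line of sight to a DC.

```powershell
# Added example: verify the hybrid-join prerequisites from a domain-joined device.
# Assumes Windows 10/11, domain-joined, network access to a domain controller.
# Uses ADSI only, so no RSAT module is required and no elevation for the reads.

function Get-HybridJoinScp {
    # The SCP lives in a fixed GUID-named container under the Configuration NC.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
        return [pscustomobject]@{ Present = $false; TenantName = $null; TenantId = $null }
    }
    $scp      = [ADSI]$scpPath
    $keywords = @($scp.keywords)

    # Keywords look like "azureADName:contoso.onmicrosoft.com" and "azureADId:<tenant guid>".
    $name = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $id   = ($keywords | Where-Object { $_ -like 'azureADId:*'   }) -replace '^azureADId:', ''
    [pscustomobject]@{ Present = $true; TenantName = $name; TenantId = $id }
}

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the ones that decide the join type.
    $raw   = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|DeviceId)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    # Classify the combination the same way the Azure AD devices blade labels it.
    $kind = switch ($true) {
        { $state.AzureAdJoined -eq 'YES' -and $state.DomainJoined -eq 'YES' } { 'Hybrid Azure AD joined'; break }
        { $state.AzureAdJoined -eq 'YES' }   { 'Azure AD joined only (not domain joined)'; break }
        { $state.DomainJoined -eq 'YES' }    { 'Domain joined only (no cloud device identity yet)'; break }
        { $state.WorkplaceJoined -eq 'YES' } { 'Azure AD registered (workplace join)'; break }
        default                              { 'Not joined (WORKGROUP)' }
    }
    [pscustomobject]@{ Kind = $kind; Details = $state }
}

$scp = Get-HybridJoinScp
if ($scp.Present) {
    "SCP found: tenant $($scp.TenantName) ($($scp.TenantId))"
} else {
    "No SCP in AD: domain-joined devices will not attempt hybrid join"
}
Get-DeviceJoinState | Format-List
```

The "Azure AD joined only" result is the limbo state described in the original post: a device with a cloud identity but no domain membership, so domain password policy never reaches it. If the SCP is missing but the device is domain joined, the device has no tenant to register with, which matches the symptom of nothing appearing as Hybrid Azure AD Joined.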

Hey @Joe Carlyle


I appreciate your reply. Seems the length of my post may have scared off a lot of people. Machines are definitely domain joined and it is federated. We definitely have this set up -- https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microso...

I have noticed that a majority of machines in the org prior to my employment are in some kind of strange limbo where they were Azure AD Joined but not domain joined, which caused some great head-scratchers. Those users could log into their machines and could use e-mail just fine, but domain password policies were not applying to them. In some cases, these users would have passwords that had long expired (8-10 months or longer) but everything still worked fine. It wasn't until they tried accessing a newer SharePoint site or some resource that they were being prompted to reset their credentials, which brought its own set of problems.

At any rate, since posting this I've discovered that the permissions in AWS' Managed AD solution are limited. In trying to run the Hybrid AAD Configuration, there's a requirement for an Enterprise Administrator account. AWS maintains exclusive rights to the Administrator account and anything to do with enterprise/directory-wide changes.


At this point, we're crossing our fingers that AWS can/will run the configuration with the Administrator account to allow us to set up Hybrid Azure AD Join. Otherwise, we're kind of dead in the water and may need to consider spinning up our own AD and trusting it into the AWS directory if that's even possible.

@symm_adrian 

That AWS restriction really doesn't help you, but it's common for managed domains.

The more control you need, the more likely it is you will need your own full domain. Have you a large user/device base? Would it be worth redoing the lot now that you are in control and have a clear vision of what you want and how you want to achieve it?


Seems like you've inherited two half completed projects!

@Joe Carlyle 

Seems like you've inherited two half completed projects!


It certainly feels that way! In their defense, a lot of these decisions were made on the fly to get things up and running. I don't think there was any thought about what the ramifications would be going down the managed AD route.

We don't have a lot of devices as we're currently just shy of about 100 users. Some of these users have two devices (a laptop or Surface and a phone). We have maybe 140 devices currently registered into Azure AD. Quite honestly, it wouldn't be a huge deal, especially given the benefits that come with having devices Hybrid Azure AD joined. One of the biggest being the automatic enrollment of our endpoints, which is an incredibly cumbersome and manual process.

@symm_adrian, did you get any definitive answer from AWS? We are in the same scenario as you: we have AWS Directory Services and we need to enable Hybrid Join.

Hey @luissoto, I'm not sure what you're trying to accomplish but we managed to set up Hybrid AAD but with everything I read after this post, you should really try to just go straight to Azure AD joining. All of the group policy concerns I had can supposedly be configured via Azure AD configurations so I don't think there's an issue doing everything in Azure/Azure AD.


There are some challenges in trying to use AWS' Microsoft Managed AD as your administrative rights are restricted and they don't give access to the main Admin account to keep management of the service to a minimum. That was basically the reply I got from AWS.

Thank you for your reply.
We are trying to set up Co-management and Autopilot for our company, but I also encounter the same issue as you when trying to configure Azure Hybrid Join with AWS Managed AD: we need "Enterprise Admin" permissions, but I was hoping that someone has found a workaround to this issue.
I am guessing I will need to stick to just having a CMG (Cloud Management Gateway).

@luissoto Ah, yeah. Unfortunately, AWS will not provide credentials for the EA account as it is a managed service. There were some other walls we ran up against like enabling logging for auditing that they wouldn't enable either. Pros and cons to a managed AD solution, as it were.

I'm not familiar with CMG, but we did get Autopilot working in our environment. It's been a bit of a challenge, though, as they don't support Autopilot configurations over VPN, and with all of the work from home going on, we don't have people in the office provisioning those machines.


Good luck!

Just out of curiosity, can you point me to the documentation that you used to set up Autopilot in your environment?

Thank you for your help.

@symm_adrian Have you figured out this issue?

My organization has the same setup as you have described, running the same exact config as well.

I am not able to authenticate my AAD connector as it requires the EA password, which obviously we do not have, and AWS declined to share it.

I am looking for a way forward on this since we are not able to implement Intune properly.

Further, to add on, we have a user base of around 800, so spinning up new on-prem infra is out of scope here.

Any help would be appreciated.