Bare with me as I'm new to Azure, AWS and O365 services.
We work with an MSP that set up our infrastructure and from everything I can tell, we have what would be considered Hybrid. Unfortunately, due to the partnership with the MSP, I have very limited visibility into everything but here's what I can surmise based on what I see in Active Directory.
We're running AWS Directory Services for Microsoft AD. I see a dozen or so AWS Delegated [groupnamehere] Groups in AD. Additionally, I see that our DNS servers are DCs in AWS.
Our domain name is "corp.companyname.loc"
When I do any AD admin work, I log into what I can only assume is a management instance of AD, installed on a completely different VM in AWS.
We have an ADFS server that appears to be authenticating users into O365.
We do not have any physical servers in any offices.
I have questions about how authentication can (should?) work and how I can better leverage Azure AD and Intune in my environment. We have Azure AD P1 licensing as well as Microsoft Intune. Here are some of the concerns I've been seeing as the company grows:
Some of the early machines were not truly joined to the domain. For one thing, I've connected with a few of these users and they are still set up in the default WORKGROUP. I believe the users were provided an O365 account with e-mail and used the pre-installed versions of Office (Surface Pros). Most of these early users' AD accounts have passwords that have expired sometimes up to 6 months ago but the user is still able to send/receive e-mail, login to SharePoint and do most everything they need. Its only when they start to do some additional work like download files that they get vague error messages about account issues. That's when I get a call or an e-mail and have to start looking at the machine's configuration.
If this is considered Hybrid, shouldn't we see machines in Azure AD or the Intune device as, Hybrid Azure AD Joined? When I dove into the Azure AD Connector, I found that the computers OU was not being synced. I quickly found that the AAD Connector software needed an update to utilize the Hybrid AAD Join feature. However, after running the software I ran into a hitch.
The connector requires an Enterprise Admin account. I believe I just need to add myself or another account into the AWS Delegated Administrators group but need to research this further.
The Azure AD connector requires configuration of an SCP connector. In the Authentication Service drop-down, I see two options. One shows "sts.companyname.com" the second option says Azure Active Directory. I can only assume I should select the sts.companyname.com but I'm not sure of the effect this might have versus selecting AAD.
The reason I'm looking to start syncing my machines into Azure AD is because I get the sense I'm not able to do a lot of things with Intune that I otherwise should be able to. I also think there are some configuration issues given the state of our AWS/O365/Intune deployment. For one thing, Intune enrollments are done on a per-user basis.
I think these machines should automatically enroll into Intune once it is joined to the domain. I don't think it makes sense that I'm enrolling these users as they log into the machine or as they are provisioned (config machine, join domain, login as admin, enroll user under Access School or Work, enter new employee's account info) but still, this is on a per-user basis. As I type this out, I suppose it makes sense as the Intune license is assigned to a user, and not just based on machine.
Can anyone shed some light on how I should be getting my domain-joined machines enrolled into Intune in a better way?
Would Azure AD facilitate the above?
Is there going to be a problem if I do use AAD Connector to synchronize computers into AAD and they already exist there? Will this cause duplicates of all of my machines?
We're slowly weaning off of support by the MSP as the industry requires more internal control of all of the data the company touches.
That was a long one. Thanks for reading.
