Aug 01 2019 04:00 PM
Aug 01 2019 04:00 PM
Bare with me as I'm new to Azure, AWS and O365 services.
We work with an MSP that set up our infrastructure and from everything I can tell, we have what would be considered Hybrid. Unfortunately, due to the partnership with the MSP, I have very limited visibility into everything but here's what I can surmise based on what I see in Active Directory.
We're running AWS Directory Services for Microsoft AD. I see a dozen or so AWS Delegated [groupnamehere] Groups in AD. Additionally, I see that our DNS servers are DCs in AWS.
Our domain name is "corp.companyname.loc"
When I do any AD admin work, I log into what I can only assume is a management instance of AD, installed on a completely different VM in AWS.
We have an ADFS server that appears to be authenticating users into O365.
We do not have any physical servers in any offices.
I have questions about how authentication can (should?) work and how I can better leverage Azure AD and Intune in my environment. We have Azure AD P1 licensing as well as Microsoft Intune. Here are some of the concerns I've been seeing as the company grows:
Some of the early machines were not truly joined to the domain. For one thing, I've connected with a few of these users and they are still set up in the default WORKGROUP. I believe the users were provided an O365 account with e-mail and used the pre-installed versions of Office (Surface Pros). Most of these early users' AD accounts have passwords that have expired sometimes up to 6 months ago but the user is still able to send/receive e-mail, login to SharePoint and do most everything they need. Its only when they start to do some additional work like download files that they get vague error messages about account issues. That's when I get a call or an e-mail and have to start looking at the machine's configuration.
If this is considered Hybrid, shouldn't we see machines in Azure AD or the Intune device as, Hybrid Azure AD Joined? When I dove into the Azure AD Connector, I found that the computers OU was not being synced. I quickly found that the AAD Connector software needed an update to utilize the Hybrid AAD Join feature. However, after running the software I ran into a hitch.
The connector requires an Enterprise Admin account. I believe I just need to add myself or another account into the AWS Delegated Administrators group but need to research this further.
The Azure AD connector requires configuration of an SCP connector. In the Authentication Service drop-down, I see two options. One shows "sts.companyname.com" the second option says Azure Active Directory. I can only assume I should select the sts.companyname.com but I'm not sure of the effect this might have versus selecting AAD.
The reason I'm looking to start syncing my machines into Azure AD is because I get the sense I'm not able to do a lot of things with Intune that I otherwise should be able to. I also think there are some configuration issues given the state of our AWS/O365/Intune deployment. For one thing, Intune enrollments are done on a per-user basis.
I think these machines should automatically enroll into Intune once it is joined to the domain. I don't think it makes sense that I'm enrolling these users as they log into the machine or as they are provisioned (config machine, join domain, login as admin, enroll user under Access School or Work, enter new employee's account info) but still, this is on a per-user basis. As I type this out, I suppose it makes sense as the Intune license is assigned to a user, and not just based on machine.
Can anyone shed some light on how I should be getting my domain-joined machines enrolled into Intune in a better way?
Would Azure AD facilitate the above?
Is there going to be a problem if I do use AAD Connector to synchronize computers into AAD and they already exist there? Will this cause duplicates of all of my machines?
We're slowly weaning off of support by the MSP as the industry requires more internal control of all of the data the company touches.
That was a long one. Thanks for reading.
Aug 10 2019 12:32 AM
Aug 12 2019 10:46 AM - edited Aug 12 2019 10:48 AM
Hey @Joe Carlyle,
I appreciate your reply. Seems the length of my post may have scared off a lot of people. Machines are definitely domain joined and it is federated. We definitely have this set up -- https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microso...
I have noticed that a majority of machines in the org prior to my employment are in some kind of strange limbo where they were Azure AD Joined but not domain joined which caused for some great head scratchers. Those users could log into their machines, could use e-mail just fine but domain password policies were not applying to them. In some cases, these users would have passwords that had long expired (8-10 months or longer) but everything still worked fine. It wasn't until they tried accessing a newer SharePoint site or some resource that they were being prompted to reset their credentials which brought its own set of problems.
At any rate, since posting this I've discovered that the permissions in AWS' Managed AD solution are limited. In trying to run the Hybrid AAD Configuration, there's a requirement for an Enterprise Administrator account. AWS maintains exclusive rights to the Administrator account and anything to do with enterprise/directory-wide changes.
At this point, we're crossing our fingers that AWS can/will run the configuration with the Administrator account to allow us to set up Hybrid Azure AD Join. Otherwise, we're kind of dead in the water and may need to consider spinning up our own AD and trusting it into the AWS directory if that's even possible.
Aug 15 2019 05:54 AM
That AWS restriction really doesn't help you, but it's common for managed domains.
The more control you need, the more likely it is you will need your own full domain. Have you a large user/device base? Would it be worth redoing the lot now that you are in control and have a clear vision of what you want and how you want to achieve it?
Seems like you've inherited two half completed projects!
Aug 15 2019 07:09 AM
Seems like you've inherited two half completed projects!
It certainly feels that way! In their defense, a lot of these decisions were made on the fly to get things up and running. I don't think there was any thought about what the ramifications would be going down the managed AD route.
We don't have a lot of devices as we're currently just shy of about 100 users. Some of these users have two devices (a laptop or Surface and a phone). We have maybe 140 devices currently registered into Azure AD. Quite honestly, it wouldn't be a huge deal especially given the benefits that come with having device hybrid azure AD joined. One of the biggest being the automatic enrollment of our endpoints which is an incredibly cumbersome and manual process.
Jan 25 2021 11:35 AM
@symm_adrian, Did you get any definitive answer from AWS, we are in the same scenario as you, we have AWS directory services and we need to enable Hybrid join.
Jan 25 2021 11:43 AM
Hey @luissoto, I'm not sure what you're trying to accomplish but we managed to set up Hybrid AAD but with everything I read after this post, you should really try to just go straight to Azure AD joining. All of the group policy concerns I had can supposedly be configured via Azure AD configurations so I don't think there's an issue doing everything in Azure/Azure AD.
There are some challenges in trying to use AWS' Microsoft Managed AD as your administrative rights are restricted and they don't give access to the main Admin account to keep management of the service to a minimum. That was basically the reply I got from AWS.
Jan 25 2021 11:50 AM - edited Jan 25 2021 11:51 AM
Jan 25 2021 11:54 AM
@luissoto Ah, yeah. Unfortunately, AWS will not provide credentials for the EA account as it is a managed service. There were some other walls we ran up against like enabling logging for auditing that they wouldn't enable either. Pros and cons to a managed AD solution, as it were.
I'm not familiar with CMG but we did get Autopilot working in our environment. Its been a bit of a challenge, though as they don't support Autopilot configurations over VPN and with all of the work from home going on, we don't have people in office provisioning those machines.
Jan 25 2021 12:01 PM