Azure AD Connect - configuration questions


It is good to reassess your approach to things to see if it still makes sense. About four years ago a tech coworker developed our standard configuration for Azure AD Connect. At that time we were not using Intune (if it was even around). It involved performing an express installation but, prior to performing the initial sync, modifying the Synchronization Service Manager to only sync specific OUs to Azure AD. Typically these OUs had users, contacts, and distribution lists we wanted to use in Azure AD. There were some benefits to this approach.

First, in Azure AD you only saw users, contacts, and groups that you intentionally synced and wanted to use there. It avoided the clutter of default groups like DHCP Administrators, former employees who have had their AD DS accounts disabled but not yet deleted, and so forth. Second, if you had a situation where you no longer needed to retain a former employee's Azure AD user and related content you could unassign the license from the user in Microsoft 365 admin center and then in AD DS move the user account to an OU not synced with Azure AD.

Is this approach still a good approach? I did some reading and thinking and I suspect it is not in certain situations. I suspect choosing to sync the entire AD DS domain, or at least including the OUs with computer objects, is a better approach. First, this assumes that the users in the tenant have a license for Intune. If they do then we could use a Group Policy Object to Hybrid Azure AD join the devices in Intune. At that point we would be able to apply all the Mobile Device Management policies we do to Azure AD joined Windows 10 computers. Second, if the client had OSes older than Windows 10, Hybrid Azure AD join allows us to enroll and manage those in Intune as well, though this may lead to creating additional Compliance Policies and Configuration Profiles as they are broken down by Windows OS version. Though, if the user has a Microsoft 365 Business Premium license we could consider upgrading to Windows 10 Pro and from there the edition will automatically change to Windows 10 Business.

On the other side, there have been a couple of clients where we set up Azure AD Connect. We eventually got to a place where we could retire all their on-premises Windows Servers, which include AD DS, and transition to a pure Azure AD environment. Would having the Windows 10 computers Hybrid Azure AD joined complicate this transition? We'd probably use a third-party tool to migrate the Windows 10 computer and Windows user profile from AD DS to Azure AD so this may be a moot point.

Are there any other caveats or issues? Should we start syncing the AD DS computer objects at the minimum to Azure AD as well?

Matthew
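As an added example (not from this thread and not Microsoft tooling), the following PowerShell audit checks the two things the question turns on: for each OU in the Azure AD Connect sync scope, whether disabled AD DS accounts have been left inside the scope (the offboarding step of moving them to a non-synced OU was skipped, so they still exist in Azure AD as sign-in-blocked users), and how many computer objects are in scope (Hybrid Azure AD join needs the computer object synced). The OU distinguished names are constructed placeholders; the `ConnectorPartitionScope.ContainerInclusionList` property path behind `-FromADSync` is an assumption about the ADSync module's connector objects and should be verified on your own Azure AD Connect server before relying on it.

```powershell
<#
  Added audit script, not part of the original thread. Assumes:
    - the RSAT ActiveDirectory module is installed where this runs;
    - the ADSync module is present when -FromADSync is used (run on the Azure AD Connect server);
    - the OU names below are constructed examples, not the poster's environment.
#>
[CmdletBinding()]
param(
    # Distinguished names of the OUs Azure AD Connect is configured to sync (constructed examples).
    [string[]]$SyncedOUs = @(
        'OU=Users,OU=Corp,DC=example,DC=local',
        'OU=Contacts,OU=Corp,DC=example,DC=local',
        'OU=Workstations,OU=Corp,DC=example,DC=local'
    ),
    # Read the inclusion list from the AD connector instead of using the list above.
    [switch]$FromADSync,
    # Disabled accounts unchanged for this many days are treated as stale leftovers.
    [int]$StaleDays = 30
)

Import-Module ActiveDirectory -ErrorAction Stop

if ($FromADSync) {
    Import-Module ADSync -ErrorAction Stop
    # Assumed property path on the connector partition objects; verify on your ADSync version.
    $SyncedOUs = Get-ADSyncConnector |
        Where-Object { $_.ConnectorTypeName -eq 'AD' } |
        ForEach-Object { $_.Partitions } |
        ForEach-Object { $_.ConnectorPartitionScope.ContainerInclusionList }
}

$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = foreach ($ou in $SyncedOUs) {
    try {
        # Disabled users still inside a synced OU were never moved to the non-synced
        # offboarding OU, so they are still represented in Azure AD.
        # whenChanged is only an approximation of when the account was disabled.
        $disabled = @(Get-ADUser -SearchBase $ou -Filter 'Enabled -eq $false' -Properties whenChanged |
                      Where-Object { $_.whenChanged -lt $cutoff })

        # Computer objects in scope: Hybrid Azure AD join registers a device only if its
        # AD computer object is synced, so 0 here means those machines cannot hybrid-join.
        $computers = @(Get-ADComputer -SearchBase $ou -Filter * -Properties operatingSystem)
    }
    catch {
        Write-Warning "Could not query '$ou': $($_.Exception.Message)"
        continue
    }

    [pscustomobject]@{
        OU                   = $ou
        StaleDisabledUsers   = $disabled.Count
        StaleDisabledSamples = ($disabled | Select-Object -First 5 -ExpandProperty SamAccountName) -join ', '
        ComputersInScope     = $computers.Count
        # Pre-Windows 10 clients would need their own Intune compliance/config profiles.
        PreWin10Computers    = @($computers | Where-Object {
                                   $_.operatingSystem -and
                                   $_.operatingSystem -notmatch 'Windows 1[01]|Server'
                               }).Count
    }
}

$report | Format-Table -AutoSize
```

Run it with the default constructed list to see the report shape, or with `-FromADSync` on the Azure AD Connect server to audit the real inclusion list; a non-zero `StaleDisabledUsers` column is the case the original post avoids by moving offboarded accounts to an unsynced OU, and a zero `ComputersInScope` column on a client OU means Hybrid Azure AD join via GPO would not register those devices until the OU filter is widened.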

1 Reply

@Matthew1940 

In my tenant we only sync the OUs that are necessary to be in Azure. No sense in cluttering it up with useless and pointless objects.

Like you, when an employee is completely offboarded and de-licensed, we move them to an "ex-employee" OU which isn't synced.

There's no known benefit or feature addition by doing differently so why worry about doing something other than what works for you already? Just one less thing you have to worry about and can focus on other things.