Understanding hybrid Azure AD join and co-management

Great overview article! Thank you!

Is the chart at the bottom missing a row in-between HAADJ and AAD-only? Similar to the HAADJ row, but with Autopilot provisioning?

Following my previous comment: I see the table is for "Recommended" options. In that case I take back my question about HAADJ + Autopilot being missing. I understand that it's a supported/valid option, but not actually recommended.

Thanks again for the article.

Hi @MaxM 

Excited to be doing this! Glad you like it!

In reference to your question, we strongly discourage any customer from building their modern provisioning plan on Hybrid Azure AD Join. At best you’re deferring a problem you’ll still have to solve and won’t necessarily get any easier with time. At worst you’ll end up investing lots of time and effort to try and solve a complex problem and gain very little benefit over the current solution you have today that work well and reliably.

• The HAADJ flow during Autopilot is one we’re seeing customers see issues and lots of unnecessary complexity.
• HAADJ is really intended to uplift a customer’s existing domain join devices.
• AAD is the Microsoft recommended path for most new or repurposed devices, especially when using modern deployment tools like Windows Autopilot 

@Herman Arnedo Mahr I'm pleasantly surprised to see you/MSFT state that so decisively. Thank you.

Great article - having just enabled co-management and hybrid join, the scenarios such as GPOs and how to shift away from legacy apps is very useful.

Nice overview. But HAADJ+Autopilot is recommended by MS, but it not listed here. Practically HAADJ+Autopilot having more time-consuming implementation, operational changes were there. Do you agree?

Any comments from others welcome. 

Is it possible to only to move workloads only for a subset of one's devices? For example move the windows update workload only for a number of surface devices that are HAAD joined. Then have everything else being managed the traditional way.

@BitwinTheSheets Starting in version 1906, you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. 

Please check the following links and if you have any questions, don't hesitate to ask! 

• Co-management workloads - Configuration Manager | Microsoft Docs
• Enable co-management - Configuration Manager | Microsoft Docs

This is a great article and well explained :)

What about those scenarios that fall into the category of 'co-existence' where existing devices are managed by 3rd Party MDM providers?

Good article and needed. Thanks.

@Vadivelu_B This statement is not correct: "But HAADJ+Autopilot is recommended by MS". We fully support doing this, but as @Herman Arnedo Mahr calls out, this path is not ideal, and our recommendation is for organizations to embrace AADJ for new devices as soon as possible. We understand that it's not an on/off proposition for most organizations which is why we will continue to support HAADJ + Autopilot, however, don't conflate support with recommendation. Our clear and stated direction is and always has been to move orgs to the cloud. This direction has been clearly reinforced over the last 18 months with dependencies to on-prem only resources (like Active Directory) becoming a major obstacle and productivity inhibitor for many organizations.

Great article but I'd like to propose an additional scenario that is holding us back from embracing AADJ for new devices, Certificate Services. We use an MS Enterprise PKI built on top of our AD for all the things it's great at. If my devices aren't ADDS joined I lose a lot of the automated features that platform provides for cert management.

We're actively moving our GPOs to modern policies, we've got software deployment pivoting from ECM to Intune and have a solution for printing, but the PKI requirement has us stumped. Is there a solution we haven't thought of or perhaps are MS looking at a PKI add-on for AAD?

Hi @DonalC, secure certificate deployment in a cloud-first world is a challenge particularly since this needs to account for all platforms that we currently manage (or those that we may manage in the future). Because of this, we must use a standards-based toolset to deliver the certs to the endpoints. Because of this, Intune uses a certificate connector that facilitates communication with your existing Enterprise PKI and delivers certs in one of two industry standard methods: SCEP or PKCS. You can read about the Intune Certificate Connector and these two certificate delivery options at Certificate connectors for Microsoft Intune - Azure | Microsoft Docs. If you search the web for Intune Certificate Connector you'll find lots of hits with additional official documentation as well as supplemental documentation from the community.

Hi @Jason_Sandys and many thanks for taking the time to respond. We're actually running the Intune Connector and have it plugged into our MS CA using SCEP. My challenge is this is a lot of on-premise (or Azure IaaS), domain joined infrastructure that needs to be deployed and managed for a working PKI solution.

What I'd love to see is a PaaS based PKI solution built directly into MEM that could be seamlessly integrated into the device lifecycle and connected to systems for functionality such as NAC, AOVPN etc.

If we're moving to the cloud, I really want to move to the cloud, and not have to build masses of on-premise infrastructure to support that move.

Thank you for the feedback. Personally, yes, I'd love to see a PaaS and Azure-based PKI as well. At this time though, we don't have this. There have been hallway-type conversations and investigations (so I'm not alone in this desire), but there are no formal plans or commitments right now. Please use the feedback capabilities within Azure and the MEM admin console to submit this to ensure it receives increased visibility.

Excellent article, explained the difference between co management and Azure ad join very well

Hi Herman,

Thank you for the excellent blog, it clears alot of confusions I had as a beginner to Intune. 

I have some trouble understanding the flow and design. my company has all windows 10 devices joined to on prem AD and managed by sccm. however, there are few windows 10 mobile devices which are domain joined with ccm client installed but rarely connect to network. hence we would like to enroll these mobile devices to intune to manage updates, compliance and access company LOB applications. What is the best/ straightforward approach? 

To enroll a domain joined windows pc with sccm client is co management mandatory?

sorry for the long question, really need your help to move forward.

Thanks

AMK

Hi @khanax0l. Best and straightforward is always in the eye of the beholder and depends on many details specific to your environment, users, management strategy, and usage that are not known.

Based on what you've noted though, your best first step here (IMO) is to implement a cloud management gateway (CMG) in ConfigMgr to enable you to manage these off-prem Windows systems (I suggest not calling them Windows Mobile as that means something different). This will enable you to fully utilize all of the management capabilities that you currently have with ConfigMgr for these off-prem Windows endpoints. 

You can then set about enrolling the Windows endpoints in Intune. The tricky part here for existing endpoints is that they must be hybrid Azure Active Directory joined (technically they could also be Azure AD registered but that's generally only recommended for BYOD type scenarios). To hybrid Azure Active Directory join an existing WIndows endpoint, the endpoint must have connectivity to the on-prem domain. Alternatively, you could also Azure Active Directory join the Windows endpoints, however, there is no direct, automated path to do this for existing WIndows instances meaning that you would have to reset them -- this may or may not be desirable.

Co-management enables ConfigMgr and Intune to simultaneously manage a Windows endpoint. It is not required to enroll an endpoint in Intune, but if will be using ConfigMgr to perform the Intune enrollment, then the result is a co-managed endpoint. Given that you already have ConfigMgr in place, there's no reason to recommend not using co-management.

Thus, moving forward, you have one main initial decision to make: do you want to reset the existing endpoints or not? If not, then you will have to HAADJ them which requires connectivity. If you are OK with resetting them, then you should implement Autopilot which will automatically join the endpoints to AAD and Intune enroll them and then add the ConfigMgr agent to them so that they are co-managed. Note that for new devices, you should be pursing this strategy anyway regardless of whether they are on-prem or not.

Excellent article, very helpful

Good article but I am a little confused when you stated Microsoft endpoint manager is the combination of SCCM and Intune, I currently have my lab setup without any sign of SCCM and I can still use Microsoft Endpoint Manager so not sure on this point

Microsoft Endpoint Manager (MEM) is an umbrella term or suite of products and services really. Intune and ConfigMgr are included in MEM as well as other services including Autopilot, Endpoint Analytics, Group Policy Analytics, and a few others. Thus, saying you "use MEM" is a bit ambiguous and could include one or all of these services, however, using "MEM" does not mean you must have all of these products and services in use or even implemented.

If you don't have ConfigMgr implemented, than some of this article is not applicable to you as co-management is about having both Intune *and* ConfigMgr implement and used to simultaneously manage your Windows endpoints. However, keep in mind that HAADJ and co-management are two different and distinct concepts as Herman calls out -- HAADJ is about device identity and co-management is about device management.

Great Blog - even here year(s) later!

Does HAADJ not work with Autopilot? Your chart above indicates provisioning happens exclusively with OSD and not Autopilot. Is that accurate?

Hi @windex,

What "works" is often what's different from what "works best" or what we recommend. That is the case here. Autopilot definitely works best with AADJ and it is what we strongly recommend customers adopt.

It feels like HAADJ is a necessity for us on account of the things you listed above, a) unmigrated Group Policies, b) legacy apps that use Windows-integrated or LDAP auth, and c) other time-consuming things like 802.1x, wifi, and PKI. Does Autopilot actually 'work' with HAADJ or do we need to abandon Autopilot until we resolve a/b/c?

Yes, it actually works and is fully supported. But, once again, working is not the same as being optimal or providing the best, most complete experience.

As for the unmigrated group policies, this is certainly a journey and not an overnight activity, but the sooner you get started, the sooner you'll be finished.

For legacy apps, use of integrated auth is seamlessly supported without issue or additional configuration on AADJ devices. The overwhelmingly vast majority apps fall into this category and the vast majority of orgs never have any issues with app authentication on AADJ devices.

Don't use the excuse that something is time consuming as a excuse not to do it. The world, and as a result what it takes to support businesses from an IT perspective, has drastically changed over the past five years and not changing with it because it takes time and effort is not a good reason at all. It will take you more time in the long run to try to wedge HAADJ and Autopilot into your existing solutions and process then moving to match our engineering effort and the reality of the modern world and workforce. Additionally, HAADJ will simply never meet the expectations of the modern workforce since that's not what it was ever designed for.

This is a fantastic article, even two years later.  I'm glad to see things like PKI pointed out in the comments, as when I've evaluated moves to embracing only AAD join, that is often one of the bigger roadblocks.  Reading the comments and helpful replies has been great, as it seems like there may be some other options in this area.  That is a subject I'd love to see it's own detailed post on quite frankly.  Something that goes into detail on deploying client certificates to support things like 802.1x with AAD joined PCs would be fantastic.  

But there is another area that I've always gotten a bit hung up on that I'm curious if you can comment on.  One of the benefits to having a device joined to a traditional AD DS domain is the ability to do secure dynamic DNS updates.  I'd imagine a number or organizations who would want to use AAD are also quite likely running a Windows Server DNS infrastructure.  What's the solution for users with an AAD joined device around DNS?  

In an enterprise there are so many applications attached to AD DS - However enthusiastic we get, I am not clear how AADJ will replace all of them. Untill once subscribe to full Microsoft vision, I am not sure traditional organization can do away with AD completely. 

PKI being the primary and I guess that can be solved with Intune certificate connector. Voice (PBX) System with softphone which identifies based on AD identity. Video conf equipment in the office are again tied to AD. I am sure if we rip and replace and get every conceivable product directly tracking to Azure AD, may be possible. 

Most importantly support: With personal experience the folks who write such fantastic and thorough articles are not in the field. What we get in the field are Fastrack team, which are so green - it is a joke. Their entire purpose is to push bing searched links. The folks interacting with us could not properly explain what's written in this article, short of assisting with deployment. Microsoft tech support esp. with Azure AD is.. let's not even waste energy. 

So overall, though AADJ makes sense, we consider atleast 3~4 year journey before it could culminate in fully getting away from AD DS. 

Hi @neurotoxic 

> In an enterprise there are so many applications attached to AD DS

This is not a technically accurate statement. The apps themselves almost always rely on the core Windows capabilities using built-in authentication libraries and functionality. The applications themselves are wholly ignorant of the exact details of how they contact the directory to request authentication or how to actually perform that auth, they simply pass the info to a built-in function and operate on the returned info. Nothing about AADJ changes this or upsets this functionality. The only difference with AADJ is that Windows needs a little bit of additional info to direct the authentication request to the on-prem domain as this is intrinsically known to an on-prem domain joined device. This little bit of additional info is provided by AAD Connect (see How SSO to on-premises resources works on Azure AD joined devices - Microsoft Entra | Microsoft Lear... for details).

If you have apps that make direct LDAP (or other direct to AD) queries, there's nothing specifically stopping them from being pointed to your on-prem AD. As eldued to above, AADJ does not in any way preclude the use of your on-prem AD or any other directory for that matter. The app simply needs to be able to be pointed to that directory. How each app handles that is an app specific implementation detail that we can't solve specifically and is something you need to engage with the app's vendor on. As noted above, Windows itself is doing this by using a hint provided to it using AAD Connect.

> So overall, though AADJ makes sense, we consider atleast 3~4 year journey before it could culminate in fully getting away from AD DS. 

You'll get no argument or pushback from us on this. We fully acknowledge that this is not an overnight excercise and that this journey may take "many" years for some customers. But every journey starts with a single step (pick your favorite cliche that says the same thing).

As for support and knowledge, note that the author of this post works directly with some of the largest and most strategic Microsoft customers on a daily basis. The team we are on is dedicated to this (we are part of the product group) so we are in general more than just passingly knowledgable. I'm sorry your experience with other resources has not been up to your expectations. I suggest providing that feedback to those teams and using other resources at your disposal including discussing this with your Microsoft account team.

Finally, don't conflate moving to AADJ with getting rid of your on-prem AD. They are not the same thing and while that is a longer term aspiration for us, that is a follow-on step to moving to AADJ and not part of moving to AADJ.

Hi @Aaron Parker ,

I'm not sure if this gives the level of detail that you are looking for, but the official docs has documentation on deploying certs: Learn about the types of certificate that are supported by Microsoft Intune | Microsoft Learn. There are also a number of community guides floating around.

For secure dynamic DNS, can you discuss the bigger scenario here of why you want or need dynamic DNS in the first place particularly in a hybrid world? I'm not saying you don't necessarily, I just want to understand the bigger picture from your perspective and for the ask.

Thanks for the valuable article,

We are currently using Configuration Manager and looking into using Intune co-management. But when we installed Office, users have selected the option to "allow organization to manage my device" so we accidently ended up with thousands of devices registered in Intune (those are domain joined devices currently managed by Configuration Manager). Now when we want to enable co-management, we are looking for the proper way to cleanup Intune from those accidently registered devices, so we can enable Azure AD sync to bring on-premise domain devices into Intune properly and then enable co-management. What is the proper way to do? can we just delete those devices from Intune? we can't ask thousands of users to disconnect work/school account and I couldn't find a way to do that administratively on many computers? Thanks 

As long as the user that registered the device is the same as the one that logs into the device to complete the HAADJ process, the objects will automatically get cleaned up by Windows. See https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-d...

Thank you for pointing me in the right direction, much appreciated.

This article can help you to understand to process flow :
https://campbell.scot/hybrid-azure-ad-join-intune-enrollment-prerequisites-checklist-and-process-flo...

Hybrid Azure AD still our options

Hi guys, this article and the comments are great. I'm a sysadmin and have been teaching myself Intune and Autopilot. It's perfect for any new laptops we get, now that we are on 365. There's no purpose for them to join our on prem domain. I've even got apps and policies setup, it's neat to see it all flow to a laptop after signing in with my 365 creds.

Desktops are a different story. Our current setup is that access to our network has to be authenticated with our domain. My net admin mentioned Palo may have something to interact with AAD but we are looking into it. Is there a solution you know of where we can convert existing ADDS only PCs and put all new PCs on AAD and still have 802.1x security to our LAN? Also we have an on-prem print server with a ton of printers, how does this factor in?