Convert from Azure Registered to Hybrid AD Join with ADFS


Dear all,

In my environment, I am using ADFS on Windows Server 2019.

I would like to apply the process to convert Azure AD Registered computers to the Hybrid Azure AD Joined state using the AD Connect server.

My question is:

Even though I have ADFS working in my domain, could I use Azure Active Directory as the authentication service instead of my on-prem ADFS (during the process in AD Connect to Hybrid Azure AD join computers)?

Many thanks

3 Replies

Hi @samppp

I think you're asking two questions. The first one is converting Azure AD Registered devices to Hybrid Azure AD Joined. The second one is authenticating to Azure AD instead of the ADFS farm.

Question 1 - You need to use GPO if the devices are joined to the domain. If not joined, you need to manually enroll them.

https://cloudbymoe.com/f/enrolling-workstations-to-intune-using-gpo

Question 2 - You need to change the setting in your AD Connect to select a different sign-in method like Password Sync, Pass-through or Seamless Single Sign-On. Here is a great post I used back in the day to move away from ADFS.
https://www.core.co.uk/blog/blog/replace-adfs-seamless-sign-on?hs_amp=true

Hope this helps!

Moe

@samppp

Configure Device Writeback in AD Connect and sync the OUs with machines, per Configure hybrid Azure Active Directory join for managed domains.

According to MSFT, such devices will convert from Azure AD Registered to Hybrid Azure AD Joined and in most cases will clean up the old record. It may take a while for all devices to process, though. See: Plan hybrid Azure Active Directory join - Azure Active Directory.

Regarding Q2 and @Moe_Kinani's response, yes, changing AD Connect would move away from ADFS, but just be aware it'd change the auth flow of the tenant. You could still use ADFS for other federated Relying Parties if needed; just the Office 365 integration would change over to Azure AD auth.

Please like and mark this thread as answered if it's helpful, thanks!
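As an added example (not code from any of the posts above, nor from Microsoft), the script below shows how to check where a given workstation actually stands before and after the AD Connect OU sync described in the replies: it parses `dsregcmd /status`, classifies the device as domain-joined only, hybrid Azure AD joined, Azure AD registered, or in the "dual state" (domain joined and still Azure AD registered) that Microsoft's hybrid join planning guide says should be cleaned up, and offers a `-WhatIf`-guarded cleanup. The `BlockAADWorkplaceJoin` policy value and `dsregcmd /leave` are taken from that guide; the status output embedded below is constructed for the example, not captured from a real machine, and the live path is the commented `dsregcmd.exe /status` call.

```powershell
# Added example, not code from the thread or from Microsoft: classify a Windows
# device's join state from `dsregcmd /status` output and flag the "dual state"
# (domain joined AND Azure AD registered) that should be cleaned up before the
# device is hybrid Azure AD joined via AD Connect OU sync and the GPO/scheduled task.

function ConvertFrom-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    param([Parameter(Mandatory)][string[]]$StatusText)
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|DeviceId|DomainName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinClass {
    # Map the three YES/NO flags to the device states Microsoft documents.
    param([Parameter(Mandatory)][hashtable]$State)
    $aad = $State['AzureAdJoined']   -eq 'YES'
    $dom = $State['DomainJoined']    -eq 'YES'
    $wpj = $State['WorkplaceJoined'] -eq 'YES'
    if ($dom -and $wpj) { return 'DualState' }           # domain joined + Azure AD registered: clean up
    if ($dom -and $aad) { return 'HybridAzureADJoined' }
    if ($dom)           { return 'DomainJoinedOnly' }    # waiting for hybrid join to complete
    if ($aad)           { return 'AzureADJoined' }
    if ($wpj)           { return 'AzureADRegistered' }   # not domain joined: needs manual enrollment
    return 'NotJoined'
}

function Invoke-DualStateCleanup {
    # Remove the Azure AD registered state and block it from coming back.
    # Run elevated on the device itself; -WhatIf only reports what would happen.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if ($PSCmdlet.ShouldProcess($policyKey, 'Set BlockAADWorkplaceJoin=1')) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name 'BlockAADWorkplaceJoin' -Value 1 -PropertyType DWord -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('dsregcmd.exe', '/leave (remove Azure AD registered state)')) {
        & dsregcmd.exe /leave
    }
}

# --- Usage -------------------------------------------------------------------
# Live: $status = & dsregcmd.exe /status
# Here a constructed (not captured) sample stands in for the live output:
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -StatusText $sample
$class = Get-DeviceJoinClass -State $state
"$env:COMPUTERNAME (domain $($state['DomainName'])): $class"

switch ($class) {
    'DualState'         { Invoke-DualStateCleanup -WhatIf }   # drop -WhatIf to act
    'AzureADRegistered' { 'Not domain joined: join the domain (or enroll manually) first.' }
    'DomainJoinedOnly'  { 'Domain joined; verify the OU is in AD Connect sync scope and wait for the next sync.' }
    default             { 'No action needed.' }
}
```

With the constructed sample the device is classified as DualState, so the cleanup runs in `-WhatIf` mode and only prints the registry write and the `dsregcmd /leave` it would perform. Run it against live `dsregcmd /status` output on a few pilot machines before and after the sync to confirm they end up as HybridAzureADJoined rather than lingering in the registered state.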

 

@Kurt Mayer

Thanks Kurt for your reply, very helpful for me because I am a beginner.

My first goal is to convert all of the company's computers to Hybrid Azure AD Join.

We also have a future goal to get rid of ADFS, so that's why I'm wondering if, instead of choosing our ADFS, I could choose Azure AD as the authentication service:

(screenshot attached: samppp_0-1667380945882.png)

Any idea?

Many thanks for your help again,