SOLVED

Intune Connector

Iron Contributor

Do we need Intune Azure Connector installed if we already have an Azure AD connector? This is for Hybrid environment? 

 

26 Replies
best response confirmed by oryxway (Iron Contributor)
Solution

That's for joining devices to your Active Directory and Azure AD. Azure AD Connect is for synchronizing users/groups to Azure AD.

Description of the Intune Connector:
"The Intune Connector for your Active Directory creates autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain."

https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid

Thanks Harm. But, I see in the Tenant Administration under Microsoft Endpoint Management admin center, I click on Tenant Status it shows Healthy under Connector Status.

Status Connector
Healthy Windows AutoPilot last Sync date todays date and time

This means does it have a Intune Connector installed somewhere or is it from the AD Connector health status?

Another quick question.

Now, let us say we want to do AutoPilot new devices and onboard these devices to Azure AD instead of OnPrem since at one point we may have to move out of OnPrem, then in that case would it be best to directly onboard it to Azure AD and not to OnPrem AD Devices OU?
No problem.. Does the connector show here? https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/DomainJoinConnectorsBlade

And correct, use the normal Autopilot Deployment profile to join the device to Azure AD only during deployment.
Harm, I was going through a video and they say that the Azure AD Connect does both the user group and devices sync. So, how come this is different you are saying? I am not following.

@Harm_Veenstra 

oryxway_0-1657749515489.png

 

So, we have to install this by clicking on Add and this needs to be done on the WIN2016 server?

Ok :) Azure AD Connect syncs users, groups and devices from Active Directory to Azure AD. It can also sync devices from Azure AD back to Active Directory and even groups now. But... That's just that, has nothing to do with Intune. The Intune connector is only for autopilot enrolling devices and joining them to Active Directory and Azure AD aduring that proces. Normally the device would only join Azure AD during autopilot deployment.

Again, you only need to install and use the Intune connector when you want to join a new device during autopilot to both Azure AD and Active Directory. (It's a connector and not a sync tool)

No, you don't need to install it if you don't use Hybrid join
And this has to be installed on separate server and not on the AD Connect server?
If you want your devices to be hybrid joined, then you can install it. But your question was: "Now, let us say we want to do AutoPilot new devices and onboard these devices to Azure AD instead of OnPrem since at one point we may have to move out of OnPrem, then in that case would it be best to directly onboard it to Azure AD and not to OnPrem AD Devices OU?"

Yes, in that case don't use hybrid join and then you will not need to install the connector.

So, if they are not Hybrid Joined and we have onPrem GPOs etc... that needs to be applied to these devices, will those be applied to those devices?

No, they will not be applied to the devices since they are not joined to Active Directory. You need to replace your GPOs for Configuration Profiles if they are only joined to Azure AD and enrolled to Intune. You can see if your settings from your GPOs are compatible by using https://docs.microsoft.com/en-us/mem/intune/configuration/group-policy-analytics.
Thank you that makes sense and I had to ask this question to my manager since at one point they have to move away from OnPrem to Azure AD. So, a guy in his Nugget Video said that Azure AD connect is sufficient for DEVICES and Groups to be synced, is this still holds true?
That is true, that's the thing that Azure AD Connect is for. The main thing is that it syncs stuff from your on-prem Active Directory to Azure AD, but the source of identity is always Active Directory and changes to users and groups have to be made there. It does sync devices to Azure AD, but that doesn't do anything really. But when you use device-writeback (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback), it does sync/merge Azure AD device with Active Directory devices in a hybrid-join scenario. I wouldn't recommend using hybrid-join unless you have a very good reason for it, people use it for GPOs and file-server access. But with Azure AD only devices you can still access file-servers (https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso)

hybrid-join is complex and if you are moving away from Active Directory, enroll new devices using Azure AD only and connect file-servers if you really need to using the article above. (Best would be to move user data to Teams sites and OneDrive in my opinion)
Thank you Thank you. You were of great help. Yes, I would think that would be the correct way to go, but I need to find out.
Again something popped out. So, if we take the route to go Azure AD joined Autopilot deployment, do we still need the Intune Connector? As it is only for Hybrid Azure AD? So, if it is directly joining Azure AD, How will the new devices detect the domain and join in Azure AD?
No, then you don't need the intune connector and correct. Only for hybrid join. New devices will join Azure AD because of the Autopilot profile. There are good how to videos on YouTube and Microsoft Learn covers these topics
Another question in regard to devices being shipped to customers directly. Will Dell or HP send us the hardware hash or will they be able to add it to our Intune portal? How would they do it? Should we provide them access?
It depends on your contract with them or your reseller, some can upload directly and some will send a CSV file which you can import. Please check if they can install the machines using 'enterprise' images. enterprise meaning not the version but a clean Windows install without any bloatware.
Thank you, Harm. That was great info. Now, coming to creating Groups. It says create a device Group in endpoint manager. Now, do we have to create a group in our On Prem AD for devices since this is going to be an On Prem domain join of all devices? From what I see how this project is going, they want to have this up and running soon since we need to ship the devices, so I do not foresee that they are going to take the time to plan to do all AZURE AD joined devices. Since that needs a lot of planning.
1 best response

Accepted Solutions
best response confirmed by oryxway (Iron Contributor)
Solution

That's for joining devices to your Active Directory and Azure AD. Azure AD Connect is for synchronizing users/groups to Azure AD.

Description of the Intune Connector:
"The Intune Connector for your Active Directory creates autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain."

https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid

View solution in original post