Jump into modern managed devices with Azure AD Join
Event details
We know many of you want to go modern and unlock capabilities like Windows Autopilot, but you likely still need to access some legacy on-premises resources. Is Hybrid Azure AD Join the only route? No, but it is your friend! Learn how to leverage Azure AD Join to reach on-premises resources, so you get the full modern experience of a “born in the cloud” Azure AD joined device while still accessing on-prem resources. Once a device is Azure AD joined from day one, you can take full advantage of Windows Autopilot, reporting into Microsoft Intune for Endpoint analytics, or even patching via Windows Autopatch.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
30 Comments
- Heather_Poulsen
Community Manager
Links referenced in this session:
- https://learn.microsoft.com/azure/active-directory/devices/
- https://learn.microsoft.com/azure/active-directory/devices/azuread-join-sso
- https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering
- https://learn.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token
- Kurt-MI
Copper Contributor
How do we access the four links in the video?
- MrsKellyC
Microsoft
Here you go -
Azure AD device identity documentation
https://learn.microsoft.com/en-us/azure/active-directory/devices/
How SSO to on-premises resources works on Azure AD joined devices
https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
Azure AD Connect sync: Configure filtering
Primary Refresh Token (PRT) and Azure AD
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
- Brandon_Emlinger
Copper Contributor
Are there any plans to be able to manage a server in AAD? Ex: We are in the process of migrating our devices to AAD only (even though we have a hybrid AAD environment). How can I secure a file server WITHOUT needing to join the device to the local AD domain? We are using Azure Active Directory Connect for SSO to access the file server shares, but found I need the local domain policies to manage the server. So the workstations are only AAD joined, but the file server is Hybrid AAD joined.
- DaveD-MS-CETS
Microsoft
Hi Brandon,
Windows Admin Center is a browser based tool set that enables you to manage Windows servers with no Azure or cloud dependency. You can install the gateway on a Windows server or domain joined Windows 10, then connect from Edge or Chrome browser. Windows Admin Center Overview | Microsoft Learn
- Heather_Poulsen
Community Manager
We’ll continue to answer questions here in the chat for the rest of the half hour and we’ll check back throughout the week. For bonus content, make sure to check out our Technical Takeoff Demo Channel!
We’re happy you’re here with us at the Microsoft Technical Takeoff! Whether you are attending one session or many, please take this 2-minute survey and let us know your thoughts on this event.
- JasonHartman
Copper Contributor
Curious what methods people are using to deploy shortcuts/drive maps in this AADJ scenario. There is a website out there on GitHub that will create a PowerShell script that you push via Intune that creates a scheduled task that maps the drives. Would be nice if there was a shortcut / drive-mapping setting right in Intune to make that easier. How are you all handling this?
- Joe_Lurie
Microsoft
Ultimately, because you now have the ability to import custom ADMX files into Settings Catalog, Rudy's script is perfect for this scenario. Following up on Erin's answer as well, this is the ultimate goal - move your shares to SharePoint Online. Understandably, this won't be done overnight, so you can use Rudy's (he's an Intune MVP) blog to accomplish this in the meantime.
- ErinDay
Brass Contributor
SharePoint Online has had its own challenges. People want their 'S' drive and 'H' drives!!!! Access and security management is no longer centralized. Covid accelerated some of these technologies with little to no proper planning. We're still trying to clean up this mess. It was essentially a company-wide pilot!
- HeyHey16KIron Contributor
Still using Group Policy for Drive Maps etc. as we are HAADJ, while company data migrates to OD/SP/etc. For Start Menu shortcuts we deploy an Intune web link app.
Something like this? Just upload the ADMX into Intune and define it? https://call4cloud.nl/2021/03/willy-wonka-and-the-drive-letter-factory/
- HeyHey16K
Iron Contributor
We looked at this as well but it only allows flat drive mapping (i.e. drive letter A can only point to one file path), so if that's all you need this could work. In our environment we map different drive letters to different paths depending on security group membership, which this doesn't seem to be able to do 😞
- Anthony9394
Copper Contributor
We have processes that run as SYSTEM (such as services) that need to access a file share. It works for HAADJ because we grant the AD computer account access to the share, but for AADJ there is no way to grant access. What would be the "work around"?
- DaveD-MS-CETS
Microsoft
Hi Anthony, apps running on the AADJ device can authenticate as users, but must use the implicit UPN or NT4-type syntax with the domain FQDN as the domain part, e.g. user@contoso.corp.com or contoso.corp.com\user.
Apps and resources using Active Directory machine based authentication don't work because the AADJ devices don't have a computer object in AD.
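The two points raised in this thread (mapping drives on an AADJ device via an Intune-pushed script, and accessing a share from a process that is not the interactive user) are shown together in the PowerShell below. This is an added example, not code from the session, from Rudy's blog, or from any commenter. It assumes a hypothetical file server `fs01.contoso.corp.com` and share names, that the mapping function runs in the signed-in user's context (in Intune, set "Run this script using the logged on credentials" to Yes) so the user's existing ticket for the on-prem domain is used, and that a non-user caller obtains its user credential from a secret store rather than a prompt.

```powershell
# Added example (not the session's or any commenter's code). Hostnames, shares and
# drive letters are constructed for illustration.

function Set-MappedDrive {
    # Maps one drive letter to a UNC path and returns $true on success.
    # The UNC path uses the domain FQDN so the correct on-prem realm is selected,
    # which is the same requirement the session states for user@contoso.corp.com.
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Z]$')][string]$Letter,
        [Parameter(Mandatory)][string]$UncPath,
        [System.Management.Automation.PSCredential]$Credential   # only for non-user callers
    )

    $existing = Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue
    if ($existing -and $existing.DisplayRoot -ne $UncPath) {
        # The letter is in use for a different path: drop the stale mapping first.
        Remove-PSDrive -Name $Letter -Force -ErrorAction SilentlyContinue
        $existing = $null
    }

    if (-not $existing) {
        $args = @{
            Name        = $Letter
            PSProvider  = 'FileSystem'
            Root        = $UncPath
            Persist     = $true      # visible in Explorer, survives the script ending
            Scope       = 'Global'   # required together with -Persist inside a script
            ErrorAction = 'Stop'
        }
        if ($Credential) { $args.Credential = $Credential }
        try {
            New-PSDrive @args | Out-Null
        } catch {
            Write-Warning "Mapping ${Letter}: to $UncPath failed: $($_.Exception.Message)"
            return $false
        }
    }

    # Verify the share actually answers before reporting success.
    return (Test-Path -Path "${Letter}:\")
}

# Case 1: interactive user (script pushed by Intune, running as the logged-on user).
# No credential is passed; the user's own ticket for contoso.corp.com is used.
$userDrives = @(
    @{ Letter = 'S'; UncPath = '\\fs01.contoso.corp.com\shared' }
    @{ Letter = 'H'; UncPath = "\\fs01.contoso.corp.com\home\$env:USERNAME" }
)
foreach ($d in $userDrives) {
    $ok = Set-MappedDrive -Letter $d.Letter -UncPath $d.UncPath
    Write-Output ("{0}: -> {1} : {2}" -f $d.Letter, $d.UncPath, $(if ($ok) { 'mapped' } else { 'FAILED' }))
}

# Case 2: a process that is not the user (e.g. a service running as SYSTEM).
# An AADJ device has no AD computer object, so the share must be opened as a user
# account, named in UPN form as the session describes. Get-Credential is used here
# only so the example runs interactively; a service would read the secret from a vault.
$svcCred = Get-Credential -UserName 'svc-share@contoso.corp.com' -Message 'Share access account'
$ok = Set-MappedDrive -Letter 'X' -UncPath '\\fs01.contoso.corp.com\data' -Credential $svcCred
Write-Output ("X: -> \\fs01.contoso.corp.com\data : {0}" -f $(if ($ok) { 'mapped' } else { 'FAILED' }))
```

The group-based mapping HeyHey16K asks for is a matter of choosing which entries go into `$userDrives`; the function itself is the same either way. Note that a drive mapped with an explicit credential belongs to the session that created it, so a SYSTEM service must perform the mapping itself rather than relying on one made for the interactive user.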
- SteveB_SC
Brass Contributor
Can you please post the links shown in the last slide?
- Marc_LafIron Contributor
Azure AD device identity documentation
https://learn.microsoft.com/en-us/azure/active-directory/devices/
How SSO to on-premises resources works on Azure AD joined devices
https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
Azure AD Connect sync: Configure filtering
Primary Refresh Token (PRT) and Azure AD
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
- Heather_Poulsen
Community Manager
Working on it!
- Marc_Laf
Iron Contributor
One issue we encountered with AAD Joined and on-prem resources was how AD management tools (ADUC, DNS) required manual specification of the domains or servers to manage and could not use the auto-discovery methods a domain-joined device could. Also, a bigger issue was that an AAD joined device was unable to manage on-prem certificate services successfully. Templates were inaccessible. Are there going to be any improvements in this regard or will we just need to use a hybrid join for these management tasks?
- wollewoldemar
Brass Contributor
Good topic regarding certs! How can we handle certs for device cert-based auth for WiFi?
- Dom73
Microsoft
Hi Marc and Viktor, for AAD Joined devices you can distribute certificates with Intune and NDES. You need to install a connector (the NDES connector) on an on-premises server and you'll be able to distribute certificates to devices. There's also an option to create and distribute a Wi-Fi configuration profile on those devices. Please review the links below for more information.
https://learn.microsoft.com/en-us/mem/intune/protect/certificate-connectors
https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-configure
- wollewoldemar
Brass Contributor
One point regarding Azure AD Connect: what about a global environment, where clients are spread across the world? The current architecture supports only one Azure AD Connect. Is there some plan to support multiple AD Connects so there are fewer hops until the TGT token is received?
- KevinMineweaser_MSFT
Microsoft
Hi Viktor,
You are correct that only one AD Connect is supported. As the on-prem AD servers continue to always replicate, there is only a need for one of them to run AD Connect for the latest updates to be synchronized. If you suspect performance issues, Azure Active Directory Connect Health for Sync can help to diagnose and remediate sync errors. Here's a link for your reference.
https://portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade
Hope this helps,
-Kevin
- gatewood502
Brass Contributor
Any advice on devices that are already Azure AD Registered and then an organization starts to do Hybrid Azure AD Join and the devices never merge in Azure AD?
- DaveD-MS-CETS
Microsoft
Hi Josh, Hybrid Azure AD troubleshooting is an area all its own; there are some great resources here to guide you through the HAADJ steps and identify which one is causing an issue: Troubleshoot hybrid Azure Active Directory-joined devices - Microsoft Entra | Microsoft Learn