You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: memdocs/azure-ad-joined-hybrid-azure-ad-joined.md
+24-14Lines changed: 24 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,13 +3,13 @@
3
3
4
4
title: Join your cloud native endpoints to Azure AD
5
5
titleSuffix: Microsoft Endpoint Manager
6
-
description: When moving to or using cloud native endpoints, use Azure AD joined endpoints. When you Azure AD join you endpoints, you can use Windows Autopilot to provision or get devices ready for organization use. Learn more about the benefits to IT admins and end-users.
6
+
description: When moving to or using cloud native endpoints, use Azure AD joined endpoints. When you Azure AD join your endpoints, you can use Windows Autopilot to provision or get devices ready for organization use. Learn more about the benefits to IT admins and end-users.
When moving to cloud native endpoints, you need to understand the differences between Azure AD joined and hybrid Azure AD joined devices.
37
+
Many critical and valuable services, including [Conditional Access](/azure/active-directory/conditional-access/overview) and [Azure AD single sign-on](/azure/active-directory/manage-apps/what-is-single-sign-on), require endpoints to have a cloud identity. For organization owned Windows endpoints, a cloud identity is created when the device is Azure AD joined or Hybrid Azure AD joined
38
38
39
-
To summarize:
39
+
When moving to cloud native endpoints, you need to understand the differences between Azure AD joined and hybrid Azure AD joined devices:
40
40
41
-
-**Azure AD joined** (AADJ): Device are joined to an Azure Active Directory (Azure AD). They're not joined to on-premises Azure AD.
41
+
-**Azure AD joined** (AADJ): Devices are joined to an Azure Active Directory (Azure AD). They're not joined to on-premises Azure AD.
42
42
43
43
For more specific information, see [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) (opens another Microsoft website).
44
44
45
-
-**Hybrid Azure AD joined** (HAADJ): Device are registered in Azure AD and joined to an on-premises AD domain.
45
+
-**Hybrid Azure AD joined** (HAADJ): Devices are registered in Azure AD and joined to an on-premises AD domain.
46
46
47
47
For more specific information, see [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (opens another Microsoft website).
48
48
49
49
This feature applies to:
50
50
51
51
- Windows cloud native endpoints
52
52
53
-
This article describes the differences between Azure AD joined and hybrid Azure AD joined devices. For an overview of cloud native endpoints, and their benefits, go to [What are cloud native endpoints?](cloud-native-endpoints-overview.md).
53
+
This article describes some of the differences between Azure AD joined and hybrid Azure AD joined devices. For an overview of cloud native endpoints, and their benefits, go to [What are cloud native endpoints?](cloud-native-endpoints-overview.md).
54
54
55
55
## Azure AD joined
56
56
@@ -60,7 +60,7 @@ The endpoint is joined to Azure AD. It's not joined to an on-premises AD domain.
60
60
61
61
To join Windows endpoints to Azure AD, you have some options:
62
62
63
-
-**Use [Windows Autopilot](/mem/autopilot/)**. Windows Autopilot guides users through the Windows Out of Box Experience (OOBE). When users enter their their work or school account, the endpoint joins Azure AD.
63
+
-**Use [Windows Autopilot](/mem/autopilot/)**. Windows Autopilot guides users through the Windows Out of Box Experience (OOBE). When users enter their work or school account, the endpoint joins Azure AD.
64
64
65
65
All devices registered with Windows Autopilot are automatically considered organization owned devices. Windows Autopilot is one of the most adopted approaches by organizations, big and small, to get their devices joined to Azure AD, and managed by IT.
66
66
@@ -117,17 +117,27 @@ For information on how to register your existing domain joined devices to Azure
117
117
-[Configure hybrid Azure AD join for managed domains](/azure/active-directory/devices/hybrid-azuread-join-managed-domains)
118
118
-[Configure hybrid Azure AD join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains)
119
119
120
-
For new, refurbished, or refreshed Windows devices, Microsoft recommends [Azure AD joined](#azure-ad-joined) (in this article).
121
-
122
120
## Which option is right for your organization
123
121
124
-
Many critical and valuable services require endpoints to have a cloud identity including [Conditional Access](/azure/active-directory/conditional-access/overview) and [AAD single sign-on](/azure/active-directory/manage-apps/what-is-single-sign-on). For corporate owned Windows endpoints, you achieve this by either hybrid AAD joining or AAD joining them. Thus, there should be no question of of whether your endpoints should have a cloud identity, but instead you should choose which, HAADJ or AADJ, is right for your endpoints. HAADJ and AADJ are not mutually exclusive, both can coexist in the same environment. However, HAADJ should not be your organization's end goal for its Windows endpoints and having both may increase the environment's complexity which may translate into additional support costs.
122
+
The right option depends on your environment, your endpoints, and your organization goals. When making this decision, you need to consider the future and long term impact.
123
+
124
+
Consider the following scenarios:
125
+
126
+
| Scenario | AADJ or HAADJ |
127
+
| --- | --- |
128
+
| You have new endpoints or can reset existing endpoints | ✔️ Azure AD join <br/><br/> If you have new, refurbished, or refreshed Windows devices, then Azure AD joined is recommended. Windows 10/11 has modern features built in to the OS, including modern management, modern authentication, and more. AADJ should be your default option for new and refurbished endpoints. <br/><br/> It's possible there will be blockers and challenges outside of Microsoft's control that can prevent your organization from fully adopting AADJ. There may also be unknown blockers that are specific to your organization and its configuration or expectations. These blockers can be technical or happen due to other, non-technical factors.<br/><br/>If you identify a potential blocker that's preventing you from using AADJ, then determine the scope, impact, and solution. The [High level planning guide to move to cloud native endpoints](cloud-native-endpoints-planning-guide.md) may help.<br/><br/>❌ Hybrid Azure AD join<br/><br/> You can use HAADJ for new endpoints, but it's typically not recommended. When joined using HAADJ, you might not get to use the modern features built into Windows 10/11. For example, you must use Group Policy Objects (GPO) to manage HAADJ endpoints, which can be complex, cumbersome, and possibly costly. |
129
+
| Endpoints can't be reset or reprovisioned | ❌ Azure AD join <br/><br/> Existing devices joined to an on-premises AD domain must be reset to become Azure AD joined. If they can't be reset, then AADJ isn't possible. <br/> <br/>✔️ Hybrid Azure AD join<br/> <br/>If you have existing endpoints that are joined to an on-premises AD domain, and can't be reset, then Hybrid Azure AD joined might be the easiest option for your organization. Devices get a cloud identity and can use cloud services that require a cloud identity. This option typically has minimal impact to end users. |
130
+
| You have new endpoints and have existing AD joined endpoints that can't be reset | ✔️ Azure AD join <br/><br/> AADJ should be your default option for new, refurbished, or refreshed Windows devices. <br/><br/> ✔️ Hybrid Azure AD join<br/> <br/> If you have existing endpoints that are joined to an on-premises AD domain, and can't be reset, then Hybrid Azure AD joined might be your only option. <br/> <br/> Hybrid Azure AD joined and Azure AD joined aren't mutually exclusive, and can coexist in the same environment. Having a mixed environment does increase complexity, maintenance tasks, and support costs. But, you can use HAADJ until those endpoints can be replaced or reset. Remember, Hybrid Azure AD joined shouldn't be your organization's end goal. |
131
+
| You want to be cloud-only, and remove dependency to on-premises | ✔️ Azure AD join <br/><br/> ❌ Hybrid Azure AD join<br/><br/> |
132
+
| You want to manage endpoints using MDM policies | ✔️ Azure AD join <br/><br/> Microsoft Intune, which is a 100% cloud solution, can manage Windows client devices. Intune has many built-in features and settings that can manage settings, control device features, help secure your endpoints, and more. <br/><br/>The [High level planning guide to move to cloud native endpoints: Intune features you should know](cloud-native-endpoints-planning-guide.md#intune-features-you-should-know) lists some of these features.<br/><br/>❌ Hybrid Azure AD join<br/><br/> On HAADJ endpoints, you must use group policies objects (GPO) to control policy settings. If you enable [co-management](/configmgr/comanage/overview.md) (Intune (cloud) + Configuration Manager (on-premises)), then you can use some Azure AD features, such as conditional access. <br/><br/>For some guidance, go to [Deployment guide: Setup or move to Microsoft Intune](/intune/fundamentals/deployment-guide-intune-setup.md). |
133
+
| You want to eliminate on-premises AD for authentication and sign-on | ✔️ Azure AD join <br/><br/> User identities are created and stored in Azure AD. Users can sign in to their endpoints from anywhere and at any time. If you use [passwordless authentication](/azure/active-directory/authentication/concept-authentication-passwordless), then users might not need internet access. <br/><br/>❌ Hybrid Azure AD join<br/><br/> HAADJ endpoints require a line-of-sight to the on-premises AD domain controller for initial sign-in and to change passwords. If the domain is down, or there isn't any internet access, then users can't sign in to their endpoints. |
134
+
| You need to access on-premises resources | ✔️ Azure AD join <br/><br/> AADJ endpoints can access on-premises resources, and can use single sign-on. For more specific information, go to [Cloud native endpoints and on-premises resources](cloud-native-endpoints-on-premises.md).<br/><br/>✔️ Hybrid Azure AD join<br/><br/> |
135
+
125
136
126
-
For existing endpoints that cannot be reset or reposivioned, enabling HAADJ is generally the path of least resistance for most organizations. This allows these devices to have a cloud identity and to use cloud services that require a cloud identity without initial impact to end-users or the organization.
137
+
Search: HAADJ vs AADJ
127
138
128
-
For newly provisioned Windows endpoints, you should strongly consider only using AADJ whenever possible. Choosing HAADJ for newly provisioned devices leads to additional envrionmental complexity and costs because of this complexity. There are some known blockers and challeneges outside of Microsoft's control that may prevent your organization from fully adopting AADJ for newly provisioned Windows endpoints. There may also be unknown blockers that are specific to your organization and its configuration or expectations. Note that these blockers may be technical in nature or they mat arise due to other, non-technical factors.
In general, AADJ should be the default choice for organizations for newly provisioned Windows endpoints and HAADJ should only be considered when an identified and impactful blocker is discovered. Because HAADJ should not be the goal for any Windows endpoints in an envrionment, simple identification of the blocker should be the beginning of an investigation and not the end. Once identified, your organization can determine the scope of the impact and paths to overcoming these blockers which may vary between organizations and will be based on the nature of the blocker.
Copy file name to clipboardExpand all lines: memdocs/cloud-native-endpoints-planning-guide.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,7 +9,7 @@ author: MandiOhlinger
9
9
10
10
ms.author: mandia
11
11
manager: dougeby
12
-
ms.date: 05/03/2022
12
+
ms.date: 05/19/2022
13
13
ms.topic: conceptual
14
14
ms.service: mem
15
15
ms.subservice: fundamentals
@@ -451,7 +451,7 @@ Intune also has built-in features that can help you configure your cloud native
451
451
452
452
For more information, go to [Group Policy Analytics in Endpoint Manager](/mem/intune/configuration/group-policy-analytics).
453
453
454
-
-**[Settings catalog](/mem/intune/configuration/settings-catalog)**: See all the settings available in Intune, and create, configure, & deploy a policy using these settings. If you create GPOs, then the settings catalog is a natural transition to cloud native endpoint configuration.
454
+
-**[Settings catalog](/mem/intune/configuration/settings-catalog)**: See all the settings available in Intune, and create, configure, & deploy a policy using these settings. [Tasks you can complete using the Settings Catalog in Intune](/intune/configuration/settings-catalog-common-features.md) may also be a good resource. If you create GPOs, then the settings catalog is a natural transition to cloud native endpoint configuration.
455
455
456
456
When combined with [Group Policy Analytics](/mem/intune/configuration/group-policy-analytics), you can deploy the policies you used on-premises to your cloud native endpoints.
0 commit comments