Windows 10: "Hybrid Join" vs "Azure AD Workplace Join"

James Chan_110 450 Reputation points
2023-12-25T03:03:57.1766667+00:00

Hi All,

Let's say my company has 1) a classic Active Directory domain architecture and 2) a classic computer system architecture, i.e. including NAS/SAN storage, backup server, tape library, application server, firewall, etc.

And we are deciding to set up "Hybrid Join" or "Azure AD Workplace Join".

My questions are:

1) What are the advantages and disadvantages of "Hybrid Join" versus "Azure AD Workplace Join"?

2) Please specify which one will affect the user's access to internal resources or other resources (e.g., if "Azure AD Workplace Join" is selected, will it affect the user's access to NAS storage? Because we are using AD authentication for the NAS.)

Thanks.


2 answers

  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2023-12-26T01:35:30.8+00:00

    @James Chan_110, thanks for posting in Q&A. Based on my research, Azure AD Workplace Join is an older method of joining devices to Azure AD, while Hybrid Join is a newer and more feature-rich method. Hybrid Join is recommended for organizations with existing on-premises Active Directory domains. If you have new, refurbished, or refreshed Windows devices that you're provisioning and enrolling, then Azure AD join is recommended. Azure AD join is the default option for new and reset endpoints. If you have existing endpoints that are joined to an on-premises AD domain, including hybrid Azure AD joined, then hybrid Azure AD join is recommended. Devices get a cloud identity and can use cloud services that require a cloud identity.

    Regarding access to internal resources, both Azure AD Workplace Join and Hybrid Join can be used to access on-premises resources. Azure AD Workplace Join can be used to access on-premises resources, but it is recommended to use Hybrid Join for organizations with existing on-premises Active Directory domains. Hybrid Join endpoints require a line-of-sight to the on-premises AD domain controller for initial sign-in and to change passwords. If the domain is down or is unavailable, then users could be blocked from signing in to their endpoints.

    Hope the above information can help.



    2 people found this answer helpful.

  2. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2023-12-26T07:51:27.96+00:00

    @James Chan_110

    Thank you for posting your query on Microsoft Q&A. I agree with the above suggestion by Crystal-MSFT, and adding onto that I would like to share the scenario-based differences between both types of identities:

    Use Microsoft Entra hybrid joined devices if:

    • You support down-level devices running Windows 8.1, Windows Server 2008/R2, 2012/R2, 2016.
    • You want to continue to use Group Policy to manage device configuration.
    • You want to continue to use existing imaging solutions to deploy and configure devices.
    • You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.

    Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Microsoft Entra ID by implementing Microsoft Entra hybrid joined devices. These devices are joined to your on-premises Active Directory and registered with Microsoft Entra ID.

    Microsoft Entra registered/Workplace joined devices:

    The goal of Microsoft Entra registered - also known as Workplace joined - devices is to provide your users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization’s resources using a personal device.

    A user in your organization wants to access your benefits enrollment tool from their home PC. Your organization requires that anyone accessing this tool does so from an Intune compliant device. The user registers their home PC with Microsoft Entra ID and enrolls the device in Intune; then the required Intune policies are enforced, giving the user access to their resources.

    Another user wants to access their organizational email on their personal Android phone that has been rooted. Your company requires a compliant device and has created an Intune compliance policy to block any rooted devices. The employee is stopped from accessing organizational resources on this device.



    Thanks,

    Akshay Kaushik

    1 person found this answer helpful.
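Both answers above distinguish the join states by their flags (on-premises domain joined, Entra joined, Entra registered / Workplace joined) and the first answer notes that hybrid joined endpoints need line of sight to a domain controller. The PowerShell below is an added example, not code from the thread or from Microsoft: it parses the output of the built-in `dsregcmd /status` into a hashtable, classifies the device the way the answers describe, and checks whether a domain controller can be located. The function names, `$SampleDsregOutput` (a constructed sample of `dsregcmd` output, trimmed to the relevant rows) and the classification labels are the example's own.

```powershell
# Added example (not part of the original thread). Assumes a Windows host with
# dsregcmd.exe available; the sample output below is constructed so the parsing
# and classification can be run without a domain-joined machine.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "Key : Value" rows under section headers such as
    # "| Device State |". Header and border lines have no colon and are skipped.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinType {
    param([Parameter(Mandatory)][hashtable]$State)
    # Labels are the example's own; the flag names are the ones dsregcmd prints.
    $domain    = $State['DomainJoined']    -eq 'YES'   # has an on-premises AD computer account
    $entra     = $State['AzureAdJoined']   -eq 'YES'   # device identity in Microsoft Entra ID
    $workplace = $State['WorkplaceJoined'] -eq 'YES'   # per-user Entra registration (Workplace Join)

    if ($domain -and $entra) { return 'Microsoft Entra hybrid joined' }
    if ($entra)              { return 'Microsoft Entra joined (cloud only)' }
    if ($domain -and $workplace) { return 'On-premises domain joined with a separate Entra registration (not hybrid joined)' }
    if ($workplace)          { return 'Microsoft Entra registered (Workplace joined)' }
    if ($domain)             { return 'On-premises domain joined only' }
    return 'Not joined or registered'
}

function Test-DomainControllerLineOfSight {
    # Returns the name of the DC the machine locates, or $null when the host is
    # not domain joined or no DC is reachable (the "line of sight" case above).
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        return $domain.FindDomainController().Name
    } catch {
        return $null
    }
}

# Constructed sample of dsregcmd /status output for a hybrid joined device.
$SampleDsregOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $SampleDsregOutput
"Sample device: $(Get-JoinType -State $state); Primary Refresh Token present: $($state['AzureAdPrt'])"

# On a real machine, feed the live output instead and check DC reachability:
#   $state = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
#   "Join type: $(Get-JoinType -State $state)"
#   $dc = Test-DomainControllerLineOfSight
#   if ($dc) { "Domain controller located: $dc" } else { "No domain controller reachable" }
```

For the NAS question in the original post, the flag to watch is `DomainJoined`: a hybrid joined device keeps its Active Directory computer account, so Kerberos authentication to an AD-integrated NAS continues to work as it did before the hybrid join, whereas a device that is only Entra registered has no AD computer account. `AzureAdPrt : NO` on a device that reports as joined means the signed-in user has not obtained a Primary Refresh Token, so cloud single sign-on and device-based Conditional Access will not work for that session even though the device itself is registered.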
