Hybrid Join with Entra Domain Services

Question

Hybrid Join with Entra Domain Services

FoHe 5

Hi all, do you know if it is possible to do a hybrid join with entra domain services? There is no local AD DS and no Entra connect. (We want to stay with the Entra Domain Services, but also want to use intune to manage the clients) thanks Andreas

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2024-02-26T22:06:32.1966667+00:00

@FoHe
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

2 answers

Your answer

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2024-02-26T22:06:32.1966667+00:00

@FoHe
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Hi @FoHe

Thank you for posting your query on Q&A.

For your query, I understand that you would like to know is it possible to do a hybrid join with Entra Domain Services without a local AD DS and Entra Connect.

Hybrid join is a feature in Azure AD that allows you to have devices that are both joined to your on-premises Active Directory Domain Services (AD DS) and registered in Azure AD. This way, you can use both the on-premises and cloud-based tools and services to manage and secure your devices.

Entra Domain Services is a cloud-based domain service that provides domain join, group policy, and LDAP access to Azure VMs. It does not require a local AD DS or Azure AD Connect.

Intune is a cloud-based service that provides mobile device management, mobile application management, and PC management capabilities. It can manage devices that are joined to Azure AD or hybrid-joined to on-premises AD.

For hybrid join you need to have a local AD DS and Entra Connect to configure Microsoft Entra hybrid join. Without these components, you cannot sync your devices to Microsoft Entra ID and leverage the benefits of hybrid join. So, it is not possible to do a hybrid join with Entra Domain Services without a local AD DS and Entra Connect.
However, if you do not have the AD DS you can join the device to Microsoft Entra ID

I hope this information helps! please Feel free to ask any questions you may have.

Reference: https://learn.microsoft.com/en-us/entra/identity/domain-services/scenarios

https://learn.microsoft.com/en-us/entra/identity/devices/concept-hybrid-join

Thanks,

Akhilesh.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-02-26T04:19:44.3666667+00:00

Hi @FoHe
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-02-28T04:09:17.6966667+00:00

Hi @FoHe Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 2

Thameur-BOURBITA 36,261 Moderator

Hi @FoHe

If you don’t have a onpremise domain, you can join Windows computer to AZure AD via Azure AD feature to be managed by intune :

User's image

Fore more details you can refer to :

https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973

The hybride join configuration is used when you have a hybrid envirement that means an on-premise domain synced to Entra ID through Entra Connect. You don’t need to use this configuration to join computer to Azure because you don’t have a onpremise domain.

Please don’t forget to accept helpful answer

FoHe 5 Reputation points

2024-02-23T09:51:33.57+00:00

Hi, thank for your answer, if i understood correct, it is not possible to hybrid join devices which are to the entra domain services?
Thameur-BOURBITA 36,261 Reputation points Moderator

2024-02-23T14:27:40.22+00:00

Hi @FoHe

No it's not possible because we can talk about hybrid join only when you have devices joined to on-premise domain and synced to Entra ID through Entra Connect server.

Please don't forget to accept helpful answer
Tony Reynolds 0 Reputation points

2025-06-10T14:28:23.4533333+00:00

If your host is joined to an Entra DS domain, you don't get the option to "Join this device to Azure Active Directory". Without hybrid join, a host can only be 'joined' or 'connected' to a single domain service at a time. As far as I can tell, you CAN NOT join your host to an Entra ID if it is already connected to an Entra ID Domain Service. This is completely idiotic of Microsoft. We only have an Entra DS domain because Microsoft, in another idiotic move, didn't enable kerberos or an alternate authentication/encryption method for connecting to a file share in Azure Storage and assigning permissions to files and folders via groups, as we have always done on-prem. So you need Entra DS in order to access file shares, but if you do that, then you don't get to join Entra ID and gain access to Intune. Its one or the other. Really stupid move, Microsoft.

Share via

Hybrid Join with Entra Domain Services

2 answers

Your answer