Remove dependency from on-premises AD

Question

Remove dependency from on-premises AD

Jan Nuaman 426

Hi All,

My Question is more advisory, Idk if someone can help me out.

One of our customers, replicated all users to Azure AD using Azure AD connect, and he is looking to remove the dependency from on-premises AD and Azure AD Connect.

Customer is using AVD and Autopilot for his users.

Is this is something possible to do? or its just imaginary?

Is there any Guide from Microsoft to achieve this job?

ShashiShailaj-MSFT 7,436 Reputation points Microsoft Employee

2022-02-02T19:12:53.96+00:00
@JanNuaman-2253 , As I understand , your client is probably wanting to deprovision the on-prem environment completely . If you are using AVD (classic ) then its not integrated with Azure so you would first require to migrate to current version of Azure Virtual Desktop which is tightly integrated with Azure.This may be possible but there are many different implications for the same. The customer would need to make sure all their devices are Azure AD joined only . If you are using on-premise , your devices may be Hybrid Azure AD joined which you may have to unjoin and join to azure AD again . If you only have few users and small number of devices , it may be possible as per what I have researched on this but there are some known limitations for using Azure AD joined VM only and it will come with complex migration procedures which would be different for different environment .

Azure Virtual Desktop (classic) doesn't support Azure AD-joined VMs.

Azure AD-joined VMs don't currently support external users and only supports local user profiles at this time.

Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach. You'll need Kerberos auth to access either of these features which needs a line of sight domain controller.

Azure Virtual Desktop doesn't currently support single sign-on for Azure AD-joined VMs.
ShashiShailaj-MSFT 7,436 Reputation points Microsoft Employee

2022-02-02T19:17:28.43+00:00

@JanNuaman-2253 As autopilot i think there should not be any issue as we have Azure AD join available for the devices in this case. As long as you don't have any requirement for accessing any application which only supports legacy authentication methods like kerberos , NTLM you should be good.

ShashiShailaj-MSFT 7,436 Reputation points Microsoft Employee

2022-02-02T19:12:53.96+00:00

@JanNuaman-2253 , As I understand , your client is probably wanting to deprovision the on-prem environment completely . If you are using AVD (classic ) then its not integrated with Azure so you would first require to migrate to current version of Azure Virtual Desktop which is tightly integrated with Azure.This may be possible but there are many different implications for the same. The customer would need to make sure all their devices are Azure AD joined only . If you are using on-premise , your devices may be Hybrid Azure AD joined which you may have to unjoin and join to azure AD again . If you only have few users and small number of devices , it may be possible as per what I have researched on this but there are some known limitations for using Azure AD joined VM only and it will come with complex migration procedures which would be different for different environment .

Azure Virtual Desktop (classic) doesn't support Azure AD-joined VMs.

Azure AD-joined VMs don't currently support external users and only supports local user profiles at this time.

Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach. You'll need Kerberos auth to access either of these features which needs a line of sight domain controller.

Azure Virtual Desktop doesn't currently support single sign-on for Azure AD-joined VMs.
ShashiShailaj-MSFT 7,436 Reputation points Microsoft Employee

2022-02-02T19:17:28.43+00:00

@JanNuaman-2253 As autopilot i think there should not be any issue as we have Azure AD join available for the devices in this case. As long as you don't have any requirement for accessing any application which only supports legacy authentication methods like kerberos , NTLM you should be good.

Remove dependency from on-premises AD

Activity