hybrid azure ad join - cannot join intune

Elroy1986 1

currently, my company uses Azure virtual desktop and machines are azure ad joined. we have no local servers so never had the need for local ad or file servers. we are in the process of trialling a ZTNA solution that allows local access to azure resources i.e. network drives. using the solution, we have managed to get devices hybrid joined. the process involved disconnecting the device from azure ad then joining local ad (DCs in azure). this seems to work, dsregcmd doesn't return any errors and the devices show up in active directory and azure ad. the problem is that the old device still appears in intune and has a different device ID. I've had to delete the device but the new device doesn't get joined back to intune. any ideas?

Crystal-MSFT 42,956 Reputation points Microsoft Vendor

2022-02-07T05:37:25.407+00:00

@Elroy1986 , Hope things are going well. I am writing to see if the following suggestions can help. if there's anything else we can help, feel free to let us know.

3 answers

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2022-01-31T09:29:44.047+00:00

@Elroy1986 If any of the solution you are implementing needs the device to be removed from Intune and then perform something on the device, it is advised to remove the Device from Intune first and then perform other steps.

Otherwise it creates Stale Entry and any attempt to perform another enrollment for same device will cause new entries and there is no way of the device knowing that it has to join with some other entry.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Jason Sandys 31,151 Reputation points Microsoft Employee

2022-01-31T19:47:05.07+00:00

we have managed to get devices hybrid joined

Why are you doing this? If you have nothing on-prem, hybrid joining them makes no sense (even if you did have anything on-prem, this probably doesn't make sense either).
Please sign in to rate this answer.
Crystal-MSFT 42,956 Reputation points Microsoft Vendor

2022-02-01T02:34:28.673+00:00

@Elroy1986 , Agree with Jason, If there's no need for local AD, we can consider deploying Azure AD join VM and enroll with Intune. Here is link for the reference:
https://learn.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm#deploy-azure-ad-joined-vms

As a note: managing Azure Virtual Desktop session hosts using Microsoft Endpoint Manager (Intune) is currently only supported in the Azure Public cloud..

Hope it can help.

Yonathan Grunewald 1 Reputation point

2022-07-13T16:38:16.783+00:00

Hello Jason,
We have a use case where it does make sense to want to hybrid join avid machines that are also adds joined.
If we want to enjoy seamless SSO with azure & office services, enroll the wvd to intune, while enjoying the benefits of ADDS like Kerberos and legacy protocols for on-prem connectivity.

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-07-13T17:07:27.59+00:00

Authentication to ADDS and SSO works fine for AADJ Windows endpoints so that's not a valid conclusion: https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso

Yonathan Grunewald 1 Reputation point

2022-07-13T17:15:48.053+00:00

We started with AADJ machine but couldn’t join them to the adds. We then later read that if a machine is AADJ it cannot join an adds domain. But I may be wrong.
We want to have AVD workstations that allow connectivity to on-prem resources with Kerberos etc but without having a DC vm with line of site to our on-prem DCs. We also want to manage those avd with Intune.

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-07-13T17:22:11.483+00:00

Correct, a Windows endpoint can only join one domain, however, that's not significant as an endpoint does not have to be joined to your on-prem domain for authentication to succeed. Please see the doc I linked to above.

Authentication always requires line of sight to a domain controller regardless of what domain the endpoint is joined to so your goal as stated, is not possible.

Yonathan Grunewald 1 Reputation point

2022-07-13T17:25:06.843+00:00

Isn’t that one of the points for using Azure ADDS? To eliminate the on-prem dependencies?

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-07-13T17:39:18.89+00:00

Azure AADS is something completely different and doesn't support HAADJ and is only supported for VMs hosted in Azure IaaS. Also, just joining an endpoint to Azure ADDS doesn't change the authentication used by your on-prem applications that use your on-prem AD for authentication. Ultimately, you're conflating authentication with domain join. The two are only lossley related and collaborative, but not tightly coupled or dependant.

Yonathan Grunewald 1 Reputation point

2022-07-13T19:16:35.7+00:00

Thanks for taking the time to explain.
As per https://learn.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm#known-limitations

“ We currently recommend Azure AD-joined VMs for scenarios where users only need access to cloud-based resources or Azure AD-based authentication.”

This sent us searching for a way to provide the WVD users ways to authenticate to on prem resources, and that’s where we found Azure AD DS.
I’m starting to see our misunderstanding of what Azure AD DS was supposed to solve.

Regarding managent, i can see here:
https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites#session-hosts
The last bullet states “ If you're joining session hosts to an Azure AD DS domain, you can't manage them using Intune.”
So that settles it.

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-07-13T19:35:49.14+00:00

AVD and AADJ is a newer and lagging scenario which still has some gaps that we are working on closing. Thus, for the time being, HAADJ+AVD is still acceptable particularly since AVD is much more flexible and easier to manage when it comes to provisioning as compared to actual, physical endpoints.

Azure ADDS is not a lift and shift of on-prem AD to Azure and is meant more of a last resort to lift and shift "legacy" on-prem apps to be hosted in Azure that have a hard dependency on ADDS and can't be easily modified (or modified at all) to use another IdP for authentication or authorization. Azure ADDS also lacks many capabilities when it comes to end-user endpoints like group policy.

Just to reiterate as well, authentication always requires line of sight to an identity authority to issue tickets or tokens. In the AD world, that's a domain controller. With older protocols like NTLM, an application could authenticate on your behalf, but this is attack vector just waiting to be exploited and is not generally a characteristic of more modern auth protocols like Kerberos (from memory, it is technically possible in kerberos, but not enabled by default and even when enabled, it has to be enabled in a very tightly constrained manner).
Sign in to comment
Lee Lacy 11 Reputation points

2022-02-01T15:17:43.403+00:00

If you have Azure AD DS setup and configured, then it is possible to join to an AD in the cloud and not on premise. What I believe the issue is, that you don't have the Intune Connector setup which helps manage duplicate devices objects. Yes, when you delete that first object, it is the object that the authentication is happening against, so yes, that does block auth. Setup and configured the Intune Connector. windows-autopilot-hybrid
Please sign in to rate this answer.
Jason Sandys 31,151 Reputation points Microsoft Employee

2022-02-01T16:32:21.327+00:00

Sorry, need to (hopefully gently) correct the above. Azure AD and Azure AD DS are two completely different things/services. AADDS is for VMs hosted in Azure only and is unrelated to HAADJ or the Intune Connector. The Intune Connector is also completely unrelated to managing objects, duplicate or otherwise and is only used within the context of Autopilot.

AADDS reference: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/overview
Intune Connector reference: https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid
Sign in to comment