AD Connect and Hybrid AD Join Devices

AdamTyler-3751 431 Reputation points
2022-01-31T19:32:19.77+00:00

Hi everyone, I'm in need of using AD Connect to Hybrid AD Join systems from our on-premises environment. This is a requirement for using conditional access control later, apparently there are controls that can be enabled based on the Hybrid AD Join status.

Anyway, AD Connect is installed and working; we were already synchronizing user accounts successfully using Pass-Through Authentication rather than password hash sync. I went back into the AD Connect config and enabled Hybrid Azure AD Join and created the SCP.

I then went into the "Synchronization Service Manager" and configured the "Connector" for our on-premises domain, Domain.local for example. Selected Properties > Configure Directory Partitions > Containers, then enabled sync for a test OU containing a couple of Windows 10 workstations. Those machines were added to Azure AD devices and after some time reported as Hybrid Joined. Great!

My question stems from the below screenshot. In our case I really would only ever want Windows 10 workstations to become hybrid AD join. We have servers (2008, 2008 R2, 2012 R2, 2016, and 2019) joined to AD as well as some intermittent Windows 7 and Windows 8. Yes I know we need to get these old operating systems removed.

Anyway, I would really like to just point the AD Connect sync service at the entire OU tree we use for servers and workstations and have it only sync and hybrid join Windows 10 workstations. What exactly does the checkbox labeled "Windows 10 or later domain-joined devices" do? Technically Windows Server 2016 and 2019 are built on a similar kernel, so would this include servers?

Additionally, is there any danger to hybrid joining all of our workstations? Are there any policies or new behaviors to be aware of by hybrid joining systems or is it silent for the most part? What happens if a hybrid domain joined system is moved out of a synchronized OU down the road? Is it removed from the Azure domain automatically? Can it be added back easily or does this present a problem?

[Screenshot attached: 169938-image.png]
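Azure AD Connect container filtering is per-OU: once an OU is ticked, every computer object under it is in scope, regardless of operating system. Before pointing the sync at a whole server/workstation tree, it helps to see exactly which objects that would be. The following is an added example (not code from the original post); it assumes the RSAT ActiveDirectory module is installed and uses a placeholder search base of `OU=Computers,DC=domain,DC=local`, which you would replace with the OU tree you intend to put in scope.

```powershell
# Added example: inventory computer objects under an OU tree by the
# operatingSystem attribute, so you can see what Azure AD Connect would
# pull into Hybrid Azure AD Join scope if that tree were selected.
# Assumes RSAT ActiveDirectory; the search base below is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Computers,DC=domain,DC=local'   # placeholder, adjust to your tree

$computers = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree -Filter * `
    -Properties operatingSystem, operatingSystemVersion, lastLogonTimestamp

# Classify each object from its operatingSystem string. Servers and legacy
# clients (Windows 7/8) are the ones that would be swept in alongside Windows 10.
$report = foreach ($c in $computers) {
    $os = [string]$c.operatingSystem
    $class = switch -Regex ($os) {
        '^Windows (10|11)\b' { 'Client-Win10Plus'; break }
        'Windows Server'     { 'Server';           break }
        '^Windows (7|8)\b'   { 'Client-Legacy';    break }
        default              { 'Unknown' }
    }
    [pscustomobject]@{
        Name      = $c.Name
        OS        = $os
        Version   = $c.operatingSystemVersion
        Class     = $class
        Enabled   = $c.Enabled
        LastLogon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
        OU        = ($c.DistinguishedName -split ',', 2)[1]
    }
}

# Summary by class, then the detail of everything that is NOT a Windows 10/11 client.
$report | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Class -ne 'Client-Win10Plus' |
    Sort-Object Class, Name |
    Format-Table Name, OS, Version, Enabled, LastLogon, OU -AutoSize
```

The second table is the list of objects you would need to move to a non-synced OU (or exclude by adjusting the container selection) if only Windows 10 workstations should end up hybrid joined. The `Unknown` bucket usually contains stale or unmanaged objects whose `operatingSystem` attribute was never populated; check those before deciding on scope.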


2 answers

  1. VipulSparsh-MSFT 16,306 Reputation points Microsoft Employee
    2022-02-01T12:28:06.59+00:00

    @AdamTyler-3751 Thanks for reaching out.

    For hybrid Azure AD join, Windows servers also get connected to the Hybrid AAD Join state if they are present in the OU which is getting synced. There will be no impact or behavior change as such.
    This just helps facilitate single sign-on and can help with conditional access.

    If you remove the computer object from the OU, the object will get deleted from Azure, as removing the object from sync scope is considered a deletion. (But the entry remains in the portal for a longer duration as a stale entry.) Read this to check how you can manage the stale entries: https://learn.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices
    Moving the object back into the OU will sync the machine again, but will create a new entry.

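The answer above notes two side effects worth checking on the Azure AD side: servers sitting in a synced OU show up as hybrid joined, and a computer that leaves and re-enters sync scope gets a second device record while the old one lingers as a stale entry. The following is an added example (not code from the original answer) that lists the hybrid joined device records with Microsoft Graph and flags duplicates and stale entries. It assumes the Microsoft.Graph PowerShell SDK is installed and that you can consent to the `Device.Read.All` scope; the 90-day staleness threshold is an assumption to adjust to your own policy.

```powershell
# Added example: enumerate hybrid Azure AD joined device records and flag
# duplicated and stale entries. Assumes the Microsoft.Graph PowerShell SDK
# and Device.Read.All consent. The staleness threshold is an assumption.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Device.Read.All'

# Hybrid Azure AD joined devices carry trustType 'ServerAd'.
$devices = Get-MgDevice -All -Filter "trustType eq 'ServerAd'" `
    -Property DisplayName, DeviceId, OperatingSystem, OperatingSystemVersion, `
              ApproximateLastSignInDateTime, AccountEnabled

$StaleAfterDays = 90                              # assumption; align with your policy
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

$rows = foreach ($d in $devices) {
    $last = $d.ApproximateLastSignInDateTime
    [pscustomobject]@{
        DisplayName = $d.DisplayName
        DeviceId    = $d.DeviceId
        OS          = $d.OperatingSystem
        OSVersion   = $d.OperatingSystemVersion
        LastSignIn  = $last
        Enabled     = $d.AccountEnabled
        # No sign-in recorded, or last sign-in older than the cutoff, counts as stale.
        Stale       = (-not $last) -or ($last -lt $cutoff)
    }
}

# Duplicate display names: a computer moved out of and back into a synced OU
# produces a second record; the one with the older LastSignIn is the leftover.
Write-Host "Duplicate device names:"
$rows | Group-Object DisplayName | Where-Object Count -gt 1 | ForEach-Object {
    $_.Group | Sort-Object LastSignIn -Descending |
        Select-Object DisplayName, DeviceId, LastSignIn, Stale
} | Format-Table -AutoSize

# Stale records overall. Review before disabling or deleting; the stale-devices
# article linked in the answer above describes the supported cleanup process.
Write-Host "Stale hybrid joined devices (no sign-in in $StaleAfterDays days):"
$rows | Where-Object Stale | Sort-Object LastSignIn |
    Format-Table DisplayName, DeviceId, OS, OSVersion, LastSignIn -AutoSize
```

Run it read-only first (the script only queries). Once you are satisfied with the list, the cleanup steps in the linked stale-devices article (disable, wait, then delete) apply to the flagged records; deleting the newer duplicate instead of the old one would force the live machine to re-register.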


  2. Shahzaib Khan 1 Reputation point
    2024-03-14T06:13:19.52+00:00

    @VipulSparsh-MSFT So you are saying, if let's say I have two OUs, OU-A and OU-B, OU-A has my client systems and OU-B has my servers (2008 to 2022).

    In my AD Connect, OU-A & OU-B are synced with Azure AD.

    I intend to hybrid join my client systems to enroll them in Intune, I run the Hybrid Azure AD wizard...

    Here comes the fear: will my servers present in OU-B also be hybrid Azure AD joined?

    I have read somewhere that hybrid Azure AD technology is only for Windows 10 or later, not for servers.

    If you could please confirm. Because it is going to be a huge change if there is any impact on my servers.

    Or do you suggest I should unsync OU-B so the hybrid Azure AD wizard has no impact on it?

    Thanks,
    Shahzaib

