This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello.
We have on-prem forest with few domains, all synced to one tenant on Azure. We use autopilot for Windows 11 device deployments. We are using hybrid Azure domain join with Intune-SCCM co-management.
I'm curious if it is possible to use SCCM or other tool to join a device to another on-prem domain after it is deployed. In other words:
Thanks in advance!
MZ
This will not work or be supported as you are fundamentally changing the device's identity and also break the HAADJ as this relies on AAD connect syncing the object to AAD. There is no graceful, supported path to do what you've asked about (or one that actually works to my knowledge). Also, keep in mind that even if this technically could work, you'd be orphaning the user's profiles so the value of doing this in-place is limited at best.
The best, supported path here is to reprovision the endpoints and AADJ them (as we strongly discourage HAADJ for new endpoint provisoining).
Hello Jason
Thank you for your quick and extensive response.
Although I agree with what you said I have to state that we are forced to go Hybrid route. This is because of heavy reliance of many of our security systems on our on-prem AD structure. Pure Azure AD as a flat structure currently does not support all of our (quite complex) needs.
Regards
MZ
Are you familiar with RBAC, Scope Tags, and Azure AD Admin Units? Some of the largest orgs in the world use Azure AD.
Reliance on legacy security systems that have a dependency on an on-prem should not be something that dictates your current and future strategy. Have you begun your Zero Trust journey yet? On-prem AD has very little benefit for Zero Trust.
If I had a say in decision making I wouldn't touch Hybrid.
But I'm part of large enterprise and we have loads of systems and processes that first have to be reengineered before adopting pure AAD. That's why I mentioned our quite complex needs.