Microsoft 365 Business now supports Azure AD Connect and Hybrid Azure AD Join
Introduction
There are two new capabilities in the Microsoft 365 Business suite that significantly enhance the end-user and device management experience. More information is also available in this blog post. The first is that it is now possible to use Azure AD Connect, so you can synchronize your users, groups and password hashes to the cloud. This gives you a single sign-on experience and additional capabilities such as self-service password reset. All the capabilities that are in Microsoft 365 Business compared to Enterprise can be found in the Microsoft 365 Business Service Description.
The second is that it is now possible to register your Windows 10 devices with Azure AD (called Hybrid Azure AD Join). This makes it possible to do co-management on these devices. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. It's a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach. More information can be found here: /en-us/sccm/core/clients/manage/co-management-overview
Note that the words "Hybrid Azure AD joined" imply that you are joined to both on-premises AD and Azure AD, but technically the device is still joined only to on-premises AD. Instead, your device will be registered (not joined) in Azure AD. More information here: /en-us/azure/active-directory/device-management-introduction
Setting it all up
You can set this all up by first synchronizing your Active Directory with Azure Active Directory, followed by registering the Windows 10 devices within Azure AD. After registering you can enable these devices for mobile device management in Intune.
In my steps below I made the following assumptions:
- First off, your devices need to be joined to your on-premises Active Directory.
- Secondly, all your devices are running the latest versions of Windows 10.
- Finally, you already have configured and set up Azure AD Connect with password hash sync enabled, so your on-premises users will also exist in Azure AD (see screenshot below).
Note that if you are doing OU filtering, don't forget to include the computer accounts as well, as these are required for Hybrid Azure AD Join.
Once that has been set up, you go back to Azure AD Connect and configure it to set up Hybrid Azure AD Join as outlined in this article:
/en-us/azure/active-directory/connect/active-directory-azure-ad-connect-device-options
Select Configure Hybrid Azure AD join.
Select your Authentication Service and enter your Enterprise Admin credentials.
Select Windows 10 or later domain-joined devices.
Once finished, check the post-configuration tasks that might be required, as outlined in this article: /en-us/azure/active-directory/connect/active-directory-azure-ad-connect-hybrid-azure-ad-join-post-config-tasks
From this point onwards:
- All domain-joined devices running Windows 10 Anniversary Update and Windows Server 2016 automatically register with Azure AD at device restart or user sign-in.
- New devices register with Azure AD when the device restarts after the domain join operation is completed.
- Devices that were previously Azure AD registered (for example, for Intune) transition to "Domain Joined, AAD Registered"; however, it takes some time for this process to complete across all devices due to the normal flow of domain and user activity.
Verify Joined Devices
Make sure you have installed the PowerShell module for Azure AD as outlined here: /en-us/powershell/azure/install-msonlinev1?view=azureadps-2.0
Connect to the tenant using PowerShell, followed by the cmdlet Get-MsolDevice. This should list all the devices that are registered in Azure AD.
Alternatively, you can run dsregcmd /status from the command prompt on the Windows 10 machine to see its device registration status.
The AzureAdJoined field should be set to Yes.
If it isn't, please check this troubleshooting guide for tips: /en-us/azure/active-directory/device-management-troubleshoot-hybrid-join-windows-current
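A PowerShell check that covers both sides of that verification (the local dsregcmd /status view and the tenant-side Get-MsolDevice view), added here as an example and not part of the original post; it assumes the MSOnline module is installed, and the function names Get-DsregStatus and Test-HybridJoined are my own:

```powershell
# Added example (not from the original post). Local check via dsregcmd /status,
# then a tenant-side listing of devices Azure AD trusts as "Domain Joined".
# Assumes the MSOnline module is installed (Install-Module MSOnline).

function Get-DsregStatus {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
    # Only single-word keys (AzureAdJoined, DomainJoined, TenantName, ...) are kept.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-HybridJoined {
    param([hashtable]$Status = (Get-DsregStatus))
    # Hybrid Azure AD Join = joined to on-premises AD AND registered in Azure AD.
    return ($Status['DomainJoined'] -eq 'YES' -and $Status['AzureAdJoined'] -eq 'YES')
}

$s = Get-DsregStatus
if (Test-HybridJoined -Status $s) {
    Write-Output "Hybrid Azure AD joined. TenantName=$($s['TenantName']) DeviceId=$($s['DeviceId'])"
} else {
    Write-Output "Not hybrid joined. DomainJoined=$($s['DomainJoined']) AzureAdJoined=$($s['AzureAdJoined'])"
    Write-Output "Review the full dsregcmd /status output and the troubleshooting guide for the failing step."
}

# Tenant-side view: devices synced from on-premises AD and trusted as "Domain Joined"
# (the trust type Azure AD assigns to hybrid-joined devices). Prompts for credentials.
Connect-MsolService
Get-MsolDevice -All |
    Where-Object { $_.DeviceTrustType -eq 'Domain Joined' } |
    Select-Object DisplayName, DeviceTrustType, DeviceOsType, DeviceOsVersion,
                  DirSyncEnabled, LastDirSyncTime, ApproximateLastLogonTimestamp |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

A device that appears once as "Domain Joined" and once as "Workplace Joined" is one that was previously Azure AD registered and is still in the transition described above.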
Summary
With Microsoft 365 Business it is now possible to use Azure AD Connect to synchronize your local Active Directory information into Azure, which is a great way to enhance the end-user experience. This capability also unlocks Hybrid Azure AD Join, which provides a bridge from traditional to modern device management with Microsoft Intune.
If you find any errors in this article, please let me know. Hope this helps!
-Andre