Should I use Hybrid Azure AD Join or not?
I consulted with an MSP recently about one of their larger customers, and whether or not to implement Hybrid Azure AD Join for existing Windows workstations (joined to traditional Active Directory). The classic consultant answer of course is, “It depends.” In certain cases, perhaps. But in truth and in practice, I rarely find that this is a good path to pursue anymore, at least in the SMB space. Let’s take some time to examine why this is the case, and, whether there exist any circumstances under which it might still make sense.
Why I no longer recommend Hybrid Join
The first thing to note is that we are now on the other side of the pandemic. During the last few years, we saw an explosion of remote work; indeed, it became the “norm” for information workers almost everywhere. But even prior to this era, we already had trends away from corporate “perimeter-centric” networks, and towards a work-from-anywhere experience. Users were bringing their own devices to work, working more from home or other networks that were beyond the reach of corporate IT, and even signing up for so-called “Shadow IT” apps, in order to facilitate a more attractive, modern flavor of work. The culture at large increasingly exhibited a sort of casual disregard for the way traditional IT departments wanted to run things, when it seemed so much easier to just get work done outside of the pre-existing boundary lines.
In other words, the pandemic just accelerated the inevitable departure from the old path and onto the new one. This is what Microsoft 365 and other cloud ecosystems were created for: to meet people where they are. In a cloud-first, mobile-first world, which we have been talking about for almost a decade now, there is very little need for “on-premises” infrastructure of any kind. And so, especially in the SMB where pre-existing physical infrastructure footprints are minimal anyway, I prefer to just push businesses the rest of the way into the cloud, and eliminate dependencies on legacy systems, wherever possible.
So that is the first reason I tend not to recommend Hybrid Azure AD Join.
We also have to acknowledge that legacy systems such as Active Directory and on-premises Exchange are big targets with many vulnerabilities, and most SMBs do not have the resources to keep up with hardening and protecting these services appropriately. While there is certainly also some expertise required to properly protect a Microsoft tenant in the cloud, the tools are natively available and easy to configure, compared to legacy systems which are more cumbersome and often require third-party tools to “do it well.” This is cost and complexity best avoided. Consolidating into Azure AD with centralized security policies such as Conditional Access, which then integrate with other security tools including Defender for Business, etc., is to be preferred in my mind, over stapling together your own solution on-prem.
What is gained, what is lost?
Now from a functionality standpoint, let us examine what is gained and what is lost when we join our devices directly to Azure AD, versus keeping them joined to a legacy domain, and then “layering on” hybrid after the fact.
On the one hand, hybrid join is an easy and low-touch way of getting workstations registered against Azure AD in a way that tells Microsoft 365, “Hey, this is a corporate device.” The immediate benefit here is that you can start to use Conditional Access policies that leverage this datapoint–maybe you start to restrict access to cloud applications for your non-corporate devices. This is pretty much as simple as running a wizard in Azure AD Connect (which many hybrid organizations already have) and then deploying a GPO that tells workstations to go register themselves with Microsoft as hybrid joined devices.
By contrast, if you wanted to join your existing devices to Azure AD, it means disjoining the corporate domain first, and then rejoining those workstations to Azure AD (or even doing a factory reset and starting over fresh if you want to go the “clean slate” route). This is a lot more work, obviously, and it requires a bit more disruption. In fact, users will be signing into a brand-new desktop profile so it’s like they are getting a new PC.
But once the project is done, you will have removed the dependency on the local AD domain; this is usually a big piece of the puzzle to getting off legacy servers for good. The benefits are enormous: Azure AD joined devices are managed from Intune using MDM policies, rather than GPOs from AD servers. There is no need for VPN connections back to the office in order to push software, manage policies or updates, or anything else. And of course, we still have the same benefit I mentioned above with hybrid joined devices: the cloud knows which devices are corporate owned, managed, and compliant, and which are not.
And for all that is gained, what is lost? Not much. I find that in most cases, even if there is an application or file shares remaining on-premises, it is not usually too difficult to maintain access to these resources, even without the tether of traditional AD join. In my experience, most of the Line-of-Business apps out there do not necessarily depend on Active Directory credentials, and specifically they do not depend on having workstations joined to Active Directory. So normally I find we can authenticate to our “local network” apps whether we are AD joined or Azure AD joined. Of course, it is something you will want to test and confirm; it is possible (though I haven’t run into it yet myself) that you could stumble on a scenario where workstation authentication comes into play.
As for file and print shares: get familiar with the process of moving files to OneDrive, Teams, and SharePoint. Follow my five rules. Leverage other solutions as needed. And even though Microsoft has a “cloudy” print service (Universal Print), almost nobody I know in the SMB space is using it, so look at Printix instead. It integrates nicely with Azure AD and allows you to manage your printers centrally from the cloud.
Where Hybrid Still Has a Place?
All that having been said, is there still a scenario where hybrid might make sense?
Yes, such a scenario is possible, and it would be driven by certain business objectives and budget considerations. Let’s consider a theoretical example. Assume I have an organization with 300 users, spread across half a dozen locations, all joined to legacy Active Directory. This imaginary company also has budgeted out a plan to replace their inventory of workstations over the next three years, replacing roughly 1/3 (100 computers) each year until they are done. They already have a fair amount of hybrid footprint with Exchange Online, OneDrive, Teams, etc., and password sync is already in place. They can easily turn on Hybrid join if they wanted to.
In this case, I say, why not? The risk and effort involved in moving to Hybrid Azure AD join is extremely low. What I would suggest to this organization is that as they replace workstations, they should configure Autopilot and join the devices directly to Azure AD, and never join them to the legacy domain. The existing workstations, however, can be Hybrid joined. This would mean minimal disruption for the existing users, and they would only be disrupted once by their workstation refresh when it comes around. In the meantime, they can get the additional security benefits of hybrid because your Conditional Access policies can grant full access to devices either Hybrid joined or compliant with Intune. It’s win-win as far as I can see.
However, note that I would not go as far as implementing Autopilot to support Hybrid join scenarios. Microsoft themselves have said that you should prove Azure AD Join does not work for your organization first, before implementing Autopilot for Hybrid Join. This is because Autopilot’s purpose is to provision new computers–and if you are doing that, then the preferred path is to go right to Azure AD Join. The Hybrid Join option is really just there to support the legacy stuff until you can move off it, like a softer on-ramp. Therefore, I would struggle to design a long-term hybrid co-existence scenario that would call for new computers to become hybrid joined like the old ones. There would have to be a very compelling business reason to do so (it might exist, again, I just haven’t witnessed it in the SMB space myself).
So, hybrid join is not without its place. But in these post-pandemic days, I still find these scenarios to be the exception and not the rule. If instead we were dealing with a smaller network of say 50 users, and we had the opportunity to just “rip the band-aid off” (whether that meant all new workstations or just re-provisioning old ones), then I would say go with Azure AD Join every time; you won’t really miss out on anything. And again, you should always test to confirm your assumptions, but I personally haven’t found this to be an issue and I advise everyone I work with to go “the rest of the way” into the cloud as soon as possible. Continue to remove those dependencies on legacy infrastructure, and let’s leave the past in the past.
Comments (5)
Sharepoint for legacy file shares. Sure. Have you USED share point for file shares? Have you had users use share point for file shares? I have, and I can tell you, it’s a bad idea. A web page to save files? Upload files to the web just to make them available? It’s a nightmare, and no one likes it.
Sure, you can put everything in the cloud. Lord knows, the internet connection never goes down. /s
Oh, and what about the payment to Microsoft? Thank God that’s so inexpensive. Could you imagine having to pay that bill, no matter the pricing increase, forever?
Microsoft services are remote. You’re going to make your entire infrastructure depend on a remote connection?
Microsoft – “All your bases are belong to us”…..”pay up”.
I see you haven’t taken my course on how to properly transform your file server into the cloud. Yes, if you just try to move files as is from on-prem you will have a mess on your hands. Fortunately, we have several different types of cloud repositories to choose from, and if you really want to keep an on-prem server or NAS for some archive/legacy stuff, knock yourself out. But that has no bearing on joining PCs to Azure AD (which is what you should do 99% of the time, regardless of what else you choose to do).
Thanks Alex – loving the content, keep it coming!
One of the issues we had when moving away from on-prem/hybrid to pure AAD were the password configuration/enforcement policies didn’t allow us to mandate a passphrase, despite Microsoft’s current best practice recommending passphrases without expiry (as I understand it). We requested our users create a long password, but we couldn’t require it – who knows how many paid any attention to our request. Have you found a way to enforce long passwords in AAD without needing the usual 3 of 4 complexity requirements? I’m told it’s not possible in AAD at the moment….
How does this affect now going to
ENTRA, just a question ? How does this affect non hybrid with using Windows hello for business. I followed your advice and yes hybrid joined with windows hello is troublesome at the least. Any suggestions?
Windows Hello is easy-peasy for Azure AD joined devices (non-hybrid, just joined straight to the cloud). Just turn it on right in the Intune portal by assigning an account protection profile.