In late June I was approached to record some short technical overview videos on Microsoft 365 Business, and now that they are recorded and published, it’s time to review them, and provide some additional resources and any important updates since the content was created. This is the fourth video in the series, the focus is on hybrid identity with Active Directory (AD) with Azure Active Directory (AAD).
Hybrid AD scenarios are going to be important for some environments for an extended time period, and for many provides a higher comfort factor as they extend their current skills and environments with cloud technologies. Even if you think it’s going to be a long time before your organisation can go all in on the cloud, I would still recommend creating some cloud only users moving forward.
What type of roles and users are good for cloud only identity? A user that spends all of their time working remotely, and not connecting back to the on-premises network is a good candidate. Why create and manage an AD user identity if they only need an AAD identity in order to access online services and do their job? The main reason I encounter is tradition, it’s the way it’s been done for many years, and maybe cloud only hasn’t been considered just yet. If you’ve got seasonal staff or other short term employees, they might also be good candidates.
For most SMB customers, the go to recommendation when it comes to hybrid identity will be to use Azure Active Directory Connect (AADC) with Password Hash Synchronisation and enable seamless sign on. In the video I mention that this is the easiest option and has the lowest overhead, but if you identify a requirement that it can’t meet, take a look at Pass Through Authentication , and then Active Directory Federation Services. As you move through this list, the resources and setup requirements increase dramatically in the required when planning highly available deployments.
When setting up your hybrid environment, you need to consider if you will be hybrid joining your existing Windows devices. Over on the Microsoft Tech Community, Ashanka Iddya has just posted Microsoft 365 Business Supports On-premises Active Directory which covers some of the topics she covered at Inspire, with some additional resource links to check out. The guidance that is provided in the post includes the following
- Azure AD Joined Device configuration is the preferred path for non-domain joined devices
- Hybrid Azure AD Joined Device configuration is the preferred path for existing domain joined devices
- Always consider the Azure AD Joined Device configuration first
- Consider using both: Hybrid Azure AD Joined Device config for existing domain devices and Azure AD Joined Device config for new devices or device refresh
This complements what I was saying about how to approach cloud vs hybrid identity for different user types, but in this case it’s how to approach it for devices. If you’ve got existing Group Policy requirements that you can’t meet managing Windows 10 MDM via Intune, or if you are working through that mapping process, then the Hybrid Azure AD Joined Device option gives you the option of AD joined, but also enrolled in AAD and potentially Intune as well, so identity and management elements from the cloud can work alongside what you’ve got.
This is obviously the tip of the iceberg for this conversation, but hopefully the resources that I’ve linked to will help fill in some of the gaps, otherwise, post a comment and I’ll get back to you.
You can check out the other posts in this series below