question

0 Votes
Elmi06 asked saldana-msft edited

Change Azure AD joined to Hybrid Joined Device

Hello, Guys

In my environment we have set up Azure AD Joined devices in AD Connect, and we also have Password Hash Sync. Now we want to configure some Conditional Access, but it needs the device state to be Hybrid Joined.

The devices are Azure AD joined. How can we migrate them to Hybrid Joined without impacting users? Do we need to change this in AD Connect?

Tags: mem-intune-enrollment, mem-intune-admin-center

1 Vote
EswarKoneti-MVP answered

Devices that are purely AAD joined cannot be changed to hybrid AAD joined unless you use Autopilot with a hybrid AAD join profile or manually join the devices to the on-prem domain.
Hybrid Azure AD joined refers to a device that is joined to the on-prem domain and also joined to AAD.
For conditional access, hybrid AAD join is not mandatory; you can use other options in conditional access, such as device compliance state (if the device is Intune enrolled and compliant).


1 Vote
Jason-MSFT answered EswarKoneti-MVP commented
  • to Eswar's answers.

To summarize:
- You can't directly convert.
- You don't want or need to convert for conditional access.

The requirement for conditional access is for the system and user to have an Azure AD identity. This is perfectly fulfilled when a device is full Azure AD joined.


The requirement for conditional access is for the system and user to have an Azure AD identity. This is perfectly fulfilled when a device is full Azure AD joined.


Azure AD Joined devices can be personal devices as well, right?

I have created a conditional access policy for a specific app that I don't want users to open on a personal device. As a condition I checked the Hybrid AAD option. But when I try to open the app on my company machine, which is AD joined and Azure AD Registered, I'm blocked.

Is there any way to block certain enterprise applications from Azure AD Registered devices?

0 Votes 0 ·

Yes. Use a compliance policy in Intune and in your conditional access policy require that the device is compliant.

0 Votes 0 ·

AAD joined devices can also be personal, but it depends on how you allow the devices to be enrolled.
You can create an enrollment restriction to block personal Windows devices: https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

For conditional access, under Access controls > Grant, select Require device to be marked as compliant.
If you want to block AAD registered devices, you can create a block policy with conditions: Device state, Configure, and exclude hybrid AAD joined and compliant. Any device that is not hybrid AAD joined or compliant will then be blocked.

Regards,
Eswar
www.eskonr.com
If the response is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·

Now I understand the construction.

The problem is that a lot of those personal machines (with machine name "DESKTOP-xxxx") are in some way AAD Registered and not AAD Joined?

It could be a config error made when setting up AD Connect, but now I'm unable to distinguish company-owned machines from personal machines...

Is there any way to change that? Preferably without any problems for the home users?

0 Votes 0 ·
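The two operational pieces discussed above, as an added example rather than code from anyone in this thread: an inventory of join states via the device object's trustType (Workplace = Azure AD registered, AzureAd = Azure AD joined, ServerAd = hybrid joined), which separates the "DESKTOP-xxxx" registered machines from joined ones, followed by the block policy Eswar describes, expressed as a Microsoft Graph device filter that excludes hybrid-joined and compliant devices. It assumes the Microsoft.Graph PowerShell SDK is installed; the app ID is a placeholder, and the policy is created in report-only mode so its effect can be reviewed in sign-in logs before enforcement.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Device.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1) Inventory: trustType is the reliable way to tell join states apart.
#    Workplace = Azure AD registered (typical personal device)
#    AzureAd   = Azure AD joined
#    ServerAd  = hybrid Azure AD joined
$devices = Get-MgDevice -All -Property DisplayName, TrustType, IsCompliant, DeviceId

# Count per join state, then list the registered (Workplace) devices for review.
$devices | Group-Object TrustType | Select-Object Name, Count | Format-Table -AutoSize
$devices | Where-Object { $_.TrustType -eq 'Workplace' } |
    Select-Object DisplayName, DeviceId, IsCompliant |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# 2) Block policy: applies to every device EXCEPT hybrid-joined or compliant ones.
#    Placeholder app ID (assumption): replace with the target application's client ID.
$appId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Block app from devices that are neither hybrid joined nor compliant'
    # Report-only first: evaluate in sign-in logs, then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($appId) }
        clientAppTypes = @('all')
        devices        = @{
            deviceFilter = @{
                # exclude mode: matching devices are NOT subject to the block
                mode = 'exclude'
                rule = 'device.trustType -eq "ServerAD" -or device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Registered (Workplace) personal devices match neither exclusion, so they are blocked, while hybrid-joined machines and Intune-compliant Azure AD joined machines keep access.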
0 Votes
CiciWu-MSFT answered