KetanC asked vipulsparsh-MSFT answered

On premises migration to AAD/Intune

Hi all

For a bit of practice on something I’ve never done/been exposed to before, I have set up a lab to try to simulate an on premises environment, which is to be migrated to Azure, utilising Intune and Autopilot for new/existing devices as appropriate. The VMs I have currently are:

1) Windows Server 2019 – Domain Controller
2) Windows Server 2019 – AD Connect Server, domain joined, configured with Express settings and connected to AAD
3) Windows 10 – Endpoint Machine 1, domain joined
4) Windows 10 – Endpoint Machine 2, domain joined

Both endpoint machines and the AD Connect Server are receiving test GPOs successfully, and AD Connect has synced and users/devices are visible in AAD.

I have logged in to the two endpoint machines using AD domain accounts for two different users, and have added their work/school accounts for them on each endpoint, resulting in each machine appearing in AAD as “Azure AD Registered”, along with the correct owner details.

I have tried to follow MS Docs guidance online, but am really struggling and got pretty confused; can someone talk me through the next steps required in order to configure the two endpoints (not the AD Connect or Domain Controller VMs) to be hybrid joined and manageable with Intune please?

I have tried this once before, by running the GPO to auto-join endpoints, but it ended up hybrid joining every device including the AD connect and domain controller VMs also, which both appeared in the device list, but with no owner information. Is this normal?
Thanks in advance!

azure-ad-hybrid-identity

1 Answer

vipulsparsh-MSFT answered

@KetanC Thanks for reaching out.

If you have domain joined machines, then it is always advisable to make them hybrid Azure AD joined in order to gain more features and bring in the Intune management capabilities.

Here is a nice tutorial to achieve that step by step: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

Hybrid joined machines will not show any owners on the AAD Devices page.

You should not be adding a work account manually via the "Add work account" option. This will make the device get registered as Azure AD registered, and when Azure AD Connect syncs this device, it will create another entry for the synced one, resulting in a dual-state scenario which causes many problems ahead.

If you already have devices registered manually by adding a work account on domain joined machines, you can follow this article to understand what will happen and how to get rid of this: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

Feel free to write us back for any questions.



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.
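The dual state the answer above warns about can be checked on each endpoint from the output of `dsregcmd /status`: a hybrid joined device reports `DomainJoined : YES` and `AzureAdJoined : YES` under Device State, and a device that a user has additionally registered via "Add work account" reports `WorkplaceJoined : YES` under User State. The PowerShell below is an added example, not code from the thread, Microsoft, or the linked docs. It parses `dsregcmd /status` (run as the logged-on user, since the User State section is per user) and flags the dual state; it also writes the documented `BlockAADWorkplaceJoin` policy value so users cannot re-create the registered state while you clean up. The sample status text is constructed so the parser can be exercised offline; the function and parameter names are this example's own.

```powershell
# Added example: detect the hybrid-join / Azure AD-registered "dual state" on a
# Windows 10 endpoint by parsing dsregcmd /status, and optionally block further
# manual "Add work account" registrations via the documented policy value.
# Function names and parameters are this example's own, not from the thread.

function Get-DsregState {
    [CmdletBinding()]
    param(
        # Output lines of `dsregcmd /status`; defaults to running it on this machine.
        [string[]]$StatusLines = (& dsregcmd /status)
    )

    $state = @{}
    foreach ($line in $StatusLines) {
        # Lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    $domainJoined    = [bool]$state['DomainJoined']
    $azureAdJoined   = [bool]$state['AzureAdJoined']
    $workplaceJoined = [bool]$state['WorkplaceJoined']

    [pscustomobject]@{
        DomainJoined    = $domainJoined
        AzureAdJoined   = $azureAdJoined
        WorkplaceJoined = $workplaceJoined
        # Hybrid Azure AD joined = on-prem domain joined AND Azure AD joined
        HybridJoined    = $domainJoined -and $azureAdJoined
        # Dual state = hybrid joined AND the current user has also registered
        # the device with "Add work account" (Azure AD registered)
        DualState       = $domainJoined -and $azureAdJoined -and $workplaceJoined
    }
}

function Set-BlockWorkplaceJoin {
    # Sets the documented policy value that stops users from adding a work
    # account (Azure AD registering) a domain joined device. Requires admin.
    # In production this is normally delivered by GPO rather than set by hand.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if ($PSCmdlet.ShouldProcess($key, 'Set BlockAADWorkplaceJoin = 1')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'BlockAADWorkplaceJoin' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# --- Constructed sample: a hybrid joined device whose user also added a work
# account. This is not real dsregcmd output captured from any machine.
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

$result = Get-DsregState -StatusLines $sampleStatus
$result | Format-List

if ($result.DualState) {
    Write-Warning 'Dual state detected: hybrid joined AND Azure AD registered for this user.'
    Write-Warning 'Disconnect the work account (Settings > Accounts > Access work or school),'
    Write-Warning 'then block further registrations with Set-BlockWorkplaceJoin (-WhatIf to preview).'
}

# On a real endpoint, run as the signed-in user and without -StatusLines:
#   Get-DsregState
# To preview the policy change before applying it:
#   Set-BlockWorkplaceJoin -WhatIf
```

Run `Get-DsregState` on each of the two endpoints after the hybrid-join GPO has applied; on the AD Connect server and domain controller it will also report `HybridJoined`, which matches the behaviour the question describes (those servers are domain joined, so the GPO enrols them too), while `WorkplaceJoined` should be `NO` everywhere once the manually added work accounts are disconnected. Devices on Windows 10 1803 and later with the relevant update clean up the registered state automatically after hybrid join, per the linked planning article; the policy value only prevents new manual registrations, it does not remove an existing one.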