JohnQ-7759 asked ·

Clarification on Hybrid AD joined computers? Do they no longer need to be on the on-prem network?

I have On-prem AD with Azure AD Connect already running. All our Windows 10 computers are joined to our on-prem AD and everyone logs in with their username/UPN and password.
Do I understand Hybrid join correct in that we can have, say 10 computers that are going to move to a remote office, join to Azure instead and no longer need to be on the same network as the on-prem AD, but the on-prem AD will still be the authoritative source for their login?
Will GPOs replicate to Azure and the computers will just sync everything like those policies over the internet? Is this an alternative to having a site to site VPN to a remote site for domain joined computers?

Tags: azure-active-directory, azure-ad-connect, azure-ad-domain-services, azure-ad-hybrid-identity

1 Answer

shashishailaj answered ·

Hello @JohnQ-7759 ,

Thank you for your query. Please find the answer for the same.

  • Do I understand Hybrid join correct in that we can have, say 10 computers that are going to move to a remote office, join to Azure instead and no longer need to be on the same network as the on-prem AD, but the on-prem AD will still be the authoritative source for their login?

    Ans :- Yes, the local AD will be the source of login, and they will be able to access applications published in your Azure Active Directory as well. But if you are looking for them to access your on-premises file server, which may be in your corp office location, they would not be able to access it until they have direct network access to it.

  • Will GPOs replicate to Azure and the computers will just sync everything like those policies over the internet? Is this an alternative to having a site to site VPN to a remote site for domain joined computers?

    Ans :- No, the GPOs will not replicate over to Azure, and the computers will not be syncing those policies over the internet from Azure AD. However, if you are trying to provide them with access to file servers which are located in your main office, you will need to update. The computers do need line of sight to DCs for the GPOs to be fetched and applied, and you do require a site-to-site VPN for the domain-joined computers. Alternatively, you can use Intune to manage these computers if just managing the computers via GPO is your concern.

So would I need to disjoin them from my domain? and then re-join them to the Azure AD domain?

  • No, for hybrid Azure AD join you do not need to disjoin them from the local domain. You can keep them joined there, and in addition to that they can hybrid join to Azure AD.

I'm just wondering what the ramifications are if they remain joined to our on-prem domain but never again have a line of sight to our on-prem domain controller or VM domain controller through a tunnel.

  • If a machine is hybrid Azure AD joined and then the user takes it away to some remote site where they don't have any local DC line of sight, then the user will be able to work and access all of the Azure resources (i.e. applications), but whenever the user changes passwords they need connectivity to a line-of-sight DC for logging in the first time with the new password. So at some point the user will need to come back to the on-premises location or have connectivity to a local DC using VPN. For password changes, you will require a line-of-sight DC, except for the case where you use Windows Hello for Business, which requires additional setup in the on-premises environment before you can implement the same.

If they are disjoined will their on-prem AD credentials still serve to be their login via syncing to Azure? And if we have special granular password policies through our third-party software in on-prem Domain Controller we just direct their password reset to connect to VPN?

  • If you have 3rd-party software for granular password policies, even then the login will work for the user, but as I mentioned, during every password change you need to make sure the request goes to the on-prem DC via VPN and the new password is evaluated as per your third-party software before the user can use it. Any logon to the system with the new password will require connectivity to a line-of-sight on-prem DC, because the DC is the authority for the password. If you have any of the licenses mentioned here then you can use password writeback, and even in this case, for login after a password change, access to a line-of-sight DC via VPN or direct network will be needed. The password change request will go to Azure, which will then contact on-prem via the Azure AD Connect server and evaluate the password policies on-prem, and if the new password conforms to policy then it will be set in the on-prem environment. Within 2 minutes of this, the password will be synced back to Azure AD using Azure AD Connect password sync, if PHS is enabled.

I have linked some articles which have related information and I would suggest you check the same.

Hope that clarifies your doubts about hybrid Azure AD joined machines. In case the information provided helps you, please do mark this as the answer so that it is helpful to other community members. In case you have any further queries, please let us know and we will be happy to help you further.

Thank you.

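A check worth running on one of those machines before relying on the behaviour described in the answer, as an added example (not code from the original answer or from Microsoft): a PowerShell script that parses `dsregcmd /status` to confirm the device is hybrid Azure AD joined (still domain-joined and registered with Azure AD) and then tests whether an on-prem DC is currently reachable, which is the condition the answer ties to GPO refresh and to the first logon after a password change. It assumes a Windows 10 device with `dsregcmd.exe` available, run as a domain user; the function names are the example's own.

```powershell
# Added example, not part of the original answer. Assumes a Windows 10 device that is
# already joined to on-prem AD and has dsregcmd.exe available (built in on Windows 10).

function Get-DeviceJoinState {
    # dsregcmd /status prints "   Key : Value" lines; keep the join-related ones.
    $raw = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $domainJoined  = $state['DomainJoined']  -eq 'YES'
    $azureAdJoined = $state['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        # Hybrid Azure AD join means: still domain-joined AND registered with Azure AD
        HybridJoined  = ($domainJoined -and $azureAdJoined)
        DomainName    = $state['DomainName']
        TenantName    = $state['TenantName']
    }
}

function Test-DcLineOfSight {
    # Ask the DC locator for a DC of the computer's domain. This throws when the
    # device has no network path to on-prem AD (e.g. a remote office without a VPN).
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc = $domain.FindDomainController()
        [pscustomobject]@{ Reachable = $true; DomainController = $dc.Name; Error = $null }
    } catch {
        [pscustomobject]@{ Reachable = $false; DomainController = $null; Error = $_.Exception.Message }
    }
}

$join = Get-DeviceJoinState
$dc   = Test-DcLineOfSight

$join | Format-List
$dc   | Format-List

if (-not $join.HybridJoined) {
    Write-Warning "Device is not hybrid Azure AD joined (DomainJoined=$($join.DomainJoined), AzureAdJoined=$($join.AzureAdJoined))."
}
if ($join.DomainJoined -and -not $dc.Reachable) {
    # Matches the answer above: Azure AD applications keep working, but GPO refresh and the
    # first logon with a changed password need a DC, so plan VPN access before the move.
    Write-Warning "No on-prem DC reachable: GPOs will not refresh and a newly changed password cannot be used for logon until the device regains DC connectivity (e.g. via VPN)."
}
```

Run it once on the office network (expect `HybridJoined : True` and `Reachable : True`) and once from the remote site without the VPN up; the second run shows the state the answer describes and is a quick way to verify a site-to-site VPN or Intune plan before moving the machines.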

Hi @shashishailaj ,

Thanks for reply. So would I need to disjoin them from my domain? and then re-join them to the Azure AD domain?
I'm just wondering what the ramifications are if they remain joined to our on-prem domain but never again have a line of sight to our on-prem domain controller or VM domain controller through a tunnel.
If they are disjoined will their on-prem AD credentials still serve to be their login via syncing to Azure? And if we have special granular password policies through our third-party software in on-prem Domain Controller we just direct their password reset to connect to VPN?


Hello @JohnQ-7759 ,

As the comment section has a 1000-character limitation, I have added the details within the answer itself. Please check the same and let me know in case you have any further queries, and I will be happy to help. If the information provided in the answer is helpful, please do mark it as the answer in the interest of other community members with similar questions.

Thank you.


@JohnQ-7759 I am just following up on this thread to see if you have had a chance to look into the above. In case you still have any questions, please do let us know and we will be happy to help. If the post does answer your query, please do mark it as the answer so that it helps others in the community.

Thank you.


Hi @shashishailaj Thanks I really appreciate the feedback. I hate when people don't respond on forums, but we should always remember to respond to the responders as well.
Your information is helpful, and I'm ready to move forward with testing it all out in the real world and seeing what different things we may have to try in our environment.
Regards
