Hybrid Azure AD joined devices
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
- IT departments to manage work-owned devices from a central location.
- Users to sign in to their devices with their Active Directory work or school accounts.
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Configuration Manager or group policy (GP) to manage them.
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These devices, are devices that are joined to your on-premises Active Directory and registered with your Azure Active Directory.
|Hybrid Azure AD Join||Description|
|Definition||Joined to on-premises AD and Azure AD requiring organizational account to sign in to the device|
|Primary audience||Suitable for hybrid organizations with existing on-premises AD infrastructure|
|Applicable to all users in an organization|
|Operating Systems||Windows 10, 8.1 and 7|
|Windows Server 2008/R2, 2012/R2, 2016 and 2019|
|Provisioning||Windows 10, Windows Server 2016/2019|
|Domain join by IT and autojoin via Azure AD Connect or ADFS config|
|Domain join by Windows Autopilot and autojoin via Azure AD Connect or ADFS config|
|Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 - Require MSI|
|Device sign in options||Organizational accounts using:|
|Windows Hello for Business for Win10|
|Device management||Group Policy|
|Configuration Manager standalone or co-management with Microsoft Intune|
|Key capabilities||SSO to both cloud and on-premises resources|
|Conditional Access through Domain join or through Intune if co-managed|
|Self-service Password Reset and Windows Hello PIN reset on lock screen|
|Enterprise State Roaming across devices|
Use Azure AD hybrid joined devices if:
- You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.
- You want to continue to use Group Policy to manage device configuration.
- You want to continue to use existing imaging solutions to deploy and configure devices.
- You must support down-level Windows 7 and 8.1 devices in addition to Windows 10