Hybrid Azure AD joined devices
Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Azure Active Directory (Azure AD) by implementing hybrid Azure AD joined devices. These devices are joined to your on-premises Active Directory and registered with Azure Active Directory.
Hybrid Azure AD joined devices require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable. If this requirement is a concern, consider Azure AD joining your devices.
|Hybrid Azure AD Join||Description|
|Definition||Joined to on-premises AD and Azure AD requiring organizational account to sign in to the device|
|Primary audience||Suitable for hybrid organizations with existing on-premises AD infrastructure|
|Applicable to all users in an organization|
|Operating Systems||Windows 10, 8.1 and 7|
|Windows Server 2008/R2, 2012/R2, 2016 and 2019|
|Provisioning||Windows 10, Windows Server 2016/2019|
|Domain join by IT and autojoin via Azure AD Connect or ADFS config|
|Domain join by Windows Autopilot and autojoin via Azure AD Connect or ADFS config|
|Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 - Require MSI|
|Device sign in options||Organizational accounts using:|
|Windows Hello for Business for Win10|
|Device management||Group Policy|
|Configuration Manager standalone or co-management with Microsoft Intune|
|Key capabilities||SSO to both cloud and on-premises resources|
|Conditional Access through Domain join or through Intune if co-managed|
|Self-service Password Reset and Windows Hello PIN reset on lock screen|
|Enterprise State Roaming across devices|
Use Azure AD hybrid joined devices if:
- You support down-level devices running Windows 7 and 8.1.
- You want to continue to use Group Policy to manage device configuration.
- You want to continue to use existing imaging solutions to deploy and configure devices.
- You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.