Last updated on September 26th, 2022 at 10:30 am
As organizations continue to expand their remote workforces, those refusing to adopt modern cloud solutions are neglecting tools that enhance mobility and productivity. They’re also putting corporate data at higher risk of compromise by not taking advantage of modern cloud security solutions. It wasn’t that long ago where nearly all employees were reporting to an office, and business IT infrastructure was in-house, or in a datacenter. Smaller companies usually had one main location with their servers and storage, and larger companies had several locations using MPLS to interconnect numerous offices and/or datacenters with low latency connections. However, these traditional solutions were geared towards most work being performed in a corporate office, not remotely.
With the push for remote work over the last few years, it’s become easier for organizations to decentralize their resources and move to SaaS and other cloud-based solutions. This transition has been easier for smaller businesses who don’t have many business applications, and aren’t reliant on legacy client/server applications. Regardless of the circumstances, those who were brave enough eliminate their server footprint and move to pure SaaS solutions are far ahead of their competitors from the standpoint of user mobility, device management, and security. In addition to SaaS solutions, there are also IaaS and PaaS solutions to move traditional server workloads to the cloud, making them more secure and remote worker friendly. However, we won’t be focusing on those solutions in this article. Instead, we will focus primarily on user endpoint devices (Desktops/Laptops and mobile devices), Azure Active Directory, and MEM (Microsoft Endpoint Manager). Azure AD and MEM are modern cloud solutions built to manage and secure corporate devices and data, regardless of where users are working.
Traditional models used desktops and laptops located primarily in an office to access resources, also usually located in the office. With a remote workforce, your users and devices are decentralized, making them a primary weakness for your business data. Now, more than ever, businesses need solutions to secure and manage remote users and devices. Keeping company data secure while still allowing for a remote-worker friendly experience is a challenge many businesses don’t know how to deal with. Sometimes it’s not 100% achievable in the short term, but planning the proper solution from the beginning is the most important step. Without going deep into technical details, here is a quick list of immediate benefits if a business goes full SaaS solutions, and embraces Azure AD and Microsoft Endpoint Manager for identity and device management:
- No servers to patch, maintain, or backup.
- Less IT overhead since there are no on-premises servers to maintain
- No need for client VPN back to an office since resources are all SaaS and cloud based. Users can work anywhere with an internet connection.
- Centralized remote device management with Azure AD & Microsoft Intune
- Autopilot for automatic provisioning of remote devices (i.e. – ship device to a user new in box, and the device provisions itself)
- Additional security controls, such as conditional access and risky sign-ins to protect corporate data
- Remote device patching and application deployments with Microsoft Intune
- Mobile Application Management for secure access to company data on non-corporate owned mobile devices (if you aren’t familiar with MAM, see my post here)
- Device encryption with decryption keys stored off-site in Azure AD
- Remote wipe capabilities for lost or stolen devices
None of the mentioned benefits are 100% achievable with the traditional IT model of business applications and data and user authentication being located on-premises. Many IT professionals will argue that on-premises Active Directory with Group Policy can do some of the same things if you use a hybrid cloud model. This is mostly true, but to integrate Azure AD with AD, we need to use Azure AD Connect. AD Connect is a great tool, but if you’re using it, you still have on-prem servers to maintain and manage, adding to your administrative overhead and overall infrastructure complexity. So, as a CIO or IT director, you need to look closely at your on-prem workloads and get answers to some important question: Who is using these workloads? Are you maintaining servers for a department of only a few people that use an application? Can these applications be moved to a web-based SaaS solution? Do the applications use Active Directory authentication? Is anything using LDAP queries? Is Active Directory machine authentication being used anywhere? These are some questions that need to be answered to plan what your future model should look like. When considering eliminating Active Directory and moving to pure Azure AD for identity and device management, your outcome will probably end up in one of the three options below:
Option 1 – Serverless environment with SaaS cloud-based resources
You’ve identified that your on-prem workloads can be moved to SaaS cloud solutions. In this case, you have no need for servers. For example, you’ll migrate QuickBooks to QuickBooks Online, your estimating software has web-based solution you can migrate to, and you’re file shares will be migrated to SharePoint online. All user, device, and application management will be handled by Microsoft Azure AD & Endpoint Manager. Devices will be Azure AD joined and Intune managed. Option 1 is the clear choice if you can go that route, but not all businesses can go with Option 1. If you’re still a young business, or you’re planning to start a business, you should be basing your IT Strategy off Option 1. The downside to this option, is moving devices from Active Directory domain joined to Azure AD joined requires some additional work. However, once you make the move, your business is poised for a much more efficient, secure, and scalable endpoint and identity management solution.
Option 2 – Some Servers, Maintain AD, but Endpoint devices are Cloud Managed.
In this situation, you have certain workloads that cannot be migrated from a traditional server environment, and there is still reliance on Active Directory. For example, you may have an ERP system installed on a server that uses AD Authentication and has no SaaS or hosted solution available (these workloads can still be moved to Microsoft Azure PaaS/IaaS solutions so they’re not on-premises!). Because of this, you are stuck having to keep Active Directory and your ERP servers around (at least for the near future). In this situation, most people immediately think to use Hybrid Azure AD Join. Sure, you can do that, but you probably don’t need to (I’ll explain more in detail later on). The better solution here, is to confirm machine authentication is not being used for anything (it rarely is) and use Azure AD Join for the endpoints, while maintaining Active Directory and Azure AD connect for synchronization of user identities to Azure AD. More on this later also, because synchronized user identities have magic built in, allowing SSO to on-premises resources from Azure AD Joined devices.
Option 3 – Some Servers, Maintain AD. Solutions are still reliant on AD/GPO, Machine Auth, and/or other on-premises solutions:
This is the only real situation where Hybrid Azure AD Join is necessary. In this situation, you’ll maintain a traditional server footprint (whether it be physical or cloud-based IaaS), Active Directory, leverage Azure AD Connect to synchronize user identities, and Hybrid Azure AD Join your endpoints. This is the most complex solution, but the only option in certain situations. This is often a solution for larger organizations and enterprises. You still get the benefits of endpoint manager and additional security solutions, such as conditional access, but you still have servers and workloads to maintain, adding to the complexity of the overall solution.
Hybrid Azure AD Join (HAADJ) vs AzureAD Join (AADJ)
When you are faced with Option 2 or 3, its important to understand what HAADJ is and how it differs from AADJ. They both say Azure AD Join, so they’re the same when it comes to being joined to Azure AD, right? No, let’s take a closer look. When a device is Hybrid Azure AD Joined, its really not “joined” to Azure AD. The name is deceiving. A HHADJ device is still domain joined to Active Directory, but via AD connect, the device also gets registered to Azure AD. Users log in with domain credentials and authenticate through the domain (or with cached domain credentials if they are off-site). If these devices are still reliant on group policy, they will need periodic line-of-sight to a domain controller. So, these devices should be using a client or point-to-site VPN at least periodically for group policy updates. If a device is Azure AD Joined, it’s joined to the corporate cloud-based Azure AD. Users authenticate with their Azure AD account, and all authentication occurs in Azure AD.
So, a hybrid “joined” device is essentially just an Active Directory joined device with a device registration in Azure AD. Hybrid Joined devices can still be enrolled with Intune and benefit from the set of features available in Microsoft Endpoint Manager. There’s just more complexity, moving parts, and things remember. For example, if you use autopilot for your HAADJ devices, your users need line-of-sight to a domain controller for the initial login. Otherwise, they’ll have no cached credentials and won’t be able to sign into their device off-site. There are ways around this with always-on VPN, but that’s one more thing to configure and maintain.
Surely there is an easy way to migrate devices from HHADJ to AADJ, right?
The short answer is no. This is a big reason why I am writing this. Too often, organizations go straight to HAADJ thinking that’s what they should do if they use Active Directory (or they’re too scared to ditch it). Remember, hybrid joined devices are really still domain joined devices. User profiles on those devices will be under the SID of the domain user object. If you want to convert a HAADJ device to AADJ, you need to do it manually, or wipe & Autopilot the device. In either case, the user will receive a new user profile once the device is an AADJ device. You can try solutions like profwiz to make this a little easier, but there is still manual work involved.
But I have on prem resources like file shares and software that uses AD auth, so I need to be Hybrid joined, right?
Probably not. In the vast majority of cases, the computer object being used does not need to be AD joined for users to access on prem resources. This goes back to the questions we asked earlier. Unless AD machine authentication is being used for something, the device can be AADJ and still access on-prem resources with SSO if the user signing in is synchronized with Azure AD Connect. This is important to understand. If you have users who occasionally go into the office, their devices can be AADJ, and they’ll still have access to the on-prem resources when they are in the office without additional authentication. Things GPOs are traditionally used for, like mapped drives and printer deployments, can be deployed with Intune. Additional details on how SSO to on-premises resources works with Azure AD joined devices can be found here.
Basically, don’t Hybrid Join your devices unless you need to!
Now that you have a better understanding of the options when it comes to modernizing the management of your endpoints, you can plan more appropriately. Start with option 1 and move down to option 2 and then 3 if you need to. Because of the difficulty moving from Hybrid Azure AD Join to pure Azure AD Join, you should avoid HAADJ for any devices where it’s not required. If you are unsure – do a pilot group with several AADJ devices in your environment to verify everything works properly. If only one department requires HAADJ, you can have a mix of HAADJ and AADJ devices. You can also be conservative with the migration if you want to. Grandfather all existing devices in as HAADJ devices, and migrate them in phases, or make all new devices AADJ moving forward, and slowly phase out the old HAADJ devices. Don’t tether your devices to Active Directory if you don’t need to. Lastly, don’t be afraid to get rid of your servers (if you can), and embrace modern cloud solutions. This is especially true for Endpoint Management. If you still have questions or are unsure on modern endpoint management solutions, contact a cloud professional to assist.