AD joined, Azure AD joined, Hybrid Joined and Azure AD registered devices- what’s the difference?

Val Komarovskiy, MBA

Four modes of device-to-domain relationship in Microsoft environments: the differences and capabilities of AD joined, Azure AD joined, Hybrid Joined and Azure AD registered devices.

AD Joined: devices joined to On-Premises Active Directory

AD Joined devices are connected to and managed by an on-premises Active Directory (AD) domain controller in a traditional Active Directory domain.

Users log in with AD credentials, and policies and security configuration elements are managed primarily through Group Policy Objects (GPOs).

These devices are typically used in on-premises environments where the organization’s IT infrastructure relies on Active Directory for authentication and device policy management. Azure IaaS could be configured as an AD site as part of a classic AD architecture.

AD Joined devices have limited connectivity to cloud-based services.

AD joined device capabilities and security configuration

Device capabilities and policy application:

·        Device policies are enforced from on-prem Active Directory GPOs (Group Policy Objects)

·        Device account resides in on-prem Active Directory

·        Only on-prem AD can be used to process a user logon and hold the identity

·        The device must log on to on-prem AD to process GPOs

·        No GPO application limitations, as long as the GPOs are compatible with the OS of the device and the device is on-prem AD joined rather than a workgroup member

·        Can be Intune managed, but will require deployment of an Intune connector

·        Devices can also be managed by SCCM; the SCCM management agent and enrollment are required

·        Device account policies will be inherited from on-prem Active directory

·        User account policies will be inherited from on-prem Active directory

·        Conditional Access policies are not applied based on device specifics

·        Not subject to Intune device compliance policies and rules

·        SSO capable – Single Sign-On is available and is configurable through Azure AD Connect

Azure AD Joined: devices joined to Azure Active Directory

Azure AD Joined devices are joined to and managed by Azure Active Directory (Azure AD), which is a cloud-based identity and access management service from Microsoft. Soon to become Microsoft Entra ID.

Users log in using their Azure AD credentials and identity. Device Identity also lives in Azure AD and device management and settings are controlled through Microsoft Intune (or other MDM solutions integrated with Azure AD).

Azure AD Joined devices are commonly used in modern workplaces with a cloud-first approach, where users access cloud-based services and resources and devices have better integration with cloud services.

Azure AD Joined device capabilities and security configuration

Device capabilities and policy application:

·        Device policies are enforced from User and Device policy in Intune and Azure Security Center

·        Device account resides in Azure Active Directory

·        Only an Azure AD identity can be used to process a user logon

·        GPOs are not used for policy enforcement

·        Intune or Endpoint Manager is the device management point

·        Devices can be managed by on-premises SCCM; an HTTPS-enabled management point is required

·        Conditional Access policies are available for the device and user

·        Device and User security is achieved via Azure policy, Intune device compliance policies, security policies and rules

·        SSO – Single Sign-On capable from an Azure AD joined device

Hybrid Azure AD Joined: devices that are On-Premises Active Directory and Azure Active Directory joined in a “hybrid mode”

Hybrid Azure AD Join allows on-premises Active Directory-joined devices to be registered in Azure AD. This means the devices maintain a connection to the on-premises Active Directory infrastructure (via domain-join) and are also registered with Azure AD. This configuration provides a seamless experience for users who can sign in with their on-premises AD credentials and access cloud resources using Azure AD credentials.

Hybrid devices are a combination of on-premises AD Joined and Azure AD Joined devices.

These devices are first joined to an on-premises AD domain controller (AD Joined), and then registered with Azure AD to extend the identity into Azure AD.

Users can log in using either their on-premises AD credentials or their Azure AD credentials, depending on the configuration.

Hybrid devices are used when organizations want to maintain their existing on-premises AD infrastructure while also benefiting from a limited set of cloud-based capabilities of Azure AD and Intune. Periodic connection of the device to on-prem AD is required. AD site could be extended into Azure IaaS.

This approach enables a gradual migration from on-premises management to cloud-based management.

Hybrid Azure AD joined device capabilities and security configuration

Device capabilities and policy application for Hybrid Devices:

·        Device policies are enforced from on-prem Active Directory GPOs (Group Policy Objects)

·        Device account resides in on-prem Active Directory

·        On-prem AD is used to process the user logon; periodic logon to the domain is required

·        There are specific GPO elements that cannot apply to hybrid joined devices

·        Devices can be Intune co-managed, with some limitations on management capabilities; Intune enrollment is required

·        Devices can also be managed by SCCM; the management agent and enrollment are required, and an HTTPS-enabled management point is required if the device connects from outside the org network

·        Device account policies will be inherited from on-prem Active directory

·        User account policies will be inherited based on where the user identity resides

·        An Azure AD-only user account will have significant limitations when logging on to hybrid devices

·        A limited set of Conditional Access policies is available for hybrid devices, depending on the identity of the user that is logging on (an on-prem AD identity synced to Azure AD vs. a cloud-only Azure AD user identity)

·        Intune device compliance policies and security rules are enforced based on device management point validation

·        A limited set of Conditional Access policies is available to hybrid-joined devices

·        SSO capable – Single Sign-On is available to on-prem and Azure services

Azure AD Registered: Workgroup or On-Premises AD Domain-Joined devices that are registered with Azure Active Directory

Either an on-premises domain-joined device or a non-domain-joined (workgroup) device can be Azure AD registered. The device stays connected to on-premises Active Directory, or remains outside any domain, and is additionally registered with Azure AD. This configuration is best suited for BYOD (Bring Your Own Device) scenarios where the device needs to use cloud-based features and services provided by Azure AD.

Azure AD registered device capabilities and security configuration

Device capabilities and policy application:

·        Device policies are enforced from on-prem Active Directory GPOs (Group Policy Objects) when the device is domain joined

·        Device account resides in on-prem Active Directory, or the device is not joined to any domain

·        An on-prem AD identity or a local user account on the device is used to process the user logon to the device

·        The Azure AD account is used to log on to Azure AD to access cloud-based services

·        On-prem GPOs are in effect if the user processes a domain logon on the device

·        No GPO application limitations, as long as the GPOs are compatible with the OS of the device and the device is on-prem AD joined rather than a workgroup member

·        A limited subset of Intune management capabilities is available; the user must consent, and devices are treated as personal devices that are Intune registered

·        Devices can also be managed by SCCM; the SCCM management agent, enrollment and on-prem domain join are required

·        Device account policies will be inherited from on-prem Active Directory

·        User account policies will be inherited from on-prem Active Directory

·        A limited set of Conditional Access policies is available for Azure AD registered devices; the device must be Intune enrolled

·        A limited set of Intune device compliance policies and security rules is enforced if the device is registered successfully with Intune; user consent is required

·        SSO capable – Single Sign-On is available to cloud resources
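The four join states above map directly onto the Device State and User State fields that the built-in `dsregcmd /status` command reports on Windows. The following PowerShell function, added here as an example and not part of the original article, parses that output and names the join mode so an administrator can confirm which set of policy and Conditional Access behaviours applies to a given machine; the sample output embedded at the end is constructed for offline testing.

```powershell
# Added example (not from the article): classify a Windows device into one of the
# four join states by parsing "dsregcmd /status" output. AzureAdJoined, DomainJoined
# and WorkplaceJoined are real dsregcmd fields; the sample block below is constructed.
function Get-DeviceJoinState {
    param(
        # Lines of "dsregcmd /status" output; defaults to the live command on this host.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints fields as "   AzureAdJoined : YES"; keep only YES/NO fields.
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $aad = $state['AzureAdJoined']   -eq $true   # Device State section
    $dom = $state['DomainJoined']    -eq $true   # Device State section
    $wpj = $state['WorkplaceJoined'] -eq $true   # User State section (Azure AD registration)

    if ($dom -and $aad) { return 'Hybrid Azure AD joined' }
    if ($aad)           { return 'Azure AD joined' }
    if ($dom -and $wpj) { return 'AD joined and Azure AD registered' }
    if ($dom)           { return 'AD joined (on-premises only)' }
    if ($wpj)           { return 'Azure AD registered (workgroup / BYOD)' }
    return 'Workgroup, not registered with Azure AD'
}

# Constructed sample resembling the output of a hybrid-joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusLines $sample
```

Run the function without arguments on a live machine to classify that host; a device that reports DomainJoined and WorkplaceJoined but not AzureAdJoined is the AD joined plus Azure AD registered case described in the last section, not a hybrid join.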