r/SysAdmin: Windows Hello for Business - Cloud Trust Guidance

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/sysadmin/comments/wmn80f/windows_hello_for_business_cloud_trust_guidance/

Question

I have users working full time remote, hybrid, and full time onsite. Should I join my users' computers as Azure joined, hybrid joined or both?

Answer

If all your applications are able to use the SSO mechanisms built into Azure AD, then always go AzureAD joined, since it's the modern technology.

If you have to retain connections to "legacy" software or file servers that don't do SAML, OpenID and the other good stuff, but instead rely on Kerberos and LDAP, you will have to do Hybrid Join to keep your users happy.

Just be informed that Hybrid Join is up there in difficulty and complexity, and you never have much fun diagnosing it, since you essentially have to keep two IdPs in sync all the time, which, as you can imagine, is challenging.

Comment 1 on Answer

What do you mean keeping two Identity Providers in sync? Currently, I’m using Azure as my idp.

My response to comment 1

Well, Hybrid Join essentially means your computers are both Azure AD and AD joined, so two IdPs.

Yes, Azure AD Connect is usually well-behaved and syncs AD with Azure AD (and back, if you configure it) well, but when there are problems, you can and will have a config split between Azure AD and AD, which is not fun.

And to evaluate, since I reread the last sentence in your post: there is no "both" between Azure AD Join and Hybrid Join.

You can either do Azure AD Join, Hybrid Join or don't use the cloud at all and do a normal Domain Join with AD OnPrem.

The "Hybrid" in Hybrid Join means that Azure AD and AD get combined on one PC to access both worlds through SSO, cloud and OnPrem.
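As an added illustration (not part of the original thread), the join state described above can be read off a PC with the built-in `dsregcmd /status` tool: `AzureAdJoined` and `DomainJoined` together mean Hybrid Join, `AzureAdJoined` alone means pure Azure AD Join, and `DomainJoined` alone means a classic on-prem domain join. The script below parses that output into one object; the function name, the parameter and the field list are choices made for this example, and it assumes a Windows 10/11 host where `dsregcmd.exe` is available.

```powershell
# Added example, not code from the original Reddit thread.
# Classifies the local PC's join state by parsing `dsregcmd /status`,
# the built-in Windows tool that reports Azure AD / AD join and PRT state.
# Assumption: run on Windows 10/11; a normal user session is enough.

function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Lets you feed captured dsregcmd output (e.g. from a remote box);
        # defaults to the live output of this machine.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Key : Value" lines; keep only the keys we need.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|AzureAdPrt|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined    = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $fields['DomainJoined']  -eq 'YES'

    # There is no "both": the combination of the two flags IS the join type.
    if ($aadJoined -and $domainJoined) {
        $joinType = 'Hybrid Azure AD joined'
    }
    elseif ($aadJoined) {
        $joinType = 'Azure AD joined'
    }
    elseif ($domainJoined) {
        $joinType = 'On-prem domain joined only'
    }
    else {
        $joinType = 'Not joined (workgroup)'
    }

    [pscustomobject]@{
        JoinType      = $joinType
        AzureAdJoined = $aadJoined
        DomainJoined  = $domainJoined
        DomainName    = $fields['DomainName']   # on-prem AD domain, if any
        TenantName    = $fields['TenantName']   # Azure AD tenant, if any
        # The Primary Refresh Token is what gives SSO to cloud resources.
        # A hybrid-joined PC with no PRT is the classic "two IdPs out of sync" symptom.
        HasPrt        = $fields['AzureAdPrt'] -eq 'YES'
    }
}

Get-DeviceJoinState | Format-List
```

On a hybrid-joined PC you expect `AzureAdJoined`, `DomainJoined` and `HasPrt` all `True`; `HasPrt` turning `False` is the first thing to check when SSO to cloud apps breaks after an AD or Azure AD Connect change.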
Comment 2 on Answer

I do have Azure AD Plan 1 licenses for my users, but not Intune. So does that mean I would need to go with Hybrid Join?

My response to comment 2

Intune is recommended as the device management solution most compatible with AzureAD Join. It makes everything smoother, but is not a must-have without which you can't do pure AzureAD Join.

Comment 2.1 on Answer

If I want to push policies (Group Policies) to computers from Azure, I would need Intune license. Is that correct?

My response to comment 2.1

Almost. In the classic sense, GPOs won't exist anymore. Instead you have security and configuration profiles that cover most of the settings GPOs would. However, PowerShell script deployment, software installs etc. are in completely different places.

Microsoft is growing the config possibilities you can achieve with Intune, but we do not yet have a 100% GPO replacement; some things you just can't do (easily) yet.