The Pros and Cons of Hybrid Azure AD Join

Synchronizing device objects to the cloud unlocks several cloud-enabled security features.

Published: Jan 02, 2025


What are the benefits of a Hybrid Azure AD (Microsoft Entra ID) Join? I hear this question a lot, especially since I’ve published many videos referring to Hybrid Azure AD joins as a bad idea. Synchronizing existing on-premises Active Directory (AD) devices to Entra ID is beneficial, but for new devices, leveraging the security and flexibility of cloud-native solutions is preferred. Let’s find out why.

What is Hybrid Azure AD?

First, let me briefly cover what Hybrid Active Directory is in this context. ‘Hybrid AD’ is the common name for what Microsoft calls Hybrid Microsoft Entra joined Windows devices. Microsoft Entra ID, of course, is the new name for Azure Active Directory. So:

Hybrid AD = Hybrid Azure Active Directory join = Hybrid Microsoft Entra join.

Simple, right?

Names aside, it actually is quite simple. A device that is joined to an on-premises Active Directory domain and synchronized to Microsoft Entra ID is a ‘Hybrid joined device’. The device has a computer object in the on-premises AD domain and a corresponding synchronized device object in the Microsoft Entra ID tenant; it is that cloud object that cloud services and policies can reference.

Note, however, that we’re specifically talking about computers, here, not people or user identities. This is vital to highlight, because it’s entirely possible (and very common) for an organization to leverage the benefits of Hybrid User Identities, without using Hybrid Microsoft Entra joined devices.

Benefits of Hybrid Azure AD?

There are many benefits to synchronizing on-premises AD devices to the cloud. Most of them are related to the fact that synchronizing device objects to the cloud unlocks several cloud-enabled security features that make accessing and using Microsoft cloud services easier and more secure.

When you synchronize a device, features such as:

become available, leveraging the device’s object in the cloud to enable additional capabilities.

How is Hybrid Azure AD enabled?

Enabling Hybrid Microsoft Entra join is relatively easy. In fact, most organizations already have the required Microsoft Entra Connect (formerly Azure AD Connect) in place, as it is the same tool used to synchronize user identities for Microsoft 365 email.

It’s simply a case of selecting ‘Configure device options’ when configuring (or reconfiguring) Microsoft Entra Connect, enabling Hybrid Microsoft Entra join, and creating a ‘Service Connection Point’ (SCP) that devices read to discover your organization’s Entra tenant. One caveat worth knowing before you tick that box: the SCP is written to the forest’s configuration partition, so every domain-joined Windows 10/11 device that can read it will attempt to register with the tenant automatically. If you want to pilot with a subset of devices instead, Microsoft documents a client-side registry setting (TenantId and TenantName under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD) that takes the place of the forest-wide SCP for those devices.

Configure a Service Connection Point (SCP) so devices can discover the tenant and hybrid join (Image credit: Microsoft – https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join)
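As an added example (this is not code from the article or from Microsoft’s documentation), the following PowerShell checks the forest’s configuration partition for the hybrid-join SCP, creates it if it is missing, verifies that it names the tenant you expect, and then parses dsregcmd /status on a client to confirm the device actually reached the hybrid-joined state. The tenant ID, the verified domain name and the helper function names are assumed placeholders; the SCP distinguished name and the azureADName/azureADId keyword format follow the layout Microsoft publishes for manual SCP configuration.

```powershell
# Added example, not from the article. Assumes the RSAT ActiveDirectory module,
# an account allowed to write to the configuration partition, and the two
# placeholder tenant values below (replace them with your own).
Import-Module ActiveDirectory

$verifiedDomain = 'contoso.com'                            # assumed placeholder
$tenantId       = '00000000-0000-0000-0000-000000000000'   # assumed placeholder

# The SCP lives at a fixed, well-known DN in the forest configuration partition,
# so it is read by every domain-joined Windows client in the forest.
$configNC = (Get-ADRootDSE).configurationNamingContext
$drcPath  = "CN=Device Registration Configuration,CN=Services,$configNC"
$scpName  = '62a0ff2e-97b9-4513-943f-0d221bd30080'

function Get-HybridJoinScp {
    # Returns the SCP with its keywords, or $null if the container or SCP is absent.
    try {
        Get-ADObject -SearchBase $drcPath -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=serviceConnectionPoint)(cn=$scpName))" `
            -Properties keywords -ErrorAction Stop
    } catch {
        $null
    }
}

function Test-HybridJoinScp {
    # A stale or wrong azureADId would send every domain-joined device to
    # register with the wrong tenant, so check both keywords explicitly.
    param([Parameter(Mandatory)] $Scp)
    $kw = @($Scp.keywords)
    return ($kw -contains "azureADName:$verifiedDomain") -and
           ($kw -contains "azureADId:$tenantId")
}

function New-HybridJoinScp {
    # Creates the container (if needed) and the SCP with the two keywords
    # Windows expects: azureADName:<verified domain> and azureADId:<tenant id>.
    $container = Get-ADObject -SearchBase "CN=Services,$configNC" -SearchScope OneLevel `
        -LDAPFilter '(cn=Device Registration Configuration)' -ErrorAction SilentlyContinue
    if (-not $container) {
        New-ADObject -Name 'Device Registration Configuration' -Type container -Path "CN=Services,$configNC"
    }
    New-ADObject -Name $scpName -Type serviceConnectionPoint -Path $drcPath `
        -OtherAttributes @{ keywords = @("azureADName:$verifiedDomain", "azureADId:$tenantId") }
}

function Get-DeviceJoinState {
    # Client side: dsregcmd /status prints 'Key : Value' lines; a hybrid-joined
    # device reports both DomainJoined and AzureAdJoined as YES.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        DomainJoined  = $state['DomainJoined']
        AzureAdJoined = $state['AzureAdJoined']
        TenantName    = $state['TenantName']
        HybridJoined  = ($state['DomainJoined'] -eq 'YES' -and $state['AzureAdJoined'] -eq 'YES')
    }
}

# --- Forest side: make sure the SCP exists and points at the right tenant ---
$scp = Get-HybridJoinScp
if ($null -eq $scp) {
    Write-Host 'No hybrid-join SCP found; creating it (this is forest-wide).'
    New-HybridJoinScp | Out-Null
    $scp = Get-HybridJoinScp
}
if (Test-HybridJoinScp -Scp $scp) {
    Write-Host "SCP OK: $($scp.keywords -join '; ')"
} else {
    Write-Warning "SCP exists but names a different tenant: $($scp.keywords -join '; ')"
}

# --- Client side (run on a domain-joined Windows 10/11 device) ---
Get-DeviceJoinState | Format-List
```

Run the forest-side part once from an admin workstation with RSAT; the client-side function is what you run on a test device after a reboot and a sign-in, since the registration happens in a scheduled task and the AzureAdJoined value only flips to YES once it has completed.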

Why not to use Hybrid Azure AD?

So, if synchronizing on-premises devices to Entra ID unlocks many benefits, is relatively easy, and has no immediate downsides – why on earth did I publish a video calling it a mistake?

Once again, it’s all about context. The video I published was specifically referring to Hybrid Microsoft Entra join devices when considering Windows Autopilot. Windows Autopilot for Hybrid Microsoft Entra join devices is the process of using Windows Autopilot (the cloud provisioning platform for Windows devices) to build on-premises Active Directory devices that then synchronize to become Hybrid Microsoft Entra join devices. This is a bad idea.

It all comes down to where we start, and where we’re going

For example, if you have existing Windows devices joined to on-premises Active Directory, synchronizing them to Entra ID so that they’re ‘Hybrid’ is a good move.

If, on the other hand, you need to build fresh new devices and want to leverage the security, flexibility and speed benefits of Windows Autopilot, trying to join them to your on-premises Active Directory (and then synchronize them) is not a good move at all.

“Ah, but”, I hear you say, “we need on-premises Active Directory joined devices for (insert reason here)”.

  • If the ‘reason’ is actually valid for all devices and workloads (there’s a good chance it’s not, so you should actually check), then now is not a good time to be revolutionizing device builds with Windows Autopilot. Simply keep building devices the way you always have, until the ‘reason’ is no longer valid.
    • A parallel school of thought is that if the ‘reason’ is only valid for a subset of users who rely on a specific app or service, then use the existing device provisioning approach for these users, and move the rest of the organization to Entra ‘cloud native’ devices.
  • If the ‘reason’ isn’t valid at all, then use the transition to Windows Autopilot as a kick-starter to Entra ‘cloud native’ devices.

Microsoft originally positioned Hybrid Azure Active Directory join as a ‘bridge’ to ‘modern’ (now known as cloud native) device management. The analogy worked in theory, but there are now too many organizations that have made the transition to Hybrid Microsoft Entra joined devices (and so are stuck in the middle of the bridge) with no concrete plans to continue the journey to cloud native.

So much so that they are looking to streamline their current processes (such as device builds) for the current state by trying to make Windows Autopilot work for hybrid devices.

I believe this stagnation is due to the cost of moving a device from Hybrid Microsoft Entra joined to cloud native. The cost, according to Microsoft, is a full device reset: there is no Microsoft-supported method to migrate a Windows device from Hybrid to cloud native without one.

This table from the Microsoft documentation gives a good summary of when to use Entra join vs. Hybrid Entra join in a given scenario.

Scenario: You’re provisioning new Windows endpoints
  • ✔️ Microsoft Entra join (recommended)
  • Hybrid Microsoft Entra join: You can use Hybrid Microsoft Entra join for new endpoints, but it’s typically not recommended. When joined using Hybrid Microsoft Entra join, you might not get to use the modern features built into Windows 10/11.

Scenario: You have existing, previously provisioned Windows endpoints that are hybrid Microsoft Entra or AD joined
  • ✔️ Hybrid Microsoft Entra join (recommended): If you have existing endpoints that are joined to an on-premises AD domain (including hybrid Microsoft Entra joined), then hybrid Microsoft Entra join is recommended. Devices get a cloud identity and can use cloud services that require a cloud identity. For end users with existing endpoints, this option has minimal impact.
  • Microsoft Entra join: Existing devices joined to an on-premises AD domain (including hybrid Microsoft Entra joined) must be reset to become Microsoft Entra joined. If they can’t be reset, then there’s no supported Microsoft path to Microsoft Entra join them.

Table 1 – Entra join vs. Hybrid Entra join
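Before applying that table, it helps to know how many devices sit in each column today. As an added example (not code from the article or from Microsoft), the following PowerShell uses the Microsoft Graph SDK to count Windows devices by the trustType value Entra ID records for each join type, and flags how many in each group have not signed in for 90 days, which is where a stalled ‘middle of the bridge’ population usually shows up. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can consent to Device.Read.All; the function name and the 90-day threshold are my own choices.

```powershell
# Added example, not from the article. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in account can consent to Device.Read.All.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Device.Read.All'

# Entra ID records the join type in the device's trustType property:
#   AzureAd   = Microsoft Entra joined (cloud native)
#   ServerAd  = Hybrid Microsoft Entra joined (on-prem AD object synced up)
#   Workplace = Microsoft Entra registered (BYOD / workplace join)
$joinTypeNames = @{ AzureAd = 'Entra joined'; ServerAd = 'Hybrid Entra joined'; Workplace = 'Entra registered' }

function Get-JoinTypeSummary {
    # Counts Windows devices per join type, plus how many per group have not
    # signed in within $StaleDays (assumed 90-day threshold).
    param([object[]] $Devices, [int] $StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $Devices |
        Where-Object { $_.OperatingSystem -eq 'Windows' } |
        Group-Object TrustType |
        ForEach-Object {
            $name = if ($joinTypeNames.ContainsKey($_.Name)) { $joinTypeNames[$_.Name] } else { 'Unknown' }
            [pscustomobject]@{
                TrustType  = $_.Name
                JoinType   = $name
                Count      = $_.Count
                StaleCount = @($_.Group | Where-Object { $_.ApproximateLastSignInDateTime -lt $cutoff }).Count
            }
        }
}

$devices = Get-MgDevice -All -Property 'id,displayName,trustType,operatingSystem,approximateLastSignInDateTime'
Get-JoinTypeSummary -Devices $devices | Format-Table -AutoSize
```

A large ServerAd count with a high StaleCount is the signature of devices that were synchronized but never moved on; since the only supported path from ServerAd to AzureAd is a reset, those are the devices worth scheduling for a rebuild rather than for more hybrid tooling.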

Hybrid devices are here to stay for now, but only because many organizations aren’t prepared to invest time and resources into removing blockers to cloud native.
