It has finally arrived, and while writing this we are hopefully getting close to a general availability release. I’m talking about the Azure AD joined Windows 365 machines!
This is something that makes this solution a truly cloud-based solution since we can now let go of the on-premises AD for the device part (let’s face it, we still have our users in there in the real world).
However, there are still use cases for both scenarios, depending on what your want’s and need’s are! So there is a decision to make here, and it might be that you need both!
The difference
Let’s start of by briefly looking at what the difference between Azure AD joined and hybrid joined is, and I’ll simply A LOT now.
Having a Azure AD joined computer means that the device is only registered to the Azure AD, which is your cloud AD so to speak. This AD is a lot different than your traditional AD since you are missing things like OUs and GPOs for example. The cloud relies on a flatter and different approach to handling objects and settings. I’ve once gotten Azure AD explained to me once as one big AD forest where each tenant is an OU, just to put it in perspective. Joining a computer only to Azure AD also means that there will be NO trace of the computer object in the on-premise AD, hence we cannot use the computer object to authenticate towards things but you can still use e.g. Kerberos for SSO.
If you join your computer to the Azure AD you would typically manage it from Microsoft Intune.
Having a Hybrid Azure AD joined computer means that we join the computer to both the on-premise AD and the Azure AD. One could say you get the best out of both worlds. That is to some extent true, but you are still very reliant on your computer talking to a domain controller to get policy updates, since you would in many case manage these computers with GPOs.
Hybrid Azure AD joined devices are typically co-managed by Configuration Manager and Microsoft Intune. But you can of course manage them using only Microsoft Intune as well.
With that said, it comes down to your tools and needs in what approach is best for your Cloud PC.
Advantages hybrid Azure AD joined Cloud PC
So one of the biggest advantage with hybrid Azure AD joined Cloud PCs are that you know this already and most likely this is how you manage your physical PCs today. You have them hybrid joined, manage them with some GPOs, maybe some Intune policies and you also add some Config Manager stuff on top. Nothing strange here, this is just another computer but is virtual. You still need the Microsoft Endpoint Manager admin center to configure your Cloud PC provisioning, but the rest is like you know by heart. A setup you know, love, and trust!
Using hybrid join is also great for those applications requiring a computer object to be present in the AD for authentication or such. Or it could just be as simple that you need “system” to be able to access a file share. Then this is perfect!
Hybrid joined Cloud PCs are no different from your regular PCs in that sense, they are just physically in the Microsoft datacenter.
BUT by using hybrid joined Cloud PCs you still have great dependency towards your on-premise infrastructure.
Advantages Azure AD joined Cloud PC
The benefits with the Azure AD joined Cloud PC can be argued to be the exact opposites as the hybrid join. No GPOs, no ConfigMgr, no hybrid. No legacy stuff. Just cloud.
However, I would say that that’s not where the strength lies with Azure AD joined Cloud PC. The strength that I’ve seen when you combine this with thinking about where these computers should be hosted. With Azure AD joined you can either host them on a Azure VNet you manage, or you can choose to use the Microsoft managed VNet which is basically on internet.
Hybrid joined Cloud PCs can only be hosted on a Azure VNet in your subscription, which is great! You are in full control of the traffic flows and can put them on the corporate network if you like. This also goes for Azure AD joined.
Azure AD joined Cloud PCs are similar to having a “cloud only” physical client. You manage it with only cloud tools and you shouldn’t have o big dependencies towards on-premise services. You will manage it from Microsoft Intune and GPOs are now a thing of the past.
For many organizations, this is a journey. Moving to cloud based management is a journey which many are on. Utilizing Windows 365 Cloud PC to get going could be a great place to start, since your users will then potentially have both of your two worlds!
Conclusion
Choosing one or the other comes down to what your needs are, and how you would like to manage your devices.
If you are yet not on your road to Azure AD only devices, well then you will probably need the hybrid joined version for the time being. But like I said earlier, you can of course have both and transition over.
If you have a group of users who only need access to e.g. SaaS based applications, then what’s the point in putting them “behind the firewall”? There are so many scenarios for which you can say the one or the other is the best, but what’s best for you might not be the best for someone else.
I personally is a firm believer and advocate for going cloud only for device management so I always try to challenge to see how far you can take it. It’s usually further than you would think. Same goes for Windows 365, make use of the fact that it’s a cloud service and native to Microsoft Endpoint Manager by going Azure AD only. You can still put the device on “corp-net” using Azure VNets, but skip the on-premise AD stuff.
Adding Azure AD joined will increase the scenarios, and it’s actually a lot easier to get started with Azure AD only then involving on-premise AD, which in an IT organization often means that you need the identity team to help you to some extent.
If you want to get started with cloud management for devices, looking at setting up Azure AD join for Cloud PCs and manage them through Microsoft Endpoint Manager is a great place to start!
