Hey everyone, I'm considering rolling out Hybrid Entra device join after my team showed interest in the benefits of features like WHFB and Intune. However, since we're in a specialized industry, it's critical that we maintain our on-prem devices for specific connections. I've always been cautious about cloud adoption, especially regarding devices, and I'm worried about the impact on our on-prem domain when I initiate the device sync.
We've been using Entra ID Connect sync for Exchange Online and other M365 cloud services for over eight years without issues. My concerns revolve around the implications of enabling device sync and whether it could disrupt our on-prem setup, particularly our domain controllers.
Currently, I've set up a specific OU for testing, but my old sys admin instincts make me hesitant. Can anyone share how safe it is for the on-prem domain? Will the workstations in the specified OUs automatically register with Entra during their next query to Domain services once I hit the sync button? Also, what's the best way to safely revert changes if needed, and will user sync still work as expected? Just to note, all our endpoint workstations are running Windows 11 and I don't plan to sync OUs that include servers, since they are 2019 or newer. Thanks for any insights!
5 Answers
From what I know, the default setup for Entra device sync is one-way, meaning it primarily syncs to Entra without affecting your on-prem domain. You should be safe, especially since you've successfully connected other services for a while now. Just make sure you’re aware of the writeback options; that’s where you can run into issues if enabled inadvertently. But overall, it sounds like you’re in a good position to test it out!
Instead of worrying about the risks, I suggest testing a native one first! You’ll find that you can still access domain resources from non-domain machines within certain setups. If you go the hybrid route, remember it should only be a temporary solution while transitioning to fully Entra joined devices in the future.
If you want specialized advice, consider reaching out to forums dedicated to Intune. They often have great insights! Just so you know, if you’re using Autopilot for provisioning, avoid hybrid joins completely—best to go straight to a pure Entra setup when deploying new machines. And it’s always crucial to verify your UPN settings before diving in, since mismatches can lead to lots of issues. Good luck!
Thanks for the heads-up! I didn’t realize that. I’ll double-check those UPNs before doing anything.
A big advantage of hybrid join is enabling Single Sign-On (SSO) for Microsoft applications, which can be a huge benefit. If you’ve got users already hybrid joined, device joining shouldn’t cause issues for your apps. Just ensure all your UPNs align correctly between your AD and Entra ID to avoid any headaches.
Totally, SSO makes things much smoother! Just be cautious about UPNs—those do need to match up or it'll get messy.
I’ve seen hybrid join lead to complications due to misunderstandings about its necessity. In many cases, full Entra join might suffice for your use case without needing a hybrid setup at all. It’s worth exploring testing fully Entra joined machines to see if they can access your on-prem resources without issue. You might surprise yourself!
That’s a solid point; testing it out could save you some headaches down the road!
Exactly! Just keep in mind that as long as you keep the writeback option off, you should notice minimal risk. You've got this!
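Two of the checks recommended above (verifying that UPN suffixes in AD match domains verified in Entra ID, and confirming device writeback is off before pressing sync) can be scripted into a pre-flight run on the Entra Connect server. The following is an added example, not code from any poster in this thread or from Microsoft; it assumes the RSAT ActiveDirectory module and the ADSync module that ships with Entra Connect are installed, that the pilot OU path and verified domain list are edited to match your tenant (both are placeholders), and that `Get-ADSyncAADCompanyFeature` exposes a `DeviceWriteBack` property (an assumption; inspect the `Format-List` output if the property name differs in your version).

```powershell
# Pre-flight checks before enabling hybrid device sync for a pilot OU.
# Example code added to this thread; assumptions: run as admin on the Entra Connect server,
# ActiveDirectory (RSAT) and ADSync modules available. Edit the two placeholders below.

Import-Module ActiveDirectory
Import-Module ADSync

$PilotOU         = "OU=HybridJoinPilot,OU=Workstations,DC=corp,DC=example"  # placeholder
$VerifiedDomains = @("corp.example.com")  # placeholder: custom domains verified in Entra ID

# 1. Scope check: the pilot OU should contain only Windows 11 workstations, never servers.
$devices = Get-ADComputer -SearchBase $PilotOU -Filter * -Properties OperatingSystem
$servers = $devices | Where-Object { $_.OperatingSystem -like "*Server*" }
if ($servers) {
    Write-Warning ("Server objects found in pilot OU, remove them before syncing:`n" +
                   ($servers.Name -join "`n"))
}
"Devices in $PilotOU by OS:"
$devices | Group-Object OperatingSystem | Format-Table Name, Count -AutoSize

# 2. UPN alignment: a user whose UPN is missing or whose suffix is not a verified Entra
#    domain (e.g. .local) will land in Entra with a mismatched UPN and break SSO.
$users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
$badUpn = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = "<none>"; Reason = "missing UPN" }
        continue
    }
    $suffix = $u.UserPrincipalName.Split('@')[-1]
    if ($VerifiedDomains -notcontains $suffix) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            Reason         = "suffix '$suffix' is not a verified Entra domain"
        }
    }
}
if ($badUpn) {
    Write-Warning "$(@($badUpn).Count) user(s) have UPNs that will not match Entra ID:"
    $badUpn | Format-Table -AutoSize
} else {
    "All enabled user UPNs use a verified domain suffix."
}

# 3. Writeback: the one-way sync described in the thread only holds while writeback is off.
$features = Get-ADSyncAADCompanyFeature
"Entra Connect tenant features:"
$features | Format-List
if ($features.DeviceWriteBack) {   # assumed property name; verify against the list above
    Write-Warning "Device writeback is ENABLED: Entra will create objects in on-prem AD."
} else {
    "Device writeback is off; sync is one-way from AD to Entra ID."
}

# 4. Scheduler state, so you know when the next delta cycle will pick up the pilot OU.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
```

Run it before changing OU filtering in the Entra Connect wizard, fix anything it warns about, and keep the output as a baseline; if you later need to revert, removing the OU from the sync scope and letting a delta cycle run is the same one-way operation in reverse, which is why the writeback check in step 3 matters most.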