Advice on Joining On-Prem Users to Azure AD with Seamless SSO

Asked By CuriousNinja47 On

I'm in the process of integrating my on-premises environment with Azure AD and could use some guidance from anyone with experience in this area. I have everything set up with my domain and tenant, and I'm comfortable with hard-matching a few test profiles. Now, I want to ensure that users can seamlessly log into their on-premises accounts as they do normally, but with the added benefit of single sign-on (SSO) on hybrid-joined workstations.

Right now, all workstations are registered, and I have some Intune-managed mobile devices. My main concern is about the device sync in Connect Sync — I want to avoid any issues where registered devices could get overwritten or broken during this process.

Can anyone provide insights on the process I should follow? I'm thinking it might look something like this:
1. Hard-match the user objects and let them sit for a week.
2. Configure the "hybrid Azure AD Join" in Connect Sync.
3. Set up the service connection point (SCP).

Should I hybrid join devices first? Also, will hybrid joining affect my entire OU structure, or can I control this to only a few workstations at a time? I want to maintain consistency in user profiles across the transition, especially since everyone is already using OneDrive effectively. Is there any risk in breaking user accounts or devices that would require me to back up 365 mailboxes and data before testing?

Thanks in advance for any shared experiences or advice!
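The three steps listed above, turned into pre-flight checks and dry-run changes. This is an added example written for this page, not the asker's or any answerer's code. It assumes the RSAT ActiveDirectory module, the Microsoft.Graph.Users module, and an existing Connect-MgGraph session with User.ReadWrite.All; the function names and the jdoe/contoso identities are placeholders. It covers step 1 (computing the ImmutableId that Connect Sync will send and comparing it with the cloud object before writing anything) and step 3 (reading the forest-wide SCP). For the scoping question, it also shows the documented alternative to the SCP for a pilot: the client-side HKLM\...\CDJ\AAD key, which is how hybrid join is limited to a handful of workstations instead of every domain-joined machine.

```powershell
# Added example for this thread; not code from the asker or answerers.
# Assumes: RSAT ActiveDirectory module, Microsoft.Graph.Users module, and an
# existing session from:  Connect-MgGraph -Scopes 'User.ReadWrite.All'
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users

function Get-OnPremImmutableId {
    # Base64 of the source anchor Connect Sync will send for this user.
    # Assumption: the Connect install uses ms-DS-ConsistencyGuid as the anchor (the
    # current default). While that attribute is still empty, Connect copies objectGUID
    # into it on first sync, so objectGUID yields the same value up front.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $bytes = if ($u.'mS-DS-ConsistencyGuid') { [byte[]]$u.'mS-DS-ConsistencyGuid' } else { $u.ObjectGUID.ToByteArray() }
    [Convert]::ToBase64String($bytes)
}

function Test-HardMatch {
    # Compare what on-prem will send with what the cloud object already carries.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $expected = Get-OnPremImmutableId -SamAccountName $SamAccountName
    $cloud = Get-MgUser -UserId $UserPrincipalName -Property id,userPrincipalName,onPremisesImmutableId,onPremisesSyncEnabled
    [pscustomobject]@{
        UPN           = $UserPrincipalName
        Expected      = $expected
        Current       = $cloud.OnPremisesImmutableId
        Matches       = ($cloud.OnPremisesImmutableId -eq $expected)
        AlreadySynced = [bool]$cloud.OnPremisesSyncEnabled
    }
}

function Set-HardMatch {
    # Write the anchor only to a cloud-only user that has none; every other state is a
    # stop-and-look condition. -WhatIf makes the first pass a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $r = Test-HardMatch -SamAccountName $SamAccountName -UserPrincipalName $UserPrincipalName
    if ($r.Matches)       { Write-Verbose "$UserPrincipalName already matched"; return $r }
    if ($r.AlreadySynced) { throw "$UserPrincipalName is already sync-managed; change the anchor in Connect Sync, not in the cloud" }
    if ($r.Current)       { throw "$UserPrincipalName already has ImmutableId $($r.Current); investigate before overwriting" }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set onPremisesImmutableId = $($r.Expected)")) {
        Update-MgUser -UserId $UserPrincipalName -OnPremisesImmutableId $r.Expected
    }
    Test-HardMatch -SamAccountName $SamAccountName -UserPrincipalName $UserPrincipalName
}

function Get-HybridJoinScp {
    # The SCP that hybrid-join clients discover. The container GUID is fixed by Microsoft;
    # no object here means nothing is being hybrid joined forest-wide yet.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$cfg"
    try { $scp = Get-ADObject -Identity $dn -Properties keywords -ErrorAction Stop } catch { return $null }
    $kw = @($scp.keywords)
    [pscustomobject]@{
        TenantName = ($kw -match '^azureADName:') -replace '^azureADName:', ''
        TenantId   = ($kw -match '^azureADId:')   -replace '^azureADId:', ''
    }
}

function Set-HybridJoinPilotTarget {
    # Controlled validation: instead of publishing the forest-wide SCP, point only pilot
    # machines at the tenant with this client-side key (push it with a GPO linked to a
    # pilot OU). Machines without the key keep their current registered state.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid]$TenantId,
        [Parameter(Mandatory)][string]$TenantName   # a verified domain, e.g. contoso.com (placeholder)
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if ($PSCmdlet.ShouldProcess($key, 'Set TenantId / TenantName')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name TenantId   -Value $TenantId.ToString()
        Set-ItemProperty -Path $key -Name TenantName -Value $TenantName
    }
}

# Usage (placeholder identities):
# Test-HardMatch -SamAccountName jdoe -UserPrincipalName jdoe@contoso.com
# Set-HardMatch  -SamAccountName jdoe -UserPrincipalName jdoe@contoso.com -WhatIf
# Get-HybridJoinScp
# Set-HybridJoinPilotTarget -TenantId <tenant guid> -TenantName contoso.com -WhatIf
# dsregcmd /status   # on the pilot workstation; AzureAdJoined should read YES after the next sign-in
```

Run Test-HardMatch across the pilot users first: any row with Matches false and Current populated is the case where a soft match or an earlier manual ImmutableId disagrees with what Connect Sync will send, and that is what produces duplicated or orphaned cloud users after the first sync cycle. Set-HybridJoinPilotTarget is deliberately separate from Get-HybridJoinScp so the forest-wide SCP can stay unpublished until the pilot OU has been through a few sign-ins.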

2 Answers

Answered By OnPremPro20 On

Yeah, you’ve nailed it! Your endgame of integrating more with Azure makes a lot of sense. It sounds like you’re planning out a solid strategy since you have a limited team.

Once you’re fully integrated, transitioning to GCC-High is definitely a bigger step, but it sounds like you've got a plan. Just take it step by step, especially with so much to manage. Plus, a site-to-site connection with a DC in Azure could also be on the table later.

Best of luck with the matching and getting that SSO set up!

Answered By TechSavvyTom On

It sounds like your first goal is to match on-premises users with their cloud counterparts, then set up Seamless SSO. You’re on the right track! Hard or soft matching users and deploying the Seamless SSO GPO is typically low risk. Just know that user data shouldn’t get overwritten, and if a user account is deleted, it can be restored from the Entra recycle bin.

As for hybrid joining and device sync, that's mainly necessary for Intune management, so make sure you have a strong plan for that. What’s your thought process there?
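Two things the answer above relies on, shown as an added example that is not the answerer's code: verifying on a workstation that the Seamless SSO GPO actually took effect, and restoring a soft-deleted user from the Entra recycle bin. The registry paths are the ones the "Site to Zone Assignment List" policy and a manual Internet Options entry write; the restore functions call the Graph deletedItems endpoints through Invoke-MgGraphRequest and assume a Connect-MgGraph session with User.ReadWrite.All. Function names and the jdoe@contoso.com identity are placeholders.

```powershell
# Added example for this thread; not the answerer's code.
# Assumes: Microsoft.Graph.Authentication and, for the restore part, an existing
# session from:  Connect-MgGraph -Scopes 'User.ReadWrite.All'
#Requires -Modules Microsoft.Graph.Authentication
$SsoUrl = 'https://autologon.microsoftazuread-sso.com'

function Test-SeamlessSsoClient {
    # Seamless SSO needs the autologon URL in the Local intranet zone (zone 1) so the
    # browser is willing to send a Kerberos ticket to it. Check both the GPO-written
    # policy value and a manual per-user entry, then whether a ticket has been issued.
    $fromPolicy = foreach ($hive in 'HKLM', 'HKCU') {
        $p = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path $p) { (Get-ItemProperty -Path $p).$SsoUrl }
    }
    $manualKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'
    $fromManual = if (Test-Path $manualKey) { (Get-ItemProperty -Path $manualKey).https }

    # After one successful SSO sign-in the user holds a ticket for the SSO computer
    # account's SPN; klist lists it as Server: HTTP/autologon.microsoftazuread-sso.com
    $hasTicket = @(& klist.exe 2>$null) -match 'HTTP/autologon\.microsoftazuread-sso\.com'

    [pscustomobject]@{
        IntranetZoneViaGpo    = ([string[]]$fromPolicy -contains '1')
        IntranetZoneManual    = ($fromManual -eq 1)
        KerberosTicketPresent = [bool]$hasTicket
    }
}

function Get-DeletedEntraUser {
    # Soft-deleted users stay restorable for 30 days. Their UPN is rewritten on delete
    # (object id prefixed), so match on the tail rather than on equality.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user?$select=id,userPrincipalName,displayName,deletedDateTime'
    $items = @()
    do {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $uri
        $items += $page.value
        $uri    = $page.'@odata.nextLink'
    } while ($uri)
    $items | Where-Object { $_.userPrincipalName -like "*$UserPrincipalName" }
}

function Restore-DeletedEntraUser {
    # Refuses to guess when the tail match is ambiguous; -WhatIf shows what would be restored.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $hits = @(Get-DeletedEntraUser -UserPrincipalName $UserPrincipalName)
    if ($hits.Count -ne 1) { throw "Expected exactly one deleted object for $UserPrincipalName, found $($hits.Count)" }
    if ($PSCmdlet.ShouldProcess($hits[0].userPrincipalName, 'Restore from deleted items')) {
        Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/directory/deletedItems/$($hits[0].id)/restore"
    }
}

# Usage:
# Test-SeamlessSsoClient                       # on a pilot workstation, as the signed-in user
# Restore-DeletedEntraUser -UserPrincipalName jdoe@contoso.com -WhatIf
```

If Test-SeamlessSsoClient reports the zone entry present but no ticket, the usual causes are a user who has not yet opened a browser-based sign-in since the GPO applied, or a client that cannot reach a domain controller for the Kerberos exchange; the GPO itself is in place. A restore puts the object back with its original id and licences, which is why the answer treats an accidental deletion during matching as recoverable rather than something to back mailboxes up against.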
