I've been diving into Entra Joined machines and I'm a bit puzzled about why I should move away from my local Domain Controllers (DCs), which are also handling DNS and DHCP, to a cloud-based domain controller with Entra. I get that there's some advantage, but I'm thinking DCs are still necessary if I have on-prem servers since, as far as I know, you can't currently join servers to Entra. Plus, I would need to deal with relocating my DNS and DHCP servers across different sites. I'm looking for a sanity check on this; I feel like sticking with Hybrid makes more sense for me right now. I'm having trouble finding solid documentation comparing when to use hybrid versus full Entra join. Most sources just say to drop Hybrid, without much explanation. Any advice would be appreciated! My setup includes several physical locations with both physical and virtual DCs at most sites, along with multiple servers in each location. We have some resources in the cloud, but I don't think it suits the majority of our needs, especially for large files that require quick access.
5 Answers
We opted for Entra Join mainly due to Autopilot. It's way simpler to buy a laptop, send it directly to remote employees, and have them just sign in and get everything set up. This works much better with Entra since Hybrid Join needs the domain to be available, which is a problem for employees working from home. Entra Joined devices can still authenticate to on-premises resources without issues thanks to Cloud Kerberos.
We had to use something like a VPN tunnel for our remote connections with Hybrid. It’s definitely doable!
Don't stress too much about a full migration if you're not ready. Hybrid works perfectly in your situation. You can run Entra alongside your Domain Joined machines as you gradually transition. Just keep your Entra Connect updated – that’s key!
Since you have multiple locations and a strong on-prem setup, it sounds like staying Hybrid is the best choice for you. You can still have both Entra Joined and Domain Joined machines working together as you transition.
Hybrid Join gives you the advantages of AD but needs a direct line of sight to the DC for logins and GPO processing. Autopilot can be more complex with Hybrid due to all the extra requirements, while Entra Join only needs internet access, making it less prone to failure. Just keep in mind, managing certain things in Intune can be trickier than in GPO, like registry keys.
From a security standpoint, Entra Joined devices can help guard against lateral movement in case of a breach on your local network. If you're contemplating a passwordless future, Entra is the way to go. It allows more advanced authentication methods that you might not get with Hybrid.
Totally agree! Understanding Cloud Trust is essential for Entra Joined devices to function effectively in various environments.
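The Cloud Kerberos / Cloud Trust point raised in the answers above is something you can verify per device rather than take on faith. The PowerShell below is an added example, not code from anyone in this thread: it parses the key/value lines that `dsregcmd /status` prints, classifies the device as Entra joined, Hybrid, or domain-only, and reports whether a PRT and an on-prem TGT are present (the TGT is what Cloud Kerberos trust hands to an Entra Joined device so it can reach on-prem file shares). The field names `AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `OnPremTgt` and `CloudTgt` are taken from typical `dsregcmd` output and are assumptions here; the sample output is constructed, not captured from a real machine.

```powershell
# Added example (not from the thread): classify join state and check whether
# the Cloud Kerberos trust path has produced an on-prem TGT, using the
# "Name : VALUE" lines that dsregcmd /status prints.
# Assumed field names: AzureAdJoined, DomainJoined, AzureAdPrt, OnPremTgt, CloudTgt.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        # Keep only well-formed "Name : VALUE" pairs; section banners are skipped
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    return $map
}

function Get-JoinAssessment {
    param([Parameter(Mandatory)][hashtable]$Status)
    $entra  = $Status['AzureAdJoined'] -eq 'YES'
    $domain = $Status['DomainJoined']  -eq 'YES'
    $joinType = if ($entra -and $domain) { 'Hybrid Entra joined' }
                elseif ($entra)          { 'Entra joined' }
                elseif ($domain)         { 'Domain joined only' }
                else                     { 'Not joined' }
    [pscustomobject]@{
        JoinType        = $joinType
        HasPrt          = ($Status['AzureAdPrt'] -eq 'YES')   # Entra sign-in token present
        CloudKerberosOk = ($Status['OnPremTgt']  -eq 'YES')   # on-prem TGT via Cloud Kerberos trust
    }
}

# Constructed sample output (not captured from a real device)
$sample = @(
    '| Device State                                                         |',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '| SSO State                                                            |',
    '                AzureAdPrt : YES',
    '                 OnPremTgt : YES',
    '                  CloudTgt : YES'
)
Get-JoinAssessment -Status (ConvertFrom-DsregStatus -Lines $sample)

# On a real device, feed the live output instead of the constructed sample:
# Get-JoinAssessment -Status (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

With the constructed sample the result is `JoinType = Entra joined`, `HasPrt = True`, `CloudKerberosOk = True`. A device that shows `OnPremTgt : NO` while `AzureAdPrt : YES` is signed in to Entra but has not obtained a Kerberos ticket for the on-prem domain, which is the state to look for when Entra Joined users report they cannot open on-prem shares.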