How to Switch Laptops from AzureAD to Hybrid Domain Join?

Asked By TechWiz42 On

I'm looking for guidance on how to transition laptops that are currently AzureAD joined to a hybrid domain setup. We have some functionalities that are only available in a hybrid setting, so it's essential to make this switch without wiping the devices. I'm tasked with this for about 100 laptops, so any insights or methods you've used would be greatly appreciated. Thanks!

5 Answers

Answered By ServerSavant On

Honestly, there must be a more efficient solution for whatever challenge you’re facing that doesn't strictly require domain-joined devices. Have you thought about alternative configurations?

Answered By ITProDan On

What specific functionalities are you unable to access? I’m curious what requires a hybrid join. For our setup, just using Cloud Kerberos was sufficient for all our on-prem resources, including printers and file shares.

TechWiz42 -

We're mainly having issues accessing some legacy applications and network resources that seem to only work with hybrid joins. I'll definitely look into Cloud Kerberos as a potential solution!

Answered By CloudGuru99 On

Unfortunately, there's no straightforward way to convert Azure AD joined devices directly to Hybrid joined without a domain join, which disrupts the existing Azure-only trust. Most organizations go through the process of unjoining from Entra, joining the on-prem domain, and then allowing Hybrid registration to re-establish through GPO/AD Connect. This approach can keep user data intact, but be prepared for some profile issues and additional cleanup. It's a good idea to double-check what specific on-prem features you’re missing because often, hybrid requirements can be resolved with Kerberos cloud trust or adjustments on the app level. If you really need to do domain joining, it’s manageable for 100 laptops, but I recommend piloting on 1 or 2 devices first to see what issues arise.
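Two of the answers above lend themselves to a concrete check: ITProDan's point that cloud Kerberos trust may already give an Entra-joined laptop SSO to on-prem resources, and CloudGuru99's leave/rejoin sequence for the pilot devices. The PowerShell below is an added example written for this page, not code from any of the answerers or from Microsoft; it reads the device's join state from `dsregcmd /status`, reports whether an on-prem TGT is already being issued, and only when `$DoRejoin` is set performs the leave and domain join. The domain name, OU path and task name are placeholders, and the script expects to run elevated on a Windows 10/11 device.

```powershell
# Added example, not code from the thread. Inspects a Windows device's join state with
# dsregcmd, tells you whether on-prem SSO is already available through cloud Kerberos
# trust (ITProDan's suggestion), and, only when $DoRejoin is $true on a pilot device,
# performs the leave/domain-join sequence CloudGuru99 describes.
# Assumptions (placeholders): domain name, OU path and task name below are invented.

$DomainName = 'corp.example.com'                     # placeholder AD DS domain
$OUPath     = 'OU=Pilot,DC=corp,DC=example,DC=com'   # placeholder OU that the hybrid-join GPO targets
$DoRejoin   = $false                                 # flip to $true on one or two pilot laptops only

function Get-DsregState {
    # Turn the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    return $state
}

function Get-JoinType($state) {
    if ($state['AzureAdJoined'] -eq 'YES' -and $state['DomainJoined'] -eq 'YES') { return 'Hybrid' }
    if ($state['AzureAdJoined'] -eq 'YES') { return 'EntraOnly' }
    if ($state['DomainJoined']  -eq 'YES') { return 'DomainOnly' }
    return 'NotJoined'
}

function Test-CloudKerberosSso($state) {
    # With cloud Kerberos trust working, the SSO State section shows a PRT plus an
    # on-prem TGT obtained from Entra ID. This section reflects the logon session that
    # runs dsregcmd, so check it from the user's own (non-elevated) session.
    return ($state['AzureAdPrt'] -eq 'YES' -and $state['OnPremTgt'] -eq 'YES')
}

$state = Get-DsregState
$join  = Get-JoinType $state
Write-Host "Join type: $join (device $($state['DeviceId']), tenant $($state['TenantName']))"

if ($join -eq 'EntraOnly') {
    if (Test-CloudKerberosSso $state) {
        Write-Host 'On-prem TGT present: cloud Kerberos trust already gives SSO to AD resources.'
    } else {
        Write-Host 'No on-prem TGT. Check cloud Kerberos trust before deciding on a hybrid join.'
    }
}

if ($DoRejoin -and $join -eq 'EntraOnly') {
    # Step 1: leave Entra ID. dsregcmd /leave must run as SYSTEM, so use a one-shot task.
    $action    = New-ScheduledTaskAction -Execute 'dsregcmd.exe' -Argument '/leave'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Pilot-EntraLeave' -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName 'Pilot-EntraLeave'
    Start-Sleep -Seconds 20
    Unregister-ScheduledTask -TaskName 'Pilot-EntraLeave' -Confirm:$false

    # Step 2: join AD DS into the OU covered by the hybrid-join GPO, then reboot.
    # After the reboot the built-in Automatic-Device-Join task re-registers the device
    # as hybrid joined once Entra Connect has synced the computer object; re-run this
    # script and expect "Join type: Hybrid".
    $cred = Get-Credential -Message "Account permitted to join computers to $DomainName"
    Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $cred -Force -Restart
}
```

Run it first with `$DoRejoin` left at `$false` from the signed-in user's session: if it reports an on-prem TGT, the laptop already reaches AD resources through cloud Kerberos trust and the rejoin may be unnecessary. Leaving Entra ID removes the device's existing Entra record and any Intune enrollment tied to it, which is why the rejoin branch is gated to a pilot device and why the existing user profile should be backed up before flipping the switch.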

Answered By NetworkNinja77 On

Have you considered using Kerberos tokens with your AzureAD devices? This can sometimes give you single sign-on (SSO) for various on-prem resources without needing a full hybrid join. It might be worth looking into! [Check this link for more info](https://docs.microsoft.com/en-us/microsoft-365/business/access-resources?view=o365-worldwide).

Answered By SecureHost00 On

It's technically feasible to allow Azure-joined machines to authenticate to domain resources using certificates, but setting up a Public Key Infrastructure (PKI) for that involves quite a bit of work.
