Help CenterMigrating devices from Entra Hybrid Join to Entra Join is an important step for organizations embracing a modern, cloud-first IT infrastructure. Starting with this configuration sets a strong foundation for security, scalability, and simplified management.
Since our initial engagement with Microsoft around Zero Trust security, we have decided to start with Entra Join instead of Hybrid Join, aligning with Microsoft's recently adjusted recommendations. Here’s why it’s beneficial to start with Entra Join for both new deployments and device refreshes, and how group policies should be managed during the transition.
1. Start with a Cloud-First Approach
Entra Join is designed for organizations moving towards a cloud-first model, reducing reliance on traditional on-premises infrastructure. This move ensures your environment is prepared for modern cloud management:
- Simplified Management: Entra Join allows you to manage devices entirely through the cloud, leveraging tools like Microsoft Intune for centralized configuration, policy enforcement, and monitoring. This eliminates the complexity of managing hybrid-joined devices that require both on-premises and cloud management.
- Scalability: By standardizing on Entra Join, organizations can scale their device management practices as they grow, without the need for extensive changes in infrastructure. This configuration provides a more straightforward path for new device provisioning, management, and updates.
2. Issues with Hybrid-Joined Devices
While Hybrid Join adds the PC to Azure AD and enables the use of conditional access and other controls, it also introduces several challenges, particularly for devices that do not consistently connect to a VPN or corporate network. Some of the most common issues include:
- Machine Account Password Changes: Hybrid-joined devices may face issues with machine account password rotations if they do not connect to the VPN regularly. This can lead to domain trust issues and require manual intervention.
- User Password Changes and Caching: When users change their Active Directory (AD) passwords, hybrid-joined devices may fail to cache the new credentials unless connected to the VPN. This can result in authentication issues, particularly for remote users who are not regularly connected to the corporate network.
- TPM Resets: Trusted Platform Module (TPM) resets may not properly sync with the domain if hybrid-joined devices do not have a secure connection to the on-premises network.
- Group Policy Updates: Devices that are hybrid-joined but not frequently connected to the VPN will not receive updated or new Group Policies (GPOs). This can result in outdated or incomplete policies being applied, which impacts security and compliance.
- AD Security Group Membership Changes: Hybrid-joined devices will not receive updates to AD security group memberships unless they regularly connect to the VPN, potentially restricting access to resources or applications.
- Certificates: Certificate issuance and renewal for hybrid-joined devices can be delayed if the device does not frequently connect to the corporate network, which can lead to authentication failures or service disruptions.
- Conflicts Between Intune and Group Policy Settings: Hybrid-joined devices are subject to management by both on-premises Group Policies and Intune policies. These dual management configurations can result in conflicts, where settings pushed by Intune may override or be overridden by Group Policy settings. This leads to inconsistencies, especially in security, device configurations, or compliance policies, making management more complex and increasing the risk of devices being misconfigured. Resolving such conflicts can be time-consuming for IT teams.
3. New Users and Devices
When deploying new devices and users, adopting Entra Join from the start is the best approach. This ensures a cloud-native device management setup that eliminates hybrid complexities. Key benefits include:
- Consistent Deployment: Using Entra Join with new devices ensures they are automatically enrolled in Microsoft Intune, where configuration profiles, security baselines, and policies can be uniformly applied.
- Future-Proofing: With the future of IT management leaning heavily into cloud services, beginning with Entra Join for new devices ensures you’re prepared to leverage ongoing improvements and features in Microsoft's cloud ecosystem.
4. Handling Device Refreshes
As devices are refreshed or re-assigned to new users, it’s crucial to migrate them from Entra Hybrid Join to Entra Join. Instead of carrying over legacy configurations from previous users, reprovisioning devices under Entra Join ensures they meet current standards for security and management.
- Reset and Re-enrollment: When a device is refreshed, reset it and re-enroll it into Entra Join through Microsoft Autopilot. This ensures that the device gets the latest security baselines and configuration policies from Intune.
- Consistency Across Devices: Reprovisioning refreshed devices ensures all users, regardless of device, operate under the same cloud-managed policies. This streamlines IT management, reducing the need for manual intervention.
5. Important Considerations Before Migrating to Entra Join
Before migrating from Entra Hybrid Join to Entra Join, ensure that no on-premises applications are relying on machine authentication. Additionally, pay attention to the configuration of certificates for connecting to Wi-Fi access points, especially when using RADIUS. RADIUS typically relies on the presence of an on-premises computer object for authentication. In this scenario, you can use certificates pushed via Intune or user credentials to authenticate to Wi-Fi as an alternative to the on-premises setup.
6. Moving Existing Devices to Entra Join
If managing devices with both Group Policy and Intune is proving challenging, you may want to consider moving existing devices from Entra Hybrid Join to Entra Join. This involves disconnecting devices from the local Active Directory and joining them to Entra ID. During this process, users will receive a new user profile. However, to mitigate disruptions and preserve continuity, you can use tools like ProfWiz to adjust the user profile, migrating their old local profile to the new Entra ID profile. This ensures that users maintain access to their familiar settings, files, and configurations, minimizing the impact of the transition.
7. Migrating Group Policies to Intune
A key part of transitioning from hybrid join to Entra Join is managing group policies. Migrating from traditional Group Policies to Intune-based policies is essential for maintaining consistent configurations while embracing a cloud-first management approach.
- Security Policies: Rather than migrating legacy security policies, it’s best to adopt Microsoft Security Baselines in Intune. These pre-configured templates are built around best practices for modern security management and ensure that devices comply with today’s standards.
- Configuration Settings: Any configuration settings in Group Policy should be migrated to Intune Configuration Profiles. These profiles replicate the functionality of Group Policy in a cloud-native environment, allowing for centralized and scalable device management.
- Scripts for Unsupported Settings: If certain settings are not yet supported in Intune, PowerShell or custom scripts can be deployed to enforce those configurations. Intune allows for the addition of scripts to fill gaps until full support is available.
- Policy Analysis with Group Policy Analytics: Before migrating, use tools like Group Policy Analytics in Intune to import and analyze existing GPOs. This will help you determine which policies can be recreated in Intune and which may no longer be relevant, enabling a more streamlined and efficient transition.
Conclusion
Migrating devices from Entra Hybrid Join to Entra Join, starting with new configurations, is the best path for a modern, cloud-first organization. This approach streamlines management through Intune, ensures scalability, and simplifies device deployment and refresh processes. By migrating configuration settings to Intune profiles and adopting security baselines, organizations can phase out legacy infrastructure while maintaining robust security and operational consistency across their device fleet. With Microsoft's updated recommendations and a Zero Trust security foundation, moving forward with Entra Join is the optimal strategy for a more secure and manageable future.
Transitioning away from hybrid join addresses common issues such as password rotations, policy updates, and connectivity-dependent security measures, ensuring your devices are fully equipped to operate in a cloud-first, modern management environment.