Frequently Asked Questions
Answers to some commonly asked questions when first learning about Hybrid Azure AD Join.
What is Hybrid Azure AD Join?
Hybrid Azure AD Join (HAADJ) is a Microsoft feature that registers your devices in Azure AD while they retain their existing trust with on-premises Active Directory. Group Policy Objects (GPOs) continue to apply, and the device also gains cloud-native features such as Single Sign-On and Conditional Access.
What’s the difference between Hybrid Azure AD Join (HAADJ) and Azure AD Join (AADJ)?
Both Hybrid Azure AD Join and Azure AD Join register your device with Azure AD. Hybrid Azure AD Join is for domain-joined devices that will continue to use the on-premises domain controllers for authentication and management (alongside Azure AD) rather than being purely cloud-based.
Do I need HAADJ if I wish to use Microsoft Endpoint Manager (Intune)?
Yes, for domain-joined devices: they must be Hybrid Azure AD joined before they can be managed by Intune.
What changes will end users see once implemented?
Once joined, the only noticeable difference from a user’s perspective will be their avatar when first signing in, as it will now be an image of a lanyard.
What benefits does Hybrid Azure AD Join provide me?
- Provides access to Azure AD’s Conditional Access features on devices.
- Moves you from Seamless SSO to Primary Refresh Tokens (PRT), which is a more cloud-native form of SSO (Single Sign-On).
- Self Service Password Reset (allows users to reset their domain credentials through Azure AD).
- First steps towards implementing Microsoft Endpoint Manager (Intune).
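A practical way to confirm that a device actually has the state these benefits depend on (domain joined, Azure AD joined, and holding a PRT for the signed-in user) is to parse the output of `dsregcmd /status`. The script below is an added example written for this FAQ, not Microsoft's code; it runs offline against a constructed sample and can be pointed at a live device by passing `(dsregcmd /status)` instead.

```powershell
# Added example: verify Hybrid Azure AD Join state and PRT presence from dsregcmd /status.
# Assumes dsregcmd.exe (Windows 10/11) is run in the session of the user being checked,
# because the AzureAdPrt line reflects that user's session, not the device as a whole.

function Get-DsregState {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Status lines look like "    AzureAdJoined : YES"; keys containing spaces are skipped.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([Parameter(Mandatory)][hashtable]$State)
    $domainJoined  = ($State['DomainJoined']  -eq 'YES')
    $azureAdJoined = ($State['AzureAdJoined'] -eq 'YES')
    [pscustomobject]@{
        DomainJoined   = $domainJoined
        AzureAdJoined  = $azureAdJoined
        IsHybridJoined = ($domainJoined -and $azureAdJoined)   # both must hold for HAADJ
        HasPrt         = ($State['AzureAdPrt'] -eq 'YES')       # cloud SSO active for this user
    }
}

# Constructed sample of the relevant dsregcmd /status lines so the script runs offline.
$SampleStatus = @(
    '            AzureAdJoined : YES',
    '         EnterpriseJoined : NO',
    '             DomainJoined : YES',
    '               DomainName : CORP',
    '               AzureAdPrt : NO'
)

$check = Test-HybridJoin -State (Get-DsregState -Lines $SampleStatus)
$check | Format-List

if (-not $check.IsHybridJoined) {
    Write-Warning 'Device is not Hybrid Azure AD joined; device-based Conditional Access policies will not apply to it.'
} elseif (-not $check.HasPrt) {
    Write-Warning 'No PRT in this user session; cloud SSO is not active. Check Azure AD connectivity and that the account is synced.'
}
```

On a real device replace `$SampleStatus` with `(dsregcmd /status)`; the sample deliberately shows a joined device whose user has no PRT, which is the common "joined but SSO not working" case.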
Can users change their domain password externally?
No. Authentication is still handled by the on-premises domain controller. However, if Self Service Password Reset is configured, end users can reset their domain password online, and the new password is synchronized back to the domain controller.