Quick Tip: Hybrid Domain Join with Intune
Although the long-term direction for many organizations is a move to Azure Active Directory (Azure AD), plenty still need to domain join devices to a local (on-premises) AD domain because of legacy dependencies.
6/10/2023 update: Azure Active Directory is now called Entra ID.
You can Azure AD join, enroll and provision devices into a Microsoft Intune tenant over the internet. However, the join to the local domain can only complete once the device has line of sight to the local AD (a domain controller). This means a VPN client (along with any certificates it needs) has to be deployed with Intune as a silently installing package (app). Once deployed, the VPN can bring up a connection to the internal network so the device can reach the local directory and complete the domain join automatically.
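As an added example (not code from the original post or from Microsoft), here is a PowerShell check a practitioner can run on an enrolled device to confirm it can actually see the local AD over the VPN before expecting the hybrid join to complete. The domain name `corp.example.com` is a placeholder; the script assumes the in-box Windows VPN client for the connection-state check (third-party Win32 clients are not visible to `Get-VpnConnection`) and otherwise uses only the standard `Resolve-DnsName`, `Test-NetConnection`, `nltest` and `dsregcmd` tools.

```powershell
# Added example (not from the original post): verify that a device has line of sight
# to the on-premises AD domain before expecting a Hybrid Azure AD Join to complete.
# 'corp.example.com' is a placeholder; replace it with your own AD DNS domain name.
$Domain = 'corp.example.com'

# 1. Is the in-box Windows VPN (if that is the client in use) connected?
#    Third-party Win32 clients (GlobalProtect, AnyConnect, ...) do not show up here.
$vpn = Get-VpnConnection -ErrorAction SilentlyContinue |
    Where-Object ConnectionStatus -eq 'Connected'
if ($vpn) { "VPN connected: $($vpn.Name -join ', ')" }
else      { "No in-box VPN connection is reported as Connected" }

# 2. The DC locator depends on DNS SRV records; if they do not resolve through the
#    tunnel, the domain join cannot even start.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV records for $Domain - DNS over the tunnel is not working"
    return
}
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique
"Domain controllers from DNS: $($dcs -join ', ')"

# 3. The join needs Kerberos (88), LDAP (389) and SMB (445) to at least one DC.
#    A BLOCKED port here usually means the VPN split tunnel or firewall rules are wrong.
$ports = 88, 389, 445
foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0,-40} TCP/{1,-4} {2}" -f $dc, $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 4. Ask the DC locator itself; success here means the device really 'sees' the local AD.
nltest /dsgetdc:$Domain

# 5. Current join state as Windows reports it (AzureAdJoined / DomainJoined lines).
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|DomainName'
```

Run it in an elevated PowerShell session on the device after the VPN app has been installed by Intune; if step 2 or 3 fails, the problem is the tunnel (DNS or port rules), not the Autopilot profile.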
Two articles by Michael Niehaus from 2019:
- Windows Autopilot user-driven Hybrid Azure AD Join over the internet using a VPN – Out of Office Hours (oofhours.com)
- Windows Autopilot user-driven Hybrid Azure AD Join: Which VPN clients work? – Out of Office Hours (oofhours.com)
Microsoft Documentation:
- Enrollment for hybrid Azure AD-joined devices – Windows Autopilot | Microsoft Learn
- Stated supported VPN clients:
  - In-box Windows VPN client
  - Cisco AnyConnect (Win32 client)
  - Pulse Secure (Win32 client)
  - GlobalProtect (Win32 client)
  - Checkpoint (Win32 client)
  - Citrix NetScaler (Win32 client)
  - SonicWall (Win32 client)
  - FortiClient VPN (Win32 client)
Palo Alto GlobalProtect specific info:
- Deploy a New Device Using Windows Autopilot and Microsoft Intune (paloaltonetworks.com)
- Integrate with Azure Active Directory (paloaltonetworks.com)
- Windows Autopilot with User-Driven Hybrid Azure AD Domain Join using Palo Alto GlobalProtect VPN | Maniacal Methods (markdepalma.com)
Additional Resources:
- How Azure AD device registration works – Microsoft Entra | Microsoft Learn
- Autopilot Hybrid Azure AD Join Breakpoints – MDM Tech Space (joymalya.com)
- Microsoft Exchange Server 2013 to Office 365: Hybrid Migration Step-by-Step | CBT Nuggets