116: Deploy Hybrid Entra Join

Overview

Hybrid Microsoft Entra joined: Devices are registered in Microsoft Entra and joined to an on-premises AD domain. You should plan to hybrid join your existing endpoints that are joined to an on-premises AD domain.

Hybrid Microsoft Entra joined devices get a cloud identity and can use cloud services that require a cloud identity. For end users with existing endpoints, this option has minimal impact.

These devices require a network line-of-sight to your on-premises domain controllers (DCs) for initial sign-in and for device management. If the devices can't connect to the DC, then users might be prevented from signing in, and may not receive policy updates.

Scenarios that break without line of sight to your domain controllers include:

• Group policy updates from AD
• Device password change
• User password change (Cached credentials)
• Trusted Platform Module (TPM) reset

Reference

• Plan your Microsoft Entra device deployment
• Enroll a Windows device automatically using Group Policy