Australia | Late Night Brew: Unpacking the Benefits of Hybrid Join

Robert Buktenica - 11.07.2024


Late Night Brew: Unpacking the Benefits of Hybrid Join


Welcome to a special episode of Late Night Brew! Tonight, we’re talking about all things hybrid join.  

Many organisations are yet to enable hybrid join because they assume they don’t need it. However, turning on hybrid join offers multiple advantages, from improving your employees’ user experience to preparing you to enable other services, such as Intune, Microsoft Defender for Endpoint and others. 

Join Robert Buktenica and Aaron Parker in this enlightening discussion now!

TIMESTAMP

00:07 – Introduction
00:40 – The Brew    
01:27 – What exactly is hybrid join?
04:30 – Why is hybrid join important?

TRANSCRIPT

Introduction     

Robert Buktenica: Hello, everyone. And welcome to another episode of the Late Night Brew where we talk the brews first, then we get around to what we’re supposed to do after the fact. Joining me on this great episode on Hybrid Join is Aaron Parker. Welcome back to another episode, man. 

Aaron Parker: Good morning. Good evening, I should say. How are you doing? 

The Brew

Robert: I am doing good, especially now that I’m filming. So the most important question of the day — evening — is, of course, what brew are you having with me? 

Aaron: So I am drinking a Moon Dog pale ale. I think pale ale is certainly not for everyone, but I do enjoy them every now and then. I think this one's... It is a little bit cold out here, but this one is definitely a good summer drink. 

Robert: Ah, got to love the refreshing. I am still drinking a summer drink, even though it’s cooling off here. I apologise to every Austrian here because I’m going to slaughter this name. Hirter Morchl Dark Lager. 

Aaron: Nice.

What exactly is hybrid join? 

Robert: I love a good dark. Dark IPA, black IPA, black lagers, they've got... I love that vault for whatever reason. Very refreshing. Now on to hybrid join. What exactly is it? 

Aaron: Yeah, well, so look, I thought a back-to-basics style session talking about hybrid join is important because I talk to a lot of customers around things like Configuration Manager and Microsoft Intune and authentication when they're on a desktop device or something like Microsoft Defender for Endpoint. And I'm surprised to see the number of customers who have not yet enabled hybrid join. 

So when I'm talking hybrid join, we're talking hybrid Azure AD join and what's now called Entra hybrid joined. I've got to get used to the new terminology. It's going to take a little bit, so we might stumble over that name a bit. 

Robert: Don’t worry, though. By the time we get used to it, they’ll change it again. 

Aaron: So, it’s a really important piece that you need to get into place. And as I say, I’m surprised by the number of environments that have not enabled it or enabled it at this point. 

So, they’re out there. They’re in several different camps. Either they don’t know what Hybrid Join is, or they know what Hybrid Join is and they’ve only enabled it for a subset of machines, or they’re saying, yeah, we’ll enable Hybrid Join and we’ll get to it at some stage. 

So, we're talking about different types of projects like Configuration Manager with co-management, Microsoft Intune, Microsoft Defender for Endpoint. It's a prerequisite for enabling these products and getting onboarded quickly: you've got to do this preparation work beforehand. 

Why is hybrid join important?

Robert: Yeah, that’s a great, you know, where and what is it getting used for, those pieces, parts across. Now, beyond the obvious of hey, we want to better manage our devices, of course, why is this so important? Or why is it so important to turn it on, I should say? 

Aaron: Yeah, so everyone’s I think everyone’s aware of how important user identities are. So when I migrate to something like Microsoft 365 and I’m using Entra ID to authenticate my applications, I need to sign in as something. So, my email address and password or email address and no password these days using strong authentication. 

But I think the idea of device identities is not as well-understood. So the first thing that Entra hybrid join does is that it enables single sign-on. So I’m a user, I sit down in front of an Active Directory joined Windows PC and open the browser or open, say Word or Excel or something like that. And then I sign in and those applications are signing into Microsoft 365. 

I don't want to see an authentication prompt. I've already signed into my device. I want to get single sign-on into Microsoft 365. And that's the first thing that hybrid join enables. 

So it enables a token called primary refresh token, which is the token, the authentication token that’s presented to Entra ID. I almost said Azure ID, Azure AD. So now I’m getting the two of them mixed up. 

So that primary refresh token is the key thing. It’s the authentication token that gives you single sign-on. So by enabling hybrid join, that’s the first thing that it does. So, it improves the user experience. I get single sign-on. I don’t get additional authentication prompts. I don’t have to type in username, password and save my credentials somewhere. It just makes the user experience so much better. 

Robert: And that’s always huge. I think we can both — user experience makes and breaks everything. 

Aaron: Yeah, yeah, yeah. So yeah, the first thing is enable single sign-on. But the second part of that is it enables a device identity in Entra ID. 

So now in this case, the device is joined to Active Directory and it has a computer record in AD. Now it’s also joined to Entra ID, hence hybrid join. And that enables the device to have an identity in Entra ID. And then with that, we can do a few things. 

So, it is a prerequisite for enabling something like enrolling into Microsoft Intune. It needs to be done. Unless you’re doing direct Entra join, you need to enable Entra hybrid join before you can start to enroll into Intune, right? 

It's also a prerequisite for enabling co-management with Configuration Manager and Intune. So that's an important prerequisite. And if you're also a Configuration Manager customer and you want to deploy a cloud management gateway, it's an important piece in device authentication to the cloud management gateway. 

Probably a couple of other components. It’s not a strong prerequisite, but it will certainly make life so much easier if Entra hybrid join is enabled as you are onboarding devices into Defender for Endpoint, because that identity already exists in Entra ID, and then you’re onboarding into Defender for Endpoint, and you can pick up policies out of MDE. 

Robert: Yeah, that’s an important one. Those are some really, really good use cases. And like you alluded to, right, there’s a lot of organisations, so I’m going to take the floor now and a rare one where I’m going to talk rather than whoever I’m interviewing. 

Aaron: Oh, I’ll have a sip. 

Robert: Now’s your chance. In what I do, I work with a lot of organisations, and I help them onboard and adopt Microsoft. And on that camp of, “Oh, we’re really worried or worried about user impact or device impact,” I can say across the last few years, all the organisations, I’d probably put them at about 50 or so, 50 to 60, I’ve helped onboard into Intune, turning on hybrid. 

Aaron: Various sizes as well? 

Robert: Yeah, from the 150 “Hey, we’re just trying to save some time” to the 5, 10, 20,000, “We need efficiency.” Across the board, the toggling or the enabling of hybrid join has never been the issue. 

It’s things like, “Hey, we forgot to punch this hole in the firewall or whitelist this URL, or yeah, we were going through Azure and we deleted a whole bunch of devices so that we had a clean slate. And oh, by the way, the accounts were logged in on the Windows side and suddenly everyone got logged out,” right? 

It’s stuff like that where bigger impact happened because of either enrollment or device deletion or stuff like that. Never the, “Hey, we’re turning on hybrid join and let’s get that identity synchronised up in that Entra.” That’s what I think about that one. 

Aaron: That’s where we see that conversation with customers go, right, is they may not have the confidence to do it. 

I like to refer to it as, call this project Nike, just do it. So as you say, there’s no visual impact to the user experience, right? And it should be even better because if you don’t have hybrid join, you don’t have single sign-on. So they might be having to type in username and password or type in the username and respond to an MFA prompt. 

Once you’ve enabled Entra hybrid join, you’ve got single sign-on so you’ve got a better user experience. Giving customers confidence that yes, let’s just enable it, let’s do it in bulk and we just get it done. 

Now you don’t have to do it in bulk to start with, right? You can scope it. 

Robert: Oh yeah, that’s the great thing about AD Connect is you can scope those OUs. And actually on that point, we’ve eaten up our time. So Aaron, thank you very much for joining me, mate. It’s always a pleasure to chat. Until next time, cheers. And looking forward to the next episode. 

Aaron: I’m going to finish off my morning beer. 

Robert: That’s a great day though. 


There you have it! We hope this discussion helped you understand how hybrid join can improve your Microsoft 365 experience. If you want a more in-depth conversation about how you can leverage hybrid join to improve your workflows, feel free to reach out to Insentra today. 
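The device-side state Aaron describes (joined to Active Directory, joined to Entra ID, and holding a primary refresh token so single sign-on works) can be read straight off `dsregcmd /status` on the endpoint. The PowerShell below is an added example written for this page; it is not code from the episode, from Insentra or from Microsoft. It assumes the field names dsregcmd prints on current Windows 10/11 builds (DomainJoined, AzureAdJoined, AzureAdPrt, TenantName, DeviceId) and embeds a constructed sample of that output so the parser can be exercised without a domain-joined machine.

```powershell
# Added example: summarise Entra hybrid join state from dsregcmd /status.
# dsregcmd.exe ships with Windows; the field names parsed here (DomainJoined,
# AzureAdJoined, AzureAdPrt, TenantName, DeviceId) are the ones it prints.
# Run it as the signed-in user: the AzureAdPrt line reflects that user's PRT.

function Get-HybridJoinState {
    [CmdletBinding()]
    param(
        # Defaults to live dsregcmd output; pass captured text to review a device offline.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusText) {
        # Data lines look like "      AzureAdJoined : YES"; table borders are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $domainJoined = $fields['DomainJoined']  -eq 'YES'
    $entraJoined  = $fields['AzureAdJoined'] -eq 'YES'
    $hasPrt       = $fields['AzureAdPrt']    -eq 'YES'

    # Hybrid join means both an AD computer object and an Entra device identity.
    if     ($domainJoined -and $entraJoined) { $state = 'HybridJoined' }
    elseif ($entraJoined)                    { $state = 'EntraJoined' }
    elseif ($domainJoined)                   { $state = 'DomainJoinedOnly' }
    else                                     { $state = 'NotJoined' }

    [pscustomobject]@{
        JoinState    = $state
        DomainJoined = $domainJoined
        EntraJoined  = $entraJoined
        HasPrt       = $hasPrt
        TenantName   = $fields['TenantName']
        DeviceId     = $fields['DeviceId']
        # A hybrid-joined device with no PRT will still prompt the user; SSO needs both.
        SsoReady     = ($state -eq 'HybridJoined' -and $hasPrt)
    }
}

# Constructed sample of dsregcmd /status output (not captured from a real device;
# the DeviceId is a placeholder) so the parser runs offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split '\r?\n'

Get-HybridJoinState -StatusText $sample | Format-List
# On a real endpoint: Get-HybridJoinState | Format-List
```

On a fleet, the useful failure mode to look for is `JoinState` of `HybridJoined` with `HasPrt` false: the Entra Connect sync and device registration worked, but the user session never obtained a PRT, which is exactly the case where the firewall or URL allow-list gaps Robert mentions tend to show up as unexpected sign-in prompts.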
