Just another HAADJ vs AADJ blog post?

Not just another HAADJ vs AADJ blog post

On the way towards a modern managed workplace, at the very start of the journey, you will find yourself at the center of the great debate: whether to go slow and steady with HAADJ, or to hit the kill switch on the existing infrastructure and go full-cloud with AADJ.

I have already highlighted this in a previous blog post of mine that “the important factor that contributes heavily towards making the decision on the device join state is the requirements of the particular environment.”

Cloud-only Azure AD join is the first preference for many of us because of its simplicity, and for sure, that is the destination. But at the same time, there’s no denying that when we get to work on modernizing a traditional workplace, sometimes the destination cannot be reached right at the very beginning.

But is this going to be just another HAADJ vs AADJ blog post? Well, you can only find out by reading it.

The great debate – AADJ versus Hybrid AADJ

Hybrid AADJ versus the full modern cloud-only AADJ can be seen as the old parallel-run versus cut-over methodology of digital workplace implementation.

The former approach is inarguably slower and carries the risk of losing momentum if you don’t constantly push changes forward. The latter approach involves more risk in the sense that you ditch everything existing and go full cloud-only from scratch, only to find out afterwards which critical things for your workplace are missing.

This is especially true for large enterprises where they have spent years developing and fine-tuning their current estate of GPOs.

If you are thinking that you would be able to rebuild everything in Intune to exactly match the current environment state (that is, replacing all the existing GPOs) all at once for a cut-over transition, it’s a daunting task and in all probability is not going to happen.

Going full-cloud modern from an existing legacy environment is a demanding journey that requires a lot – to learn, change, and adapt.

The above applies not only to the technical bits but also to the mindset of both the users and the IT.

From my real-life experience of working in Digital Workplace TnT projects, the hardest thing I have seen is to make people understand that they probably don’t need to go the Hybrid path, at least not for the new devices coming into the environment.

Another factor that I have seen play a major role during the transformation journey of any organization is retraining people who are accustomed to doing things the “old way” (and getting them) to do things the “new way”. This actually takes a lot of time/money and is not something that you can achieve in a single shot.

And this is exactly where HAADJ slips in and can take you out for a joy ride. Beware!

Hybrid AADJ (with co-management) gives you the flexibility to build and test out config in the cloud world of Intune to match the current environment, giving you time for a phased cut-over. But at the same time, as you happily toy around with your pilot batch, it also gives you the comfort of continuing as-is, disguised under the false satisfaction of “we’re modern and in the cloud now”.

And this false satisfaction, in reality, can catch you off-guard very easily, causing you to lose the momentum needed to keep pushing towards the “actual destination”: the fully modern, cloud-only AADJ state.

Though it does bring the devices to the cloud, HAADJ is not the exact manifestation of what modern management actually is.

Technically, a device in the HAADJ state is still tied down to the on-premises AD and its GPOs. The sooner you realize this, the better.

Hybrid AADJ should only be considered as an interim solution to help you make the journey towards a fully modern and cloud-only environment, and should never ever be considered as the destination for your digital workplace journey.

But beware, again!

As highlighted in my previous blog post on the same topic, once you choose to go the Hybrid AADJ way, it can be very difficult to change this strategy over time and move to cloud-only AADJ.

However, there is no denying the fact that when you have a complex enough set of GPOs in the current environment, a cut-over transition all at once is not possible. And in that sense, Hybrid AADJ really becomes the necessary evil that helps you get to a fully modern, cloud-only AADJ state, with the downside that you need to be careful enough not to get stuck there.

With all this background, let us now see the probable reasons that make one go the Hybrid way.

What’s stopping you from going full cloud-only with AADJ?

Azure Active Directory is flat.

There’s no Group Policy (and as such, no in-built capability of device management), no LDAP support, and no native LAPS support. It’s just there to provide Identity and Access Management services – user management, and authentication management.

  • For the cloud-only AADJ case, device objects are created up in the cloud, in Azure AD. These devices have no existence in the on-premises AD, so any service that relies on the existence of a device object in AD is not going to work.

Example: NPS authentication for RADIUS does not work with cloud-only AADJ devices. There are workarounds, but they are not very convenient.

If you are thinking that the Device writeback feature of Azure AD Connect can help you overcome this, then you are wrong.

Device writeback creates device objects originating from Azure AD in the on-premises AD, in the "Registered Devices" container, and these are not the traditional Computer objects that reside in the "Computers" container.

  • While there are community-driven alternatives available, there’s no first-party equivalent of LAPS with Azure AD.

You can use Azure AD PIM within the Azure portal to hand out the Device Administrator role to users or groups in Azure AD, but it has its own drawback: the role addition (or removal) is not effective immediately on the endpoint.

  • If you have legacy applications that use LDAP, they aren’t going to work in the cloud-only AADJ world, as Azure AD does not support LDAP.

This can be overcome by deploying an Azure AD DS instance with properly configured network security groups in Azure Networking to achieve LDAP connectivity, but it requires an investment of additional cost and effort.

Other than the above three technical limitations, I can’t recall anything else that can force you to go the Hybrid way.

But then, beware of the obvious non-technical blockers for going the cloud-only route, such as:

  • need to upskill/re-skill IT and educate end-users
  • the time required to assess the complex setup of the current set of Group Policies and replicate them in Intune
  • the requirement to access on-premises file shares
  • configuring network printers

There can be more to the above list, but none of these are real technical blockers, and all of them can be worked around.

Pitfalls of going Hybrid with HAADJ

As Rudy stated in his blog post here,

“The main disadvantage of using hybrid is you still need a line of sight to your on-premises domain controller (sometimes) and you are still stuck with some old group policy objects (which you might not even need now) who can really mess up with your Intune settings.”

Further, there is no simple migration tool to help you jump ship when the time finally comes. Devices must either leave the domain manually and re-join the cloud, or be reprovisioned entirely.

The End

The modern managed workplace, as we know it today, has actually evolved over the years through iterations as technology made progress. But getting there isn’t as simple as taking a single step; you have to get ready and set out on a journey.

The journey to a modern managed workplace is like traveling down a road, where every organization is a traveler.

In real life, we see many different vehicles on the road. Similarly in this journey to a modern managed workplace, the vehicle(s) chosen by each organization can be different from each other. However, choosing a vehicle (or vehicles) is actually complex.

This is because the choice of vehicle must also suit the purpose (needs and requirements). For example, you wouldn’t take a Lamborghini off-roading or drive a Jeep in a Formula 1 race!

So, how does an organization know which vehicle will work best for its journey to a Modern Managed Workplace?

Well as you might have already guessed, here I have used “vehicle” as an analogy to the “approach” that an organization can adhere to for their modern transformation journey.

For new organizations or spin-offs, the ideal approach is to go straight to modern management, because they are starting afresh and can therefore take a cloud-first approach for all workloads. This approach can fit existing SMBs as well, since they usually do not have many on-premises investments holding them back from going fully modern.

But then what about mid-size and large enterprises that have substantial on-premises investments? It’s not an easy task to cut loose from the existing on-premises infrastructure in one go and move directly to modern management.

And this is exactly the situation that gives us the golden question – to do or not to do HAADJ?

Instead of making the “big switch” cutting over to a modern style all at once, large enterprises prefer an iterative approach, where workloads are modernized over time, providing a bridge to full modern management.

HAADJ and AADJ can actually co-exist in an environment, where you use HAADJ for your existing devices to bring them to the modern world while using AADJ for new devices (and devices that are getting refreshed or re-imaged due to issue/troubleshooting), with the latter becoming dominant over time.

This is very normal and common with many organizations making the transition to modern management, and is in fact, a valid and frictionless path towards modern management, as it delivers the best of both worlds until a full transition is completed.
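During such a co-existence period it helps to be able to tell, per device, which join state it actually landed in. The following PowerShell is an added example (not code from the original post): it classifies a device from the flags that `dsregcmd /status` prints. The sample text is constructed to stand in for real output so the function can be tried offline.

```powershell
# Added example: classify a Windows device's join state from "dsregcmd /status".
# The sample block below is constructed; on a live device, pass the real output.
function Get-JoinState {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # Pull the YES/NO flags out of "Name : Value" lines; other lines are ignored.
    $flags = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $aad    = $flags['AzureAdJoined']   -eq $true
    $domain = $flags['DomainJoined']    -eq $true
    $wpj    = $flags['WorkplaceJoined'] -eq $true

    # Hybrid means the device is joined to the on-premises domain AND to Azure AD at the same time.
    if ($aad -and $domain) { return 'HybridAzureADJoined' }
    if ($aad)              { return 'AzureADJoined' }
    if ($domain)           { return 'DomainJoinedOnly' }   # classic AD join, not in the cloud at all
    if ($wpj)              { return 'AzureADRegistered' }  # workplace-joined (BYOD style), not managed as a join
    return 'NotJoined'
}

# Constructed sample, trimmed to the relevant fields of a dsregcmd /status dump.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample

# On a real endpoint, feed the live output instead:
# Get-JoinState -StatusLines (dsregcmd /status)
```

Running the function across a fleet (for example via a remote PowerShell session or an Intune script) gives a quick picture of how far the HAADJ-to-AADJ transition has progressed.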

But the debate of HAADJ vs AADJ arises as you tend to get stuck with HAADJ.

As per me, the best way to get to a modern managed state for your Windows devices is to follow the path of co-existence as is shown in the illustration below.

You may think Hybrid is the safest bet to ensure business continuity, but in reality, it might not be the case. The cloud-only fully modern path may actually suffice to cater to your requirements.

Still, opting for Hybrid Azure AD Join even for new device provisioning (via Autopilot), unless it is absolutely required and a proper assessment and analysis have been done, is surely overkill: it adds complexity to IT management and calls your modern management goal and approach into question.

And HAADJ with Autopilot is also probably not your best bet if you are looking to deliver a great experience to your end-users. [Need to know why? Read this blog post of mine!]

So why do we see people hesitating to go the cloud-only route?

To answer that, I feel many are hesitant to go the cloud-only AADJ route directly from their AD joined CMO due to the seemingly overwhelming task of getting there, or perhaps the change that is required in the IT approach, mindset, workflows, and administration.

What do you think?

At the end, I could not help sharing the last one that I made on the topic.

If you are working as an Intune Support Engineer and want to learn about the different breakpoints that exist with Autopilot Hybrid Azure AD join, I already have a post on the same here.

Further, if you are looking for troubleshooting Autopilot HAADJ, there are some wonderful posts on the topic out there already, a few of which I am linking below.

And at the very end, I just wanted to say that this blog post, as you have already read, only discusses the device join state – HAADJ vs AADJ.

But the digital transformation journey to a modern managed workplace is not only about the devices. It’s about complete modernization of the whole IT environment (for example, migration of data from on-prem file-shares to SPO) which includes the processes and workflows involved as well, and in that, device join state is only a specific part of the story!