This post details some differences between Windows 365 Cloud PC hybrid Azure AD joined, and Azure AD joined. Windows 365 makes provisioning dedicated, always available cloud PC’s in your organization easy, Based on your configuration, Cloud PCs are either: Joined to your enterprise Active Directory domain and synced to Azure AD or Directly joined to Azure AD.
Hybrid Azure AD Join devices require network line of sight to your on-premises domain controllers, Organizations with existing AD implementations can benefit from provisioning hybrid Azure AD joined Cloud PCs, These devices are joined to your on-premises Active Directory and registered with Azure AD.
Azure AD Join allows administrators to join devices directly to Azure AD without the need to join on-premises Active Directory which creates more management options and full integration with Microsoft Endpoint Manager, having no on-premises dependency makes this solution easy to configure.
Renaming Hybrid Azure AD Cloud PCs is not supported. The remote action to rename Cloud PCs that are Azure AD joined is also disabled in the MEM admin center (Intune) portal. You can check the post detailed Best Methods to Rename Windows 11 PC and Cloud PC.
We presented the differences between Windows 365 Cloud PC Hybrid AD Join Vs. Azure AD Join at the APAC Windows 365 April UG event, The information and complete overview added here help to give you a better understanding depending on what you want, and it might be that you need both for your environment.
- Windows 365 Cloud PC Azure AD Joined Provisioning Process
- Windows 365 Cloud PC Deployment Provisioning Process Step by Step Guide
- How to Purchase Windows 365 Cloud PC License | Real World Scenario
Advantages of Using Windows 365 Hybrid Azure AD Joined or Azure AD Joined Cloud PC
This table summarizes the details in terms of features and capabilities of using Windows 365 Cloud PC Hybrid Azure AD joined, and Azure AD Joined are –
Hybrid Azure AD Join | Azure AD Join | |
Definition | Joined to on-premises AD and Azure AD, requiring an organizational account to sign in to the device | Joined only to Azure AD requiring an organizational account to sign in to the device |
Primary audience | Suitable for hybrid organizations with existing on-premises AD infrastructure | Suitable for both cloud-only and hybrid organizations. |
Users Identities | Applicable to Hybrid Identities. | Applicable to Cloud and Hybrid Identities. |
Device Management | Group Policy | Mobile Device Management (example: Microsoft Intune) |
Network Connectivity | Require network line of sight to your on-premises domain controllers periodically. | Works even in hybrid environments, enabling access to both cloud and on-premises apps and resources. |
Group Management | On prem Active directory groups | Azure AD Groups |
Automation | Reuse existing automation solutions | Build new automation solutions |
TOM | Reuse existing TOM | Build new TOM |
RBAC | Reuse existing RBAC Solution | Design new RBAC solution |
Device Records | On prem AD and Azure AD | Only in Azure AD |
Windows 365 Provisioning Policies – Join Type & Network Selection
Hybrid Azure AD Join: Requires connectivity to a Windows Server AD domain. You must provide the AD domain details when you create the ANC.
When creating a Provisioning Policy in Windows 365 Hybrid Azure AD Join, Windows 365 will join your Cloud PC to the Windows Server Active Directory domain you provide. Then, if your organization is properly configured for Hybrid Azure AD Join, the device will be synchronized to Azure AD.
Azure AD Join: This doesn’t require connectivity to a Windows Server Active Directory (AD) domain. Azure AD Join: If you choose this join type, Windows 365 will join your Cloud PC directly to Azure AD.
Select the Join type Azure AD Join. In the Network dropdown, you have the option to select “Micorosft Hosted Network” and “On-premises network connection”.
Windows 365 Capability or Requirement – Join Type
The table shows key capabilities or requirements based on the selected join type (Hybrid Azure AD Join or Azure AD Join) –
Capability or Requirement | Hybrid Azure AD Join | Azure AD Join |
Azure subscription | Required | Optional |
Azure virtual network with line of sight to the domain controller | Required | Optional |
User identity type supported for login | Hybrid users only | Hybrid users or cloud-only users |
Domain Join Setup | Yes | No, if you plan on provisioning Azure AD joined Cloud PCs on a Microsoft hosted network. |
Policy management | Group Policy Objects (GPO) or Intune MDM | Intune MDM only |
Windows Hello for Business login supported | Yes, and the connecting device must have line of sight to the domain controller through the direct network or a VPN | Yes |
Azure Network Connections Health Checks
An Azure network connection (ANC) in the Microsoft Endpoint Manager admin center provides Cloud PC provisioning profiles with the required information to connect to network-based resources.
The Azure network connection (ANC) health checks feature periodically runs to make sure that
- Cloud PC provisioning is successful.
- End-user Cloud PC experiences are optimal.
There are two kinds of ANCs based on their join type. Both let you manage traffic and Cloud PC access to network-based resources, but they have different connectivity requirements.
When a Cloud PC is provisioned, the information in the ANC is used by the provisioning policy to provide the Cloud PC. It performs 11 checks for Hybrid Azure AD and Requires connectivity to a Windows Server AD domain.
Windows 365 Azure AD Joined PCs provisioning doesn’t require connectivity to a Windows Server Active Directory (AD) domain. It performs a total of 8 checks for Azure AD.
The information included in the ANC is used to provision a Cloud PC. For provisioning to succeed, the resources referenced in the ANC must be healthy and accessible.
Windows 365 Cloud PC Device Records
Windows 365 Cloud PC Hybrid Azure AD joined (HAADJ): Devices are registered in Azure AD and joined to an on-premises AD domain.
- Provisioning Initiated from MEM Admin Center.
- Device Record created in On-prem AD.
- Waiting for provisioning to be completed and Hybrid Azure AD Join.
Azure AD joined (AADJ): Devices are joined to an Azure Active Directory (Azure AD). They’re not joined to on-premises AD.
Differences in Windows 365 Device Records
The Intune MEM Admin Center or Azure AD Portal to look at the results of join type is from the Devices pane or Intune blade. Check whether you (admin) can see whether the Join Type column shows Hybrid Azure AD Joined.
If the Cloud PC joined the Azure AD, the Join Type column shows Azure AD Joined.
End Users Experience – How to Identify Join Types?
Hybrid Azure AD Joined – The Windows 365 Cloud PC Joined to on-premises AD, and Azure AD requires an organizational account to sign in to the Cloud PCs.
Azure AD joined – The Windows 365 Cloud PC Joined only to Azure AD requiring an organizational account to sign in to the Cloud PCs.
You can check the access to a user account, Navigate to Windows Settings > Account > Access work or school.
- If the device is joined to Hybrid AAD, you should see the connection to your AD domain listed. Connected to the organization AD domain.
- If the device is joined to AAD, you should see the connection to your AAD domain listed. Connected to organization Azure AD.
Verify the Join Status – Command Line Option
Open Command prompt as an administrator in the Cloud PC and type dsregcmd /status. Here you will see AzureAdJoined field value should be YES in both scenarios (Azure AD Joined or Hybrid Azure AD Joined).
If Cloud PCs joined to Hybrid Azure AD Joined, AzureAdJoined and DomainJoined are set to YES. Review the fields, and make sure that they have the expected results –
DomainJoined | YES | This field indicates whether the device is joined to an on-premises Active Directory. If the value is NO, the device is not a part of Hybrid Azure AD-join. |
AzureAdJoined | YES | This field indicates whether the device is joined. The value will be YES if the device is either an Azure AD-joined or a hybrid Azure AD-joined device. |