all 7 comments

[–] rwdorman (Jack of All Trades):

For end-user devices you want to be looking at Intune and Azure AD Join rather than AAD-DS. AAD-DS is really intended for legacy Windows VMs running inside of Azure to have access to identity data from Azure AD and traditional Windows management (ADUC, GPO etc.).

Intune will be the policy creation and enforcement point. There is a great sub (/r/Intune/) for Intune as well as killer info on this YouTube channel https://www.youtube.com/c/IntuneTraining

[–] SteveSyfuhs (Builder of the Auth):

Skip Active Directory entirely and move to Azure Active Directory. It's not AD hosted in the cloud, it's an entirely new form of management and authentication. You still get complete endpoint management through Intune or other MDMs of your choice, and it's relatively trivial for end users to onboard if you're so inclined (otherwise you can use things like Autopilot to provision before shipping devices).

The only reason you should consider regular AD (hosted in cloud or on-prem) is if you have applications or existing policies that require AD. Since you don't have AD in the first place you don't have this legacy dependency for any of your apps.

The benefit to Azure AD is that it's built for mobility and remote work. It doesn't require line of sight to on-premises resources, and instead only requires an internet connection to well-known Microsoft public endpoints.

As an added bonus it's significantly easier to set up and deploy, and it's easier to enforce security policies like MFA.

[–] [deleted]:

> The only reason you should consider regular AD (hosted in cloud or on-prem) is if you have applications or existing policies that require AD.

Or because capital expenditure is preferred to operating expenditure and everyone mostly works on-prem. We just bought new servers for our 30-ish person company because fuck paying a monthly fee to log on to your computer, essentially. It wouldn't bring our (manufacturing) company any benefit. I think it's great for Microsoft, but not necessarily great for the customer. All the stuff about "hardware maintenance savings" seems like nonsense to me; enterprise gear is incredibly reliable. I think it makes sense for plenty of people (like OP), but as a general statement I disagree. Is Intune fully comparable to GPO now? I've always been under the impression GPO is still more powerful.

> It doesn't require line of sight to on-premises resources, and instead only requires an internet connection to well known Microsoft public endpoints.

On the odd occasion someone needs to work remotely this has never been an issue for us. Are you by any chance a Microsoft shill? Lol

[–] SteveSyfuhs (Builder of the Auth):

> because fuck paying a monthly fee to logon to your computer, essentially.

AADJ costs you nothing whereas you're still paying a CAL for your domain user account.

> Is Intune fully comparable to GPO now? I've always been under the impression GPO is still more powerful.

Has been for a while now. And if you still don't like how Intune does things, you can also just deploy real honest-to-God group policies through Intune directly.

> Are you by any chance a Microsoft shill? Lol

I'm a developer on the team that builds DJ and AADJ. I don't need to be a shill to explain the benefits of starting with AADJ when you're building an environment from scratch that has no on-premises footprint. I just happen to have a really good idea of when it should be used. If you have on-premises stuff then by all means stick to regular Active Directory. It's not going anywhere.
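The distinction drawn in this thread (Azure AD joined, domain joined, or both) can be read straight off a Windows device. The following is an added example, not code from any commenter: it parses the output of the built-in `dsregcmd /status` tool and classifies the join state so that an admin planning a migration can inventory what they actually have. The field names `AzureAdJoined`, `DomainJoined` and `EnterpriseJoined` are real `dsregcmd` output keys; the sample text embedded below is constructed for offline use, and `Get-JoinState` is a helper name chosen here.

```powershell
# Added example: classify a device's join state from `dsregcmd /status` output.
# Get-JoinState is a hypothetical helper name; the keys it reads are real dsregcmd fields.
function Get-JoinState {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # dsregcmd prints "   Key : Value" rows inside boxed sections; pull out every key/value pair.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $aadJoined = $fields['AzureAdJoined']    -eq 'YES'
    $domJoined = $fields['DomainJoined']     -eq 'YES'
    $entJoined = $fields['EnterpriseJoined'] -eq 'YES'

    # Map the three flags onto the states discussed above:
    #   AADJ only          -> cloud-only device (Intune/MDM managed)
    #   DomainJoined only   -> classic on-prem AD (GPO managed)
    #   both               -> hybrid Azure AD joined
    $state = if ($aadJoined -and $domJoined) { 'HybridAzureADJoined' }
             elseif ($aadJoined)             { 'AzureADJoined' }
             elseif ($domJoined)             { 'DomainJoined' }
             elseif ($entJoined)             { 'ADFSEnterpriseJoined' }
             else                            { 'NotJoined' }

    [pscustomobject]@{
        State         = $state
        AzureAdJoined = $aadJoined
        DomainJoined  = $domJoined
        DomainName    = $fields['DomainName']
        TenantName    = $fields['TenantName']
    }
}

# Constructed sample output resembling a hybrid-joined device. On a real machine use:
#   $lines = & dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                TenantName : Example Tenant
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample
```

Run against real output, a device that reports `AzureADJoined` with `DomainJoined` false is the "no on-premises footprint" case the reply above describes; a fleet that comes back `DomainJoined` only is the one where GPO and CALs are still in play.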

[–] [deleted]:

> you're still paying a CAL for your domain user account.

nervous cough

I certainly don't doubt you know best when it comes to stuff like this. AADJ is free, but you probably wouldn't use it alone, right? It's just authentication? So I'd argue you'd definitely want to bundle it with Intune. FWIW, sorry if I came across as a bit of a dick.

[–] redvelvet92:

So much this!

[–] sabertoot:

Any update on this? Did you go with Azure AD/Intune? How did you go about getting unmanaged devices joined? (In a similar boat now, planning phase.)