Today a walkthrough for Hybrid Azure AD join with Microsoft 365 Enterprise Cloud PCs. Organisations with existing Active Directory implementations can join their Cloud PCs to their environment by using Azure network connection. Learn how to setup in this post!
Prerequisites
New to Windows 365 Enterprise Cloud PCs? This walkthrough is based on my previous post, so check it out and try Cloud PCs for free!
- Verify hybrid Azure AD join configuration for your own infrastructure.
- Comply with the requirements for Azure network connection.
Azure network connection
ANC let you provision Cloud PCs in an Azure Virtual Network. Compared to Microsoft Hosted networks, Azure Virtual Networks are great for gaining better control over networking capabilities and network security. During provisioning, Cloud PCs connect to the Azure subnet and are joined to the Active Directory domain automatically.
Hybrid Azure AD joined devices require network line of sight to your on-premises domain controllers periodically. Whenever this connection is unavailable, devices become unusable. We use ANC in combination with an Azure Virtual Network.
In this scenario, my Active Directory domain controller resides in this virtual network. However, for local networks you should consider using Azure VPN Gateway from Azure Virtual Network to your local network.
Configure Azure Virtual Network
In this paragraph it is all about Azure Virtual Network. Azure Virtual Network serves for the most part as backbone for ANC. For this reason, the Azure Virtual Network should be able to communicate with the network where your Domain Controllers reside.
- For on-premises networks, there are many different ways to link an Azure Virtual Network using Azure VPN Gateway or Azure ExpressRoute.
- For cloud-only (or hybrid) networks, use that specific domain controller for Azure network connection for Active Directory and DNS.
Verify subnet
If needed, create a new subnet within the Azure Virtual Network assigned to Cloud PCs. Also, make sure that there is enough space to accommodate them.
In case of Disaster Recovery (DR), make sure that there are at least 50% of the IP addresses available in the subnet you choose to use. If reprovisioning for DR is required, sufficient new IP addresses are required for each Cloud PC provisioned on the subnet.
Note: After creation of the ANC a health check is performed. It is important to realise that this check fails when there is less then 50% of the address space available.
Prepare DNS
Cloud PC resources need to resolve the Active Directory domain in order to bind themselves. The network card of the Cloud PC will be joined within a subnet that resides in the Azure Virtual Network of your choosing. It is really important that you verify DNS resolving until deploying Cloud PCs. There are a few different ways to accomplish name resolving. To facilitate DNS services, you can use one of three methods:
The most simple way is to change DNS entries within the virtual network:
- Sign in to the Microsoft Azure portal, search Virtual Network > DNS servers (under Settings).
- Choose Custom and add the IP address(es) of the DNS servers who can resolve the Active Directory domain.
Create Azure network connection for Hybrid Azure AD Cloud PCs
- Sign in to the Microsoft Endpoint Manager admin center, select Devices > Windows 365 (under Provisioning) > Azure network connection > Create.
- Choose Hybrid Azure AD Join as Azure network connection type.
- Enter a Name for the connection. The connection name must be unique.
- Select a Subscription and Resource group. Cloud PC resources will end up in the group you select here. Create a new one or select an existing instead.
- Select a Virtual Network and Subnet and click Next.
- Provide the following information about your on-premises Active Directory domain:
- AD domain name: The DNS name of the Active Directory domain that you want to use for connecting and provisioning Cloud PCs.
- Organizational unit: Specify the distinguished name. I recommend creating a new one first for scoping purposes within the domain. Also, make sure that his OU is enabled to sync with Azure AD Connect since Cloud PC provisioning will fail.
- AD domain username: The user principal name of the account that performs the domain join. Must have appropriate rights and would ideally be a service account.
- AD domain password: The password for the user specified above.
- Confirm AD domain password: The password for the user specified above.
- Click Next.
- On the Review + create page, select Create.
Verify the status
Once the ANC is created, the first health check runs to verify configuration. As a result, you can’t edit an ANC when it is running checks. You must wait for the checks to pass/fail before edit functionality becomes available.
| Message | Status | Probable cause |
| Azure AD device sync | Warning | There is no Cloud PC registered yet and therefore this warning is given. This is not a breaking warning. |
| Azure subnet IP address usage | Failed | At least 50% of the IP address space in the subnet should be available for disaster recovery reasons. Expand the subnet to accommodate enough free space. |
| DNS can resolve Active Directory domain | Failed | Make sure that DNS in the Azure Virtual Network is able to resolve the Active Directory domain. |
| Active Directory domain join | Failed | Likely failed because the Active Directory domain could not be resolved (see entry above). |
Find the full list of health checks here.
Create or change provisioning profiles
The join type for Cloud PCs is defined in provisioning profile(s). Since I already experimented with provisioning profiles, I am editing my current profile.
- Within the Microsoft Endpoint admin center, go to Devices > Windows 365 > Provisioning policies and click on the existing profile.
- On the general tab, click on Edit.
- Change the Join type from Azure AD join to Hybrid Azure AD join.
- Select the newly created Azure network connection for the Network selection.
Reprovision Cloud PC
Note: If you do not have a Cloud PC deployed yet, skip this step.
Now we need to convert our Cloud PC from Azure AD joined to Hybrid Azure AD joined. While the Reprovision remote action starts, the user is signed off.
- Sign in to the Microsoft Endpoint Manager admin center, select Devices > All Devices > choose a Cloud PC device > Reprovision.
- In the Reprovision box, select Yes. The reprovision process will begin.
Note: With reprovisioning, the original Cloud PC is deleted, including all user data, applications, customizations, and so on.
Health checks
The health status of ANC is important throughout the provisioning and lifecycle of the Cloud PCs. In order for them to function properly, network connectivity and Active Directory resources need to be reachable. There are one time and periodic health checks:
- The connection health between network-bases resources
- The Cloud PC hosted in the Microsoft hosted subscription
Use Microsoft Remote Desktop for access
- Download the Remote Desktop app from the Remote Desktop clients page.
- Select Get subscription URL.
- In Microsoft Remote Desktop, click on Add Workspace and paste the subscription url obtained from the previous step.
- Enter Azure Active Directory credentials. When prompted for Multi-factor authentication, accept the request.
- The Cloud PC appears in the list, then double-click it to launch.
The end result: Hybrid Azure AD Cloud PCs
Now you have an operational Cloud PC bound to your on-premises Active Directory environment. Configure Group Policies, add printers from the local print server and more that your on-premises environment has to offer. Just like you would with your physical devices.
