Hybrid Microsoft Entra join with Windows 365 Enterprise Cloud PCs

Today we explore hybrid Microsoft Entra join with Windows 365 Enterprise Cloud PCs. Organisations with existing Active Directory implementations can join their Cloud PCs to their on-premises environment by using an Azure network connection. Let’s get started!

Note: This post has been recently updated with new information. Screenshots might still show Azure AD join, which is now Microsoft Entra join.

Introduction to Windows 365

Windows 365 is a cloud-based service that lets organizations deploy and manage Windows virtual machines for end users (Cloud PCs). You can assign these Windows environments to individual users, who then use them as their dedicated Windows devices.

The beauty of this solution is that you can get started quickly without the hassle of maintaining complex infrastructure or configuration. Microsoft hosts and maintains the service, making it perfect for small to medium-sized businesses.

Want more information about Windows 365? Check out my previous post.

Generated image from a Hybrid Microsoft Entra joined Cloud PC

Overview

In many organizations, Active Directory still exists and remains the backbone of the infrastructure. As a result, some applications used by your end users rely on Active Directory. If you plan to use Cloud PCs in this context, you’ll find it beneficial to integrate them into your Active Directory environment using Hybrid Microsoft Entra join. Fortunately, Microsoft offers this feature within Windows 365 using Microsoft Intune.

Prerequisites

Before you proceed with configuring Hybrid Microsoft Entra join for your Windows 365 Cloud PCs, ensure you have met several key prerequisites. First, your end-user accounts must have synced identities available in both Active Directory and Microsoft Entra ID. Additionally, you need an organizational unit ready in Active Directory if you prefer that new Cloud PCs join a specific unit. Ensure you have an Active Directory account with sufficient permissions to join computers to the domain and add them to the organizational unit.

  • Organizational unit: If you prefer that new Cloud PCs are joined to a specific organization unit in Active Directory, make sure it is created before you begin.
  • Active Directory account: Use an account with sufficient permissions to join the computer to the domain and add it to the organizational unit.
  • End user accounts: The account of the users who use a Cloud PC must have synced identity available in both Active Directory and Microsoft Entra ID.

Microsoft Azure

On the Azure side, you’ll need an Azure subscription with permissions for the Windows365 network interface contributor and Windows365 network user roles. Make sure to have a virtual network in the same region where you plan to use Windows 365, sized appropriately to house your Cloud PCs. Additionally, establish connectivity to on-premises domain controllers through VPN/ExpressRoute or deploy a domain controller within Azure.

  • Azure subscription: An Azure subscription, with permissions to use the Windows365 network interface contributor and Windows365 network user roles.
  • Virtual Network: There must be a virtual network in the same region as where you plan to use Windows 365. Size the address space of the network so that you can house the Cloud PCs.
  • Connectivity to on-premises: Connectivity to the Domain Controllers just as traditional machines require. This could either be with VPN/ExpressRoute or a Domain Controller deployed in Azure.

For a full list of requirements, check the links below.

1. Networking

The first step is deploying a new Azure network connection. Once deployed, newly provisioned Cloud PCs reside in your virtual Azure network, rather than the Microsoft-hosted network. This shift grants better control over network connectivity.

1.1 Virtual network

The virtual network resource in Azure is the backbone of the network. How you size your virtual network is up to you. There are no specific requirements, with the exception that there must always be enough IP space in the subnet (50% available) for disaster recovery purposes.

As I mentioned earlier, a direct line-of-sight to your Active Directory domain controllers is essential for Microsoft Entra hybrid join. In this tutorial, I use domain controllers deployed in the same virtual network. This setup simplifies my process, but it might not be the same for you. Alternatively, read the tutorial from Microsoft below to get started with VPN on Azure.

Simple overview of the Windows 365 Microsoft Entra hybrid join solution

Note: Once we deploy the Azure network connection, the health check fails when less than 50% of the subnet’s address space is available.

1.2 Prepare DNS

Cloud PCs need to resolve the hostnames of your domain controllers using DNS. It is important to verify that name resolution is up and running in your virtual network. There are a few different ways to configure name resolution. Use one of three methods:

For example, when using on-premises DNS, the simplest way is to configure its IP address(es) in the virtual network:

  1. Sign in to the Microsoft Azure portal: Search for Virtual Network and select the virtual network you plan to use. In the menu bar, select DNS servers.
  2. Set IP addresses: Choose Custom and add the IP address(es) of the DNS servers that can resolve the Active Directory domain controllers.
Select your custom DNS servers within the virtual network in the Azure portal
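The same configuration done with Az PowerShell, followed by a direct query of the configured servers for the records a domain join depends on. This is an added example, not part of the original post; resource group, VNet name, DNS addresses and domain name are constructed placeholders.

```powershell
# Added example (not from the original post): configure custom DNS servers on the
# virtual network with Az PowerShell, then query those servers for the records a
# domain join depends on. Resource group, VNet name, DNS IPs and domain are
# constructed placeholders; replace them with your own values.
$ResourceGroup = 'rg-w365-network'
$VNetName      = 'vnet-w365'
$DnsServers    = @('10.0.0.4', '10.0.0.5')   # DNS servers / DCs reachable from the VNet
$AdDomain      = 'corp.example.com'          # the AD domain name entered in the ANC

Connect-AzAccount | Out-Null

# Custom DNS servers are set through the virtual network's DHCP options
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = $DnsServers
$vnet | Set-AzVirtualNetwork | Out-Null
# VMs already running in the VNet only pick up the new servers after a restart.

# Ask each configured DNS server directly for the domain's A record and the
# DC locator SRV record. These lookups are what the ANC check
# 'DNS can resolve Active Directory domain' and the domain join itself rely on.
$queries = @(
    @{ Name = $AdDomain;                        Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$AdDomain"; Type = 'SRV' }
)
foreach ($server in $DnsServers) {
    foreach ($q in $queries) {
        try {
            $answer  = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $server -ErrorAction Stop
            # A records carry IPAddress, SRV records carry NameTarget
            $targets = $answer | ForEach-Object { if ($_.IPAddress) { $_.IPAddress } else { $_.NameTarget } }
            'OK   {0} -> {1} ({2}): {3}' -f $server, $q.Name, $q.Type, (($targets | Where-Object { $_ }) -join ', ')
        } catch {
            'FAIL {0} -> {1} ({2}): {3}' -f $server, $q.Name, $q.Type, $_.Exception.Message
        }
    }
}
```

A FAIL on the SRV record while the A record resolves usually means the server is not authoritative for the AD zone or has no conditional forwarder to the domain controllers.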

2. Azure Network Connection

We now set up the Azure Network Connection (ANC), which provisions Cloud PCs in the virtual network.

  1. Sign in to the Microsoft Intune admin center: Select Devices > Windows 365 > Azure network connection > Create.
  2. Choose join type: Select Hybrid Microsoft Entra Join as the Azure network connection type.
  3. Enter a Name for the connection. The connection name must be unique.
Use Hybrid Microsoft Entra join when creating a new Azure Network Connection in Microsoft Intune
  4. Select a subscription and resource group. Cloud PC resources will end up in the group you select here. Create a new one or select an existing one instead.
  5. Select the virtual network and subnet you want to use and click Next.

Note: During the setup, Microsoft Intune verifies the health of the connection. If it is not healthy, you won’t be able to proceed.

Fill in Azure subscription and virtual network details when creating a new Azure Network Connection in the Microsoft Intune portal
  6. Provide the following information about your on-premises Active Directory domain:
  • AD domain name: The DNS name of the Active Directory domain that you want to use for connecting and provisioning Cloud PCs.
  • Organizational unit: Specify the distinguished name. I recommend creating a new one first for scoping purposes within the domain. Also, make sure that this OU is enabled to sync with Azure AD Connect; otherwise Cloud PC provisioning will fail.
  • AD domain username: The user principal name of the account that performs the domain join. It must have the appropriate rights and should ideally be a dedicated service account.
  • AD domain password: The password for the user specified above.
  • Confirm AD domain password: Repeat the password for the user specified above.
Fill in the Active Directory details within Microsoft Intune for Windows 365
  7. Click Next.
  8. On the Review + create page, select Create.
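The domain join account entered above needs to create and update computer objects in the target OU, nothing more. The following added example (not from the original post or from Microsoft) delegates exactly those rights on the OU with the ActiveDirectory module, so the account does not have to be a member of a privileged group. OU and account names are placeholders; the extended-right and property-set GUIDs are looked up from the schema rather than hardcoded.

```powershell
# Added example (not from the original post): delegate only the rights the
# Windows 365 domain-join account needs on the Cloud PC OU, instead of using a
# privileged group member. Placeholder OU and account names; run as a user who
# is allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$OuDn        = 'OU=Cloud PCs,DC=corp,DC=example,DC=com'   # must match the OU entered in the ANC
$JoinAccount = 'svc-w365join'                             # account whose UPN is entered in the ANC

$rootDse = Get-ADRootDSE
$sid     = (Get-ADUser -Identity $JoinAccount).SID

# Schema GUID of the computer class, so the ACEs apply to computer objects only
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# Resolve control-access rights and property sets by display name from the
# Extended-Rights container instead of hardcoding their GUIDs
function Get-RightsGuid([string]$DisplayName) {
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$er.rightsGuid
}

$onComputers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    # Create computer objects in this OU and nested OUs
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'CreateChild', $allow,
        $computerGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    # On computer objects below the OU: reset password, validated writes, account restrictions
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow,
        (Get-RightsGuid 'Reset Password'), $onComputers, $computerGuid)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'Self', $allow,
        (Get-RightsGuid 'Validated write to DNS host name'), $onComputers, $computerGuid)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'Self', $allow,
        (Get-RightsGuid 'Validated write to service principal name'), $onComputers, $computerGuid)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'WriteProperty', $allow,
        (Get-RightsGuid 'Account Restrictions'), $onComputers, $computerGuid)
)

$acl = Get-Acl -Path "AD:\$OuDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Show the ACEs now granted to the service account for review
(Get-Acl -Path "AD:\$OuDn").Access | Where-Object { $_.IdentityReference -like "*\$JoinAccount" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Because the ANC stores this account's password, keep it scoped like this and rotate it like any other service credential.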

2.1 Verify the status

Once the Azure Network Connection (ANC) is created, verifying its status is critical to ensure that your Cloud PCs are properly connected and operational. The initial verification occurs immediately after deployment, followed by periodic health checks to maintain connectivity and performance over time.

For a comprehensive list of health checks and troubleshooting steps, refer to the full list of health checks.

2.2 Common issues

Here are some common issues you could encounter during the provisioning of the Azure network connection:

Message (status): probable cause

  • Azure AD device sync (Warning): There is no Cloud PC registered yet, which is why this warning is given. This is not a breaking warning.
  • Azure subnet IP address usage (Failed): At least 50% of the IP address space in the subnet should be available for disaster recovery reasons. Expand the subnet to accommodate enough free space.
  • DNS can resolve Active Directory domain (Failed): Make sure that DNS in the Azure Virtual Network is able to resolve the Active Directory domain.
  • Active Directory domain join (Failed): Likely failed because the Active Directory domain could not be resolved (see the entry above).
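The subnet usage failure above, and the 50% rule from the virtual network section, can be checked from Az PowerShell before the ANC health check runs. This is an added example, not part of the original post; the resource group and VNet name are placeholders.

```powershell
# Added example (not from the original post): report per-subnet IP usage for
# the VNet and flag subnets that would fail the ANC requirement of at least
# 50% free address space. Resource group and VNet name are placeholders.
$ResourceGroup     = 'rg-w365-network'
$VNetName          = 'vnet-w365'
$RequiredFreeRatio = 0.5

Connect-AzAccount | Out-Null

Get-AzVirtualNetworkUsageList -ResourceGroupName $ResourceGroup -Name $VNetName |
    ForEach-Object {
        # Limit  = addresses the subnet can hand out (Azure reserves 5 per subnet)
        # CurrentValue = addresses already allocated to NICs, Cloud PCs included
        $free      = $_.Limit - $_.CurrentValue
        $freeRatio = if ($_.Limit -gt 0) { $free / $_.Limit } else { 0 }
        [pscustomobject]@{
            Subnet    = ($_.Id -split '/')[-1]
            Usable    = $_.Limit
            Allocated = $_.CurrentValue
            Free      = $free
            FreePct   = [math]::Round($freeRatio * 100, 1)
            AncCheck  = if ($freeRatio -ge $RequiredFreeRatio) { 'Pass' } else { 'Fail: expand subnet' }
        }
    } | Format-Table -AutoSize
```

Remember that every provisioned Cloud PC consumes one address, so size the subnet for twice the expected number of Cloud PCs plus the reserved addresses.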

2.3 Future health checks

The status of your ANC must continuously be monitored to ensure ongoing health and connectivity. Future health checks help identify and resolve issues before they impact the user experience.

  1. Periodic Health Checks: Microsoft Intune automatically performs periodic health checks on the ANC. These checks cover the same critical parameters as the initial deployment to ensure network stability and connectivity.
  2. Manual Verification: Administrators can manually trigger health checks within the Microsoft Intune admin center:
    • Navigate to Devices > Windows 365 > Azure network connection.
    • Select the ANC and click on the Health tab to view current status and run checks.
  3. Addressing Failures: If any parameter fails during periodic checks, immediate action is required. Common issues include:
    • IP Address Usage: If IP address space falls below the required threshold, expand the subnet to accommodate more addresses.
    • DNS Resolution: Update DNS settings to ensure proper resolution of Active Directory domains.
    • Active Directory Domain Join: Ensure the service account has the appropriate permissions and troubleshoot connectivity to the domain controllers.
  4. Notifications: Configure alerts within Microsoft Intune to receive notifications about any changes in the health status of the ANC. This proactive approach helps mitigate potential issues faster.

3. Create or change provisioning profiles

Provisioning profiles decide how Cloud PCs are created and which users are eligible to use them. Please keep in mind that after creation, a license check runs to verify that assigned users have the appropriate license for Windows 365.

  1. Within the Microsoft Endpoint admin center, go to Devices > Windows 365 > Provisioning policies and click on the existing profile.
  2. On the general tab, click on Edit.
  3. Change the Join type from Azure AD join to Hybrid Azure AD join.
  4. Select the newly created Azure network connection for the Network selection.
Select join type details during the configuration of a provisioning profile for Windows 365

4. Reprovision Cloud PC

To ensure the Cloud PC can use the Azure Network Connection and join Active Directory, you must reprovision it after the configuration. When the Reprovision remote action starts, the user is signed out.

  1. Sign in to the Microsoft Endpoint Manager admin center, select Devices > All Devices > choose a Cloud PC device > Reprovision.
  2. In the Reprovision box, select Yes. The reprovision process will begin.
Overview of the Cloud PC in Microsoft Intune

Note: Reprovisioning deletes the original Cloud PC, including all user data, applications, customizations, and so on.

5. Health checks

The health status of the ANC is important throughout the provisioning and lifecycle of the Cloud PCs. In order for them to function properly, network connectivity and Active Directory resources need to be reachable. There are one-time and periodic health checks covering:

  • The connection health between network-based resources
  • The Cloud PC hosted in the Microsoft-hosted subscription

6. Use Microsoft Remote Desktop for access

  1. Download the client: Download the Remote Desktop app from the Remote Desktop clients page. Select Get subscription URL.
Overview of connectivity options within the Windows 365 portal
  2. In Microsoft Remote Desktop, click on Add Workspace and paste the subscription URL obtained in the previous step.
Screen to add a new workspace URL in Microsoft Remote Desktop
Add the URL as a new workspace within Microsoft Remote Desktop
  3. Enter your Azure Active Directory credentials. When prompted for multi-factor authentication, accept the request.
  4. The Cloud PC appears in the list; double-click it to launch.

Conclusion

By following this comprehensive guide, you can now successfully implement Hybrid Microsoft Entra join for your Windows 365 Cloud PCs. This setup allows you to seamlessly integrate Cloud PCs with your on-premises Active Directory environment, providing end users with a familiar and secure workspace.

Whether you are aiming to deploy new virtual machines or convert existing ones, this solution offers flexibility and control, making it ideal for connecting virtual desktops to your existing infrastructure. With the integration thoroughly tested and verified, you can take full advantage of features such as Group Policies, local network resources, and other on-premises services to enhance productivity and maintain a consistent IT environment.

Windows 365 Cloud PC showing connectivity with the on-premises Active Directory
Settings app to verify that the Cloud PC joined Active Directory

Documentation