InTune on local Domain Joined PCs?

We have a domain with domain sync up to AAD, which works great, but we aren’t syncing back down from AAD to AD.

We still have some local resources we need (print servers, file shares, etc.) so I can’t go 100% AAD joined… or can I?

What’s the best way to set up new PCs knowing we have M365BP and successful one-way sync from AD to AAD? If I could have people log in with their AAD accounts (including modern auth/Windows Hello, etc.) I’d love it, as long as they could still access legacy services on-site until we resolve them.

I had to set up a specific group in AD for Intune and then told Intune to use that group.

Then I had to elevate the users to local admin, and use manage account to enroll each device in MDM. After enrolling, I could change the user back to a regular user.

Be very careful reassigning Intune-registered devices to new users down the line. If you don’t unenroll properly you can goof the computer up to a point where you have to set it back to factory. That happened twice to me.
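The post above describes enrolling each device and the trouble that follows an improper unenrollment. As an added example (not code from the thread or from Microsoft), the PowerShell below is a read-only check an admin can run on a PC before reassigning it, so the current join and MDM enrollment state is known first. It assumes `dsregcmd.exe` is present (Windows 10/11) and that its `/status` output contains `Name : Value` lines such as `AzureAdJoined`, `DomainJoined` and `MdmUrl`; those field names are taken from typical output and are treated as assumptions here.

```powershell
# Added example: summarise a PC's join state and whether an MDM (Intune)
# enrollment exists, by parsing the output of "dsregcmd /status".
# Field names (AzureAdJoined, DomainJoined, MdmUrl) are assumed from typical
# dsregcmd output; anything not found is reported as UNKNOWN rather than guessed.

function ConvertFrom-DsregcmdStatus {
    [CmdletBinding()]
    param([string[]]$Lines)

    $fields = @{}
    foreach ($line in $Lines) {
        # Keep only "Key : Value" lines; the banners and blank lines are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-DeviceJoinState {
    [CmdletBinding()]
    param()

    $raw    = & dsregcmd.exe /status 2>&1
    $fields = ConvertFrom-DsregcmdStatus -Lines $raw

    $get = { param($name) if ($fields.ContainsKey($name)) { $fields[$name] } else { 'UNKNOWN' } }

    $domainJoined  = & $get 'DomainJoined'
    $azureAdJoined = & $get 'AzureAdJoined'
    $mdmUrl        = & $get 'MdmUrl'

    # Classify the join type from the two YES/NO flags.
    $joinType = switch ("$domainJoined/$azureAdJoined") {
        'YES/YES' { 'Hybrid Azure AD joined' }
        'NO/YES'  { 'Azure AD joined' }
        'YES/NO'  { 'Domain joined only' }
        'NO/NO'   { 'Not joined' }
        default   { 'UNKNOWN' }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        JoinType      = $joinType
        # A populated MDM URL is the sign that an Intune enrollment is in place.
        MdmEnrolled   = if ($mdmUrl -match '^https://') { 'YES' } else { 'NO' }
        MdmUrl        = $mdmUrl
    }
}

# Usage: run as an administrator on the device you are about to reassign.
Get-DeviceJoinState | Format-List
```

If `MdmEnrolled` reports YES for a device that is about to get a new owner, it is still enrolled and should be retired or reset from Intune (or wiped) before it is handed over, rather than simply having a different user sign in.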

We’ve been running hybrid for a couple years, and this last year we started deploying some laptops as pure AAD managed. A couple ideas to help with printing and local file shares:

  • Universal Print - Set up a “print connector” server to proxy between your printers and AAD, and future printers and firmware updates will allow printers to register directly to AAD. This also lets users print from anywhere. Main downside is that the Universal Print driver only allows access to basic features (color, staple, but not folding or booklet making), but for most users that may be all they need.

  • PowerShell scripts to deploy local printers, either on a print server or direct

  • Move local shares to Teams/SharePoint sites - The OneDrive sync client can now sync individual files up to 250GB in size, supports differential sync (sync only the part of a file that changed), and supports “files on demand” (only sync a file when the user tries to open it). May not work well for your media department’s terabytes of video files, but for most departments it is a great replacement.

  • Set up Windows Autopilot so that new and existing devices can automatically pull down their configuration on first boot/Windows setup. You can set up Autopilot to deploy devices as pure AAD or as a hybrid device. (When we reassign a device, we do an “autopilot reset” from Intune, which avoids some of the issues K Papalia mentioned.)
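The second bullet above mentions PowerShell scripts to deploy local printers, either from a print server or direct. As an added example (not code from the thread or from Microsoft), the script below does both with the built-in PrintManagement cmdlets and is shaped so it can be assigned as an Intune PowerShell script: a non-zero exit code marks the run as failed. The print server name, share name, IP address and driver name are placeholders to replace with your own values; the note on user versus SYSTEM context is an assumption about how Intune runs the script.

```powershell
# Added example: deploy printers on an AAD-joined PC without a GPO.
# Placeholder values below must be replaced with real ones before use.

# Shared printers on a legacy print server. Connections to shared printers are
# per-user, so assign this part in the user's context
# (Intune: "Run this script using the logged on credentials" = Yes).
$sharedPrinters = @(
    '\\printsrv01.corp.example\Finance-MFP'   # placeholder share path
)

# Printers reached directly by IP. Ports, drivers and queues are machine-wide,
# so assign this part in the SYSTEM context (logged-on credentials = No).
$directPrinters = @(
    @{ Name = 'Lobby-Printer'; Address = '10.0.0.50'; Driver = 'Microsoft PCL6 Class Driver' }  # placeholder
)

function Add-SharedPrinterConnection {
    param([Parameter(Mandatory)][string]$ConnectionName)

    if (Get-Printer -Name $ConnectionName -ErrorAction SilentlyContinue) {
        Write-Output "Already present: $ConnectionName"
        return
    }
    Add-Printer -ConnectionName $ConnectionName -ErrorAction Stop
    Write-Output "Added connection: $ConnectionName"
}

function Add-DirectPrinter {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Driver
    )

    $portName = "IP_$Address"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $Address -ErrorAction Stop
    }
    if (-not (Get-PrinterDriver -Name $Driver -ErrorAction SilentlyContinue)) {
        # The driver package must already be in the driver store
        # (inbox class driver, or staged with pnputil / a Win32 app).
        Add-PrinterDriver -Name $Driver -ErrorAction Stop
    }
    if (Get-Printer -Name $Name -ErrorAction SilentlyContinue) {
        Write-Output "Already present: $Name"
        return
    }
    Add-Printer -Name $Name -DriverName $Driver -PortName $portName -ErrorAction Stop
    Write-Output "Added printer: $Name on $portName"
}

try {
    foreach ($share in $sharedPrinters) { Add-SharedPrinterConnection -ConnectionName $share }
    foreach ($p in $directPrinters)     { Add-DirectPrinter @p }
    exit 0
}
catch {
    # A non-zero exit makes Intune report the script as failed for this device.
    Write-Error $_
    exit 1
}
```

In practice you would split the two lists into two Intune scripts, because the user-context and SYSTEM-context settings apply to a whole script; the functions are the same either way.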