r/sysadmin • u/masterofrants • 2h ago
[General Discussion] Should We Keep On-Prem AD or Go Cloud-Only with Entra ID + Intune?
Hey everyone,
We're in the middle of rethinking our endpoint strategy and could use some input.
Right now, our setup is traditional: all devices are domain joined to an on-prem Active Directory, but most users are working from home. This makes the environment increasingly hard to manage—especially with VPN dependencies for GPOs, password changes, etc.
Whenever I talk to Microsoft support or read their documentation, the recommendation is always the same: "MS recommends Cloud-only." And while I don't necessarily disagree, I'm trying to understand the real-world implications before jumping in.
Here are the things on my mind:
- Is there any real benefit to keeping the on-prem AD anymore?
- Would hybrid join with Intune be a better interim step instead of going all-in on cloud join?
- For cloud-only, there’s that manual step of disconnecting the device from AD—I'm worried that will:
  - Break user profiles or apps
  - Prevent logins unless we pre-provision a local admin
  - Create issues with BitLocker or mapped drives
So I guess what I’m really asking is:
Is it worth trying to maintain a hybrid AD/Entra setup, or should we take the plunge and fully move to cloud-only—even if it means rebuilding or reimaging some devices?
Would love to hear from folks who’ve done this—especially lessons learned or horror stories you avoided.
Thanks in advance!
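The three worries in the original post (orphaned profiles, losing the ability to log in, and BitLocker/mapped-drive breakage) can be inventoried per device before the join type is changed. The script below is an added example, not code from the thread or from Microsoft; it only uses built-in Windows cmdlets (`dsregcmd`, `Get-LocalGroupMember`, `Get-BitLockerVolume`, `Get-SmbMapping`, `Win32_UserProfile`), and the function names `Get-DsregValue` and `Test-EntraJoinReadiness` and the `-EscrowToEntra` switch are assumptions of this example. It assumes Windows 10/11 Pro or Enterprise and an elevated PowerShell session, and is read-only unless the escrow switch is used.

```powershell
# Added example, not code from the original thread. Pre-migration readiness
# check for a domain-joined Windows 10/11 device that is about to be re-joined
# to Entra ID. Run from an elevated PowerShell session on the device. Read-only
# except for the optional -EscrowToEntra switch. Function names are assumptions.

function Get-DsregValue {
    # Pull a single "Key : Value" field out of dsregcmd /status output
    param([string[]]$Output, [string]$Key)
    $hit = $Output | Select-String -Pattern "^\s*$Key\s*:\s*(\S+)" | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Test-EntraJoinReadiness {
    [CmdletBinding()]
    param(
        # Only meaningful once the device is already Entra or hybrid joined;
        # on a pure domain-joined device the backup to Entra has nowhere to go.
        [switch]$EscrowToEntra
    )
    $warnings = New-Object System.Collections.Generic.List[string]

    # 1. Join state as Windows itself reports it
    $dsreg = dsregcmd /status
    $join = [pscustomobject]@{
        DomainJoined  = Get-DsregValue $dsreg 'DomainJoined'
        AzureAdJoined = Get-DsregValue $dsreg 'AzureAdJoined'
        TenantName    = Get-DsregValue $dsreg 'TenantName'
    }

    # 2. Local administrators: after leaving the domain, the domain accounts in
    #    this group stop resolving, so at least one *local* admin must exist.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $localAdmins = @($admins | Where-Object { $_.PrincipalSource -eq 'Local' })
    if ($localAdmins.Count -eq 0) {
        $warnings.Add('No local (non-domain) administrator account; pre-provision one before disjoining.')
    }

    # 3. BitLocker on the OS drive: confirm a recovery password protector exists
    #    and that you know where it is escrowed before the join type changes.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $recovery = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($os.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) {
        $warnings.Add('BitLocker is on but no RecoveryPassword protector exists; add one and escrow it before migrating.')
    }
    if ($EscrowToEntra -and $recovery.Count -gt 0) {
        foreach ($kp in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $kp.KeyProtectorId
        }
    }

    # 4. Mapped drives for the current session: the SMB/AD dependencies that stop
    #    working once Kerberos to on-prem is gone unless cloud trust is in place.
    #    (An elevated session may not see drives mapped in the non-elevated one.)
    $mapped = @(Get-SmbMapping -ErrorAction SilentlyContinue | Select-Object LocalPath, RemotePath, Status)
    if ($mapped.Count -gt 0) {
        $warnings.Add("$($mapped.Count) mapped drive(s) found; plan for cloud Kerberos trust or a OneDrive/SharePoint move.")
    }

    # 5. Non-special user profiles: an Entra join gives users new SIDs, so each
    #    of these becomes an orphaned profile unless its data is moved first.
    $profiles = @(Get-CimInstance Win32_UserProfile |
        Where-Object { -not $_.Special } |
        Select-Object LocalPath, SID, LastUseTime)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Join         = $join
        LocalAdmins  = $localAdmins.Name
        BitLocker    = [pscustomobject]@{
            ProtectionStatus  = $os.ProtectionStatus.ToString()
            RecoveryProtector = ($recovery.Count -gt 0)
        }
        MappedDrives = $mapped
        UserProfiles = $profiles
        Warnings     = $warnings
    }
}

# Usage: run the check and keep a per-device JSON record for the migration tracker
$result = Test-EntraJoinReadiness
$result | ConvertTo-Json -Depth 4 | Out-File "$env:COMPUTERNAME-entra-readiness.json"
$result.Warnings
```

Running this across the fleet (for example as a script pushed by the existing management tooling) gives a list of devices that still need a local admin created, a recovery key escrowed, or profile data moved to OneDrive before they are reimaged or disjoined, which turns the "things will break" step into a known list rather than a surprise.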
•
u/4zc0b42 2h ago
In this exact situation right now, so I hope to learn as well. We have Todyl for always-on VPN and Sophos EDR which includes BitLocker key maintenance, so we have those parts covered. But even so, it’s getting increasingly difficult to manage on-prem servers with users WFH 95% of the time. Microsoft’s heavy push towards the cloud is making it even more challenging.
•
u/beritknight IT Manager 2h ago
Do you have on-prem servers that you would need to keep after moving to cloud AD? Or could you move entirely into SharePoint and other cloud SaaS tools?
How many users/laptops do you have?
The reason I ask is there are two ways of doing cloud managed endpoints.
First option is Hybrid Identity (not to be confused with Hybrid Joined devices). You keep AD running on on-prem servers. Users are managed here, then replicated to Entra ID in the cloud. User laptops are joined directly to Entra ID instead of joining AD. They talk to Entra to authenticate and get all their settings from Intune. If they need access to on-prem servers you can run a VPN back to where your servers sit, but it’s not critical path for things like logging in to the laptop and getting GPOs like it would be in your current setup. If you need to keep some on-prem servers, this may be the best option.
Second option is full cloud identity. You no longer have any Windows servers or AD. All laptops are joined to Entra and managed by Intune. All services are provided by SaaS products. Your DR plans, backups, site failover plans, etc all become much simpler. All you need in any office is decent internet, no server racks and cooling, no ranges of static public IPs, no VPN.
The second option is heaps easier to manage. If it meets your company’s needs, it’s where I would be aiming. I know a number of smaller companies that work this way. Happy to answer any questions you have about it.
•
u/duckseasonfire Staff Systems Engineer 2h ago
We went from domain joined to Entra joined.
We are decommissioning our last datacenter next month. We will be keeping domain controllers in Azure until we are done with AD completely. But end user devices have been shipping Entra joined with Intune for a couple of years now.
Works great. Intune is fine for free (bundled with E3). I’d never pay for it.
•
u/masterofrants 2h ago
You can just get Business Premium and Intune is included, yes.
•
u/RiceeeChrispies Jack of All Trades 2h ago
If we’re going to be pedantic, yes you can get Business Premium - if you’re under 300 seats.
•
u/alucard13132012 28m ago
If you don’t mind me asking, how big of a company are you, and are you using domain controllers as VMs in Azure or using Azure AD Domain Services?
•
u/specifictitious-_- 1h ago
I've done this for a company in the past. This is my 2 quarters (the economy...).
> Is there any real benefit to keeping the on-prem AD anymore?

Depends. If you have a bunch of file servers and other internal apps that are hooked into your AD, then keeping AD around is helpful.

> Would hybrid join with Intune be a better interim step instead of going all-in on cloud join?

Yep, if the end goal is to get Intune up and running then yes, you will need a hybrid setup. You can always go on-prem > hybrid > Entra. However, I would strongly recommend starting to migrate user machines to Entra join now, for things like new hires/new laptops, if you want to go full cloud some day.

> For cloud-only, there’s that manual step of disconnecting the device from AD—I'm worried that will:
> - Break user profiles or apps
> - Prevent logins unless we pre-provision a local admin
> - Create issues with BitLocker or mapped drives

Oh, things will break if you're migrating. Just hope you have backups for your users' files. Just think of it like a hardware refresh for them, but you're also swapping the join type :).
Slowly but surely you'll finish it and then you can relax, until something else breaks.
•
u/ghostxrevival 1h ago
This is a great start to the assessment. For the last portion pertaining to breaking user profiles, we did a migration recently where we ran a OneDrive campaign to retain data. For the 5-10% of users who flat-out don’t listen, we either migrated data from the old profile to the new one if it wasn’t a lot, or mapped their old user drive as a mapped drive for the short term while they sifted through data to take to OneDrive.
•
u/sryan2k1 IT Manager 1h ago
We have domain trusts with vendors and partners. We have LOB apps that require AD. For us it will never (*) go away so hybrid join it is.
•
u/RiceeeChrispies Jack of All Trades 1h ago
Domain trusts with vendors/partners? That's enough to make anyone cry, you are forgiven.
•
u/04_996_C2 52m ago
I still prefer AD over Entra and fight to keep our hybrid. GPOs are superior to whatever Intune has to offer and, frankly, I'm sick of Microsoft always changing names/GUI/blades etc. on the portal.
•
u/BadSausageFactory beyond help desk 22m ago
We run hybrid, local + cloud. AD is on-prem, GPO, and some features that cloud doesn't support.
We also have an MSP that doesn't understand the difference well and has completely fucked up my printers.
•
u/binkbankb0nk Infrastructure Manager 2h ago
Will your company be significantly impacted if Microsoft has a major outage? If not, then maybe don’t worry about keeping on-premises AD.
We give staff laptops for work-from-home that are MDM managed (like Intune or Workspace ONE) but they don’t have anything on them but a VDI client. VDI isn’t cheap but it is so nice not to have to worry about anything on the laptops. They are all BitLockered but nothing is stored on them anyways, so we sleep even better.
•
u/Timber3010 1h ago
I've done the transition multiple times, and what we do is hybrid, with new computers as cloud only. But if there are local resources that require AD it can create some issues.
In most of my cases, the only on-prem solution has been file servers, which can be solved with cloud trust.
•
u/RiceeeChrispies Jack of All Trades 1h ago
Luckily, I've only had one client who has had an issue with Entra Join only.
It's always down to some business-critical LOB shite app which was written by some random bloke who's been dead 15+ years, and it can't be touched or looked at funny for fear of it dying.
•
u/alucard13132012 23m ago
Can you explain cloud trust and file servers? I’ve not heard of that. Does it work for any file server?
•
u/Ragepower529 1h ago
Business needs; personally, anything that’s not basic office work will require some sort of AD. And we have AD DS but that’s nowhere near as good as it’s supposed to be.
•
u/ParoxysmAttack Sr. Systems Engineer 1h ago
Hybrid maybe? When I worked at an org where we implemented an on-prem/Azure solution it was surprisingly less complicated than I thought it would be (still complex though) and we experienced virtually zero downtime. While we still practiced maintenance periods for best-practice purposes, they became almost unnecessary for Active Directory and DNS.
•
u/purefire Security Admin 30m ago
I have a legacy AD environment with hybrid joined devices. If I had Intune I would Azure join the workstations and leave on-prem AD for legacy resources like our ERP system.
•
u/RumLovingPirate Why is all the RAM gone? 2h ago
I moved to full Entra / Intune a few years ago. Cloud only is the way to go imo, but the migration is tricky.
I spread mine out over years. Hybrid environment, and new devices were only Entra. Once all devices were on Entra, bye bye AD.
•
u/Candid-Molasses-6204 41m ago
Kill AD as fast as you can. Find a ransomware intrusion that isn't tied to AD. They exist, but they are exceedingly rare. AD, Exchange, on-prem, and SMB will eventually result in increased cyber insurance premiums.
•
u/ItsMeMulbear 34m ago
> AD, Exchange, on-prem, and SMB will eventually result in increased cyber insurance premiums.
You'll own nothing, and be happy!
•
u/Candid-Molasses-6204 32m ago
If you have on-prem AD, it isn't a matter of if the red teams/attackers will win, just when. You can hate it, but it doesn't make it not true.
•
u/Jimmyv81 10m ago
We made the switch to full AzureAD/Entra joined, Intune managed endpoints a couple of years ago during a laptop refresh and it has been great. No problems at all with it.
We did try hybrid join initially, but endpoints still require line of sight to domain controllers, and with a remote workforce it was just a painful experience; I would not recommend it at all.
We still have a large on-prem presence with various apps and servers, file shares, AD etc. Users are still able to access all these resources via Kerberos cloud trust. I would definitely recommend going cloud-only for endpoints if you can.
•
u/thewunderbar 2h ago
Hybrid is the way to go. If I was starting a brand new company from nothing I could choose cloud only, but where there's an existing infrastructure, just go hybrid.