Entra ID join?
Posted by JanRied@reddit | sysadmin | 19 comments
Hi Reddit Hive Mind,
I'm running a Windows Server 2022 setup, complete with MDT (Microsoft Deployment Toolkit) and WDS (Windows Deployment Services). The installation process went smoothly, but now I'm hoping to join Entra ID automatically.
Ideally, I'd like the process to be completely automated, but I'm open to manually entering information if needed. Does anyone have suggestions on how I can achieve this?
OmnipotentBork@reddit
Skip hybrid if they are going to be full AAD and just join them to Autopilot; you will tank yourself later.
BlackV@reddit
Does Autopilot support server?
OmnipotentBork@reddit
No, Autopilot is for workstations. You will need Arc for servers or, depending on configuration, serverless.
BlackV@reddit
So Autopilot isn't the solution for OP, as they're dealing with servers.
OmnipotentBork@reddit
Did you not understand? They are using PXE on Server 2022 with WDS to image devices and want the workstations to be automatically joined during this process. They then stated the workstations will be all AAD and not hybrid, so skip WDS and use Autopilot. Servers were mentioned as the imaging source, not the desired outcome.
BlackV@reddit
Are they? I didn't see that anywhere
thewunderbar@reddit
This is the way.
Spirited-Check1139@reddit
You have to install the connector and type in your admin Entra ID details.
https://www.microsoft.com/en-us/download/details.aspx?id=47594
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-ad-connect
Fatel28@reddit
This will enable hybrid Entra joining, but I think OP is asking for full Entra join.
JanRied@reddit (OP)
I think yes, I'm gonna need full Entra join, if that's even possible?
Salamandro@reddit
So you have a full Windows AD domain with server resources like a file server and print server etc.?
If you want to fully join devices to Entra ID and want these cloud-joined devices to access on-prem resources, you'll need a hybrid setup. Otherwise Kerberos etc. won't work.
And if you want to still use MDT for device deployment, you may want to look at how to integrate OSDCloud into MDT.
VerifiedPrick@reddit
Can't you just use Kerberos cloud trust to access on-prem resources from fully Entra joined devices?
OmnipotentBork@reddit
This is correct. Switching from PKI certs to Kerberos will allow the AAD account to impersonate the on-prem account if you have a sync; then fully AAD-managed devices can access on-prem resources seamlessly as long as they are on the same network.
Fatel28@reddit
You could do it with a provisioning package and PowerShell. You'll need to refresh the provisioning package every once in a while, but otherwise it's totally doable.
JanRied@reddit (OP)
Yes this seems to be the only thing that could help 🕵️♂️
JanRied@reddit (OP)
Gonna take a look 👍
teriaavibes@reddit
No need to go far, it is just not supported.
What is a Microsoft Entra joined device? - Microsoft Entra ID | Microsoft Learn
bjc1960@reddit
We don't have AD, we are Entra ID only. I had to install Entra Domain Services and create some domain like AADDS.contso.com for the Server VMs in Azure. Needed to force a password change - users love that.
JanRied@reddit (OP)
Yeah, we have an AD, but the Entra ID is for the home office clients.
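Since much of this thread turns on whether a client ended up hybrid joined or fully Entra joined, here is an added example (not posted by anyone in the thread) that classifies a device's join state from `dsregcmd /status` output, so a post-deployment check can confirm what MDT or a provisioning package actually produced. The sample output below is constructed; on a real machine pass `(dsregcmd /status)` instead.

```powershell
# Added example, not from any poster in the thread: classify a Windows
# device's join state (hybrid vs full Entra join vs domain-only) from the
# "Key : Value" lines that dsregcmd /status prints.
function Get-JoinState {
    param(
        [Parameter(Mandatory)]
        [string[]]$DsregOutput
    )
    # Collect only the fields needed for the classification.
    $fields = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined|WorkplaceJoined|DeviceId|TenantName)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'

    # Hybrid = on-prem AD joined AND Entra joined; Entra joined = cloud only;
    # WorkplaceJoined alone is only a registration, not a join.
    $state = if ($aad -and $domain) { 'HybridEntraJoined' }
             elseif ($aad)          { 'EntraJoined' }
             elseif ($domain)       { 'DomainJoinedOnly' }
             elseif ($wpj)          { 'EntraRegistered' }
             else                   { 'NotJoined' }

    [pscustomobject]@{
        State      = $state
        TenantName = $fields['TenantName']
        DeviceId   = $fields['DeviceId']
    }
}

# Constructed sample resembling dsregcmd output for a fully Entra joined
# client (placeholder DeviceId and tenant name, not real values).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : ExampleTenant
'@ -split "`r?`n"

Get-JoinState -DsregOutput $sample   # State should read EntraJoined
```

Run it after imaging to confirm the device landed in the intended state before troubleshooting Kerberos or resource access.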