Hybrid Azure AD domains: Configure Azure AD and KACE Cloud to join devices

Administrators can use the following procedure to add devices to Azure AD hybrid domains.

To join devices to hybrid Azure AD domains:

  1. Ensure the following requirements are met:
    • Windows 10 version 1709 or later on the device.
    • Active Directory domain is integrated with Azure AD.
    • Azure Active Directory registration for the Windows device.
    • All devices belong to the same computer group.
  2. Ensure that an Active Azure AD subscription exists for the device.
  3. Link Azure to existing on-prem Active Directory domain.
  4. Integrate KACE Cloud with Azure. See SAML: Integrate with Microsoft Azure AD.
  5. Create an Active Directory group policy and set it up to join existing on-prem devices to KACE Cloud and Azure. See https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.
  6. Sign in to the device with the Azure AD account.

    IMPORTANT: The Azure AD Account must either be signed in to the enrollment API and have accepted Azure terms and conditions, or have been imported using the LDAP import tool.

    Common questions:

  7. Is it possible to join a Windows device to an on-prem domain through an MDM command?

    No. There is no MDM command available to join a device to an on-prem domain via KACE Cloud. However, we recommend using the SMA agent to join the domain. This is possible using a Windows provisioning package as a managed install. We recommend encrypting and signing provisioning packages.

  8. What about bulk enrolling devices into KACE Cloud?

    Windows provisioning packages offer functionality to enroll devices in KACE Cloud. These packages can be run using the SMA agent via a managed install to bulk enroll devices.

  9. What about customers with no Azure subscription?

    For customers with no Azure subscription who want to enroll in KACE Cloud, there are two options: The first is with the SMA agent, as mentioned above. The second is using traditional imaging deployments using the SDA. The SDA also supports provisioning packages, so an enrollment package could be set up as an SDA post install task to enroll new devices in KACE Cloud. We recommend encrypting and signing provisioning packages.

Common questions

  • Is it possible to join a Windows device to an on-prem domain through an MDM command?

    No. There is no MDM command available to join a device to an on-prem domain via KACE Cloud. However, we recommend using the SMA agent to join the domain. This is possible using a Windows provisioning package as a managed install. We recommend encrypting and signing provisioning packages.

  • What about bulk enrolling devices into KACE Cloud?

    Windows provisioning packages offer functionality to enroll devices in KACE Cloud. These packages can be run using the SMA agent via a managed install to bulk enroll devices.

  • What about customers with no Azure subscription?

    For customers with no Azure subscription who want to enroll in KACE Cloud, there are two options: The first is with the SMA agent, as mentioned above. The second is using traditional imaging deployments using the SDA. The SDA also supports provisioning packages, so an enrollment package could be set up as an SDA post install task to enroll new devices in KACE Cloud. We recommend encrypting and signing provisioning packages.