Before moving to Cloud-Native, let’s discuss the phase that many organizations are probably in at the moment: the Entra Hybrid Joined state.
This is the most common state I’ve seen in organizations. It usually starts out as a pilot or a POC to test device identity in Entra Hybrid mode, but organizations rarely move on from it and roll out a fully Entra Joined state to their devices. Entra Hybrid Joined, even together with Microsoft Intune, is NOT Cloud-Native. It’s an interim state until Entra Join is introduced.
But orgs hardly plan for the next phase!
Why?
Legacy applications, skills shortages, legacy connectivity models, legacy processes, and shared drives are some of the major pushbacks out in the wild. All of these examples come down to a single requirement: line-of-sight access to AD. Either the devices are connected via VPN from remote offices or from home, or they sit on the corporate network, so that they keep connectivity to AD for authentication. In 2025, this is neither the best nor the most suitable approach: people are mobile, they need connectivity and access from anywhere at any time, they are no longer required to do their work while connected to a corporate network, and organizations have to adapt accordingly.
A Few Wins and Drawbacks of Entra Hybrid Joined State
| Pros | Cons |
|---|---|
| You get a first taste of cloud capabilities | Domain join with Windows Autopilot requires line-of-sight access to a DC |
| Entra creates the device identity, which can be used in Conditional Access policies | Windows Autopilot for remote offices with no access to a DC can be a challenge, as you have to think about Always-On VPNs |
| You can use GPOs, Intune policies, and ConfigMgr policies side by side | Moving a device object from a synced OU to a non-synced OU deletes the device from Entra; adding it back means extra administrative work to clean up and re-add it |
| Windows Autopilot can be tested | Administrative overhead of managing the device object in AD and the device identity in Entra |
| Device compliance policies can be set up | Managing possible policy conflicts between GPOs and Intune |
| More security policies can be implemented using Intune and Defender XDR | The Hybrid Join feature is only available with the Entra Connect Sync tool; if you are planning to move to Entra Cloud Sync, this can be a blocker |
| Entra ID SSO is introduced to the device | |
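One practical check that goes with this discussion: before planning a move away from Hybrid Join, it helps to know which state each device is actually in, and whether it still depends on a DC for authentication. The PowerShell below is an added example, not code from the original post or from Microsoft; it classifies a device from the output of `dsregcmd /status`. The field labels it reads (`AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, `AzureAdPrt`) are the ones dsregcmd prints; the sample output embedded here is constructed so the script runs offline, and the function names are my own.

```powershell
# Added example (not from the original post): classify a Windows device's
# join state from `dsregcmd /status` text and flag DC line-of-sight dependency.

function Get-DsregField {
    # Return the value after "Name : " in dsregcmd output, or $null if absent.
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Get-DeviceJoinState {
    # Hypothetical helper: maps dsregcmd fields to the states discussed above.
    param([string[]]$Lines)

    $aad = Get-DsregField -Lines $Lines -Name 'AzureAdJoined'
    $dom = Get-DsregField -Lines $Lines -Name 'DomainJoined'
    $wpj = Get-DsregField -Lines $Lines -Name 'WorkplaceJoined'
    $prt = Get-DsregField -Lines $Lines -Name 'AzureAdPrt'

    if ($aad -eq 'YES' -and $dom -eq 'YES') {
        $state = 'Entra Hybrid Joined (interim state)'
    } elseif ($aad -eq 'YES') {
        $state = 'Entra Joined (cloud-native)'
    } elseif ($dom -eq 'YES') {
        $state = 'On-prem domain joined only'
    } elseif ($wpj -eq 'YES') {
        $state = 'Entra Registered'
    } else {
        $state = 'Not joined'
    }

    [pscustomobject]@{
        State              = $state
        # Any DomainJoined device still needs line-of-sight to a DC for AD auth.
        NeedsDcLineOfSight = ($dom -eq 'YES')
        # A Primary Refresh Token is what gives the device Entra ID SSO.
        HasEntraPrt        = ($prt -eq 'YES')
    }
}

# Constructed sample (abridged shape of dsregcmd /status on a hybrid device).
$sampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -Lines $sampleOutput

# On a real Windows device, feed the live output instead:
#   Get-DeviceJoinState -Lines (dsregcmd /status)
```

Run across a fleet (for example through an Intune remediation script), the `State` and `NeedsDcLineOfSight` columns give you the inventory you need to size the migration to Entra Join and to spot devices that would break the moment their VPN or corporate-network path to a DC goes away.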
When talking about the cloud journey, we can’t forget the Entra Hybrid Joined state, but it is not the end-all, be-all. The next step should be building a strategy to eliminate the on-prem footprint and drafting a plan with a clear goal in mind.
Next Up
For the 3rd section, I want to discuss how to strategize and plan for the Entra Joined state, which is the Cloud-Native way, and how to add the elements that maintain and enhance user productivity.