Security

We have a mixture of AAD joined and Hybrid joined machines in our environment.  We already have a service created for the hybrid joined machines, but what is the best way to create another service for the AAD joined machines?

https://www.youtube.com/watch?v=MlcrqTDDufU

We have a mixture of AAD joined and Hybrid joined machines in our environment.  We already have a service created for the hybrid joined machines, but what is the best way to create another service for the AAD joined machines?

Thanks for the link.  Sorry I did not make myself clear, but I am looking for help around attributes to use in the Service rule to catch the request from AAD joined machine.

https://www.youtube.com/watch?v=MlcrqTDDufU

We have a mixture of AAD joined and Hybrid joined machines in our environment.  We already have a service created for the hybrid joined machines, but what is the best way to create another service for the AAD joined machines?

What works for me is to catch the computer Authentication for Entra ID/Intune machines with the following service match:

Then the user with a match on your Entra ID domain, which in general is different from your on premise AD domain:

Put these service above your on-premises AD Service. Or match on your on-premise AD user names and let the Entra ID users fall through to services below.

Thanks for the link.  Sorry I did not make myself clear, but I am looking for help around attributes to use in the Service rule to catch the request from AAD joined machine.

https://www.youtube.com/watch?v=MlcrqTDDufU

We have a mixture of AAD joined and Hybrid joined machines in our environment.  We already have a service created for the hybrid joined machines, but what is the best way to create another service for the AAD joined machines?

Heman - Thank you for your response.  You have definitely provided us with some ideas.  Unfortunately, our on-prem AD domain and Entra ID domain are the same.  So, what we are considering is doing some sort of prefix or suffix with the hostname to identify the AADJ machine.  The question is what condition (Type and Name) in the Service Rule to catch/match the hostname from request.  Thanks.

What works for me is to catch the computer Authentication for Entra ID/Intune machines with the following service match:

Then the user with a match on your Entra ID domain, which in general is different from your on premise AD domain:

Put these service above your on-premises AD Service. Or match on your on-premise AD user names and let the Entra ID users fall through to services below.

Thanks for the link.  Sorry I did not make myself clear, but I am looking for help around attributes to use in the Service rule to catch the request from AAD joined machine.

https://www.youtube.com/watch?v=MlcrqTDDufU

We have a mixture of AAD joined and Hybrid joined machines in our environment.  We already have a service created for the hybrid joined machines, but what is the best way to create another service for the AAD joined machines?

Are your AD clients Hybrid joined? If so, you should be able to just use Entra ID.

Heman - Thank you for your response.  You have definitely provided us with some ideas.  Unfortunately, our on-prem AD domain and Entra ID domain are the same.  So, what we are considering is doing some sort of prefix or suffix with the hostname to identify the AADJ machine.  The question is what condition (Type and Name) in the Service Rule to catch/match the hostname from request.  Thanks.

What works for me is to catch the computer Authentication for Entra ID/Intune machines with the following service match:

Then the user with a match on your Entra ID domain, which in general is different from your on premise AD domain:

Put these service above your on-premises AD Service. Or match on your on-premise AD user names and let the Entra ID users fall through to services below.

Thanks for the link.  Sorry I did not make myself clear, but I am looking for help around attributes to use in the Service rule to catch the request from AAD joined machine.

https://www.youtube.com/watch?v=MlcrqTDDufU

We have a mixture of AAD joined and Hybrid joined machines in our environment.  We already have a service created for the hybrid joined machines, but what is the best way to create another service for the AAD joined machines?

Unfortunately, we have a mixture of AAD joined and hybrid joined machines and that's the reason for 2 Services.  It is my understanding that I cannot combine the 2 Services since the Authentication Sources under Authentication has to be empty (see below) or the AAD joined machine authentication will fail. 

Are your AD clients Hybrid joined? If so, you should be able to just use Entra ID.

Heman - Thank you for your response.  You have definitely provided us with some ideas.  Unfortunately, our on-prem AD domain and Entra ID domain are the same.  So, what we are considering is doing some sort of prefix or suffix with the hostname to identify the AADJ machine.  The question is what condition (Type and Name) in the Service Rule to catch/match the hostname from request.  Thanks.

What works for me is to catch the computer Authentication for Entra ID/Intune machines with the following service match:

Then the user with a match on your Entra ID domain, which in general is different from your on premise AD domain:

Put these service above your on-premises AD Service. Or match on your on-premise AD user names and let the Entra ID users fall through to services below.

Thanks for the link.  Sorry I did not make myself clear, but I am looking for help around attributes to use in the Service rule to catch the request from AAD joined machine.

https://www.youtube.com/watch?v=MlcrqTDDufU

We have a mixture of AAD joined and Hybrid joined machines in our environment.  We already have a service created for the hybrid joined machines, but what is the best way to create another service for the AAD joined machines?