2023-12-09: This page has been updated to reflect the renaming of Azure AD to Entra ID:
Azure AD is Becoming Microsoft Entra ID - Microsoft Community Hub
Whether devices still need to be Hybrid Joined is asked more than any other question in the community, and this page aims to cover the common myths and misconceptions behind the main reasons people believe their devices must remain Hybrid Joined.
The word "Hybrid" is often used interchangeably in discussions around Active Directory/Entra ID/Intune, but it actually refers to two distinct technologies:
Hybrid Identity is the technology that underpins almost all of the infrastructure supporting an on-premises + Microsoft Cloud environment. It is 100% required in that scenario and is not in question.
With Entra ID Connect configured, an on-premises account and its authentication method are synced to Entra ID. This extends on-premises accounts into the cloud and enables single sign-on across cloud services.
Microsoft Entra Hybrid Join for devices is the technology actually being discussed below.
1: We need to be Hybrid to access file-shares on-prem!
Assuming Hybrid Identity is configured appropriately through Entra ID Connect, a user accessing a file-share from a fully cloud-native device will reach the share in exactly the same way as from a domain-joined device.
You would still need line-of-sight to the server either physically or via a VPN.
2: We have ConfigMgr and need to be Hybrid to keep using it!
Using co-management via cloud attach and a Cloud Management Gateway (CMG), you can continue to use your on-premises infrastructure to deploy policies, applications and updates to endpoints.
3: We've got legacy apps that need us to be Hybrid!
Unless the application uses device-based authentication (which is neither common nor a recommended practice), a cloud-native device can access a web or thick-client app in the same way a domain-joined device would.
You would still need line-of-sight to the server either physically or via a VPN.
Consider publishing internal web apps through Entra ID Application Proxy, and consider SaaS versions of your software that integrate with Entra ID.
4: We have to be Hybrid as we use RADIUS/802.1x!
This is a valid reason to require Microsoft Entra Hybrid Join (MEHJ), as it relies on device authentication. To take a cloud-first mindset, however, you should investigate ways to transition away from it, such as utilising user- or certificate-based authentication, third-party integrations, or removing the requirement entirely.
5: Devices are only secure if they're domain joined!
This is incredibly outdated thinking. If domain join is what your security model rests on, your infrastructure is likely weak in other areas, which may lead to a serious breach.
Begin by reviewing guidance on Zero Trust identity and device access concepts, and pivot your thinking around security and risk.
Source: Enrollment for Microsoft Entra Hybrid Joined devices - Windows Autopilot | Microsoft Learn
There is no supported migration path from Hybrid Joined devices to cloud-native devices that doesn't potentially compromise the device in a way that could cause significant issues in the future and be almost impossible to diagnose. The device should be wiped/reset and brought in as cloud native via Autopilot, either through attrition (the leaver/joiner process) or through defined projects to bring devices into Modern Management.
There is no pressure to do this within a defined timescale. Your existing on-premises infrastructure will continue to manage those devices.
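Because the only clean route off Hybrid Join is a reset, the first step in any such project is knowing which devices are actually Hybrid Joined rather than already Entra Joined. The script below is an added example, not from the original page: it classifies a device's join state from the `dsregcmd /status` output and flags the ones that need the Autopilot reset path. It assumes `dsregcmd.exe` is present (Windows 10/11); the sample output is constructed.

```powershell
# Added example: classify join state from dsregcmd /status (assumes dsregcmd.exe exists).
function Get-DeviceJoinState {
    param(
        # Accepts captured output for offline testing; defaults to the live command.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Key : Value" rows; collect only the fields needed here.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|DomainName|Device Name)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $entra  = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'

    # Hybrid Join = joined to both AD and Entra; cloud native = Entra only.
    $state = switch ($true) {
        ($entra -and $domain)      { 'Entra Hybrid Joined'; break }
        ($entra -and -not $domain) { 'Entra Joined (cloud native)'; break }
        ($domain)                  { 'Domain Joined only (not in Entra)'; break }
        ($wpj)                     { 'Entra Registered (workplace join)'; break }
        default                    { 'Not joined' }
    }

    [pscustomobject]@{
        DeviceName = $fields['Device Name']
        Domain     = $fields['DomainName']
        Tenant     = $fields['TenantName']
        JoinState  = $state
        NeedsReset = ($state -eq 'Entra Hybrid Joined')  # no supported in-place migration
    }
}

# Constructed sample mirroring the dsregcmd /status layout, for a dry run:
$sample = @(
    '             Device Name : LAPTOP-01.corp.example',
    '           AzureAdJoined : YES',
    '        EnterpriseJoined : NO',
    '            DomainJoined : YES',
    '              DomainName : CORP',
    '              TenantName : Contoso',
    '         WorkplaceJoined : NO'
)
Get-DeviceJoinState -StatusLines $sample | Format-List

# Live check on the current device (uncomment to run):
# Get-DeviceJoinState
```

Run across a fleet (for example via a ConfigMgr or Intune script deployment) and collect the `NeedsReset` column to size the attrition or project work.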