This track is suitable for organisations whose Windows 10/11 devices can be deployed and managed in NHSmail Intune but need to remain domain-joined to a local Active Directory. The Hybrid Track is recommended for organisations with:
- Strong reliance on On-Premises resources
- Complex AD Group policy with device targeting
- Applications and resources requiring an AD-only device identity authentication
For organisations finding the Cloud Track prohibitive, the Hybrid Track offers an interim solution that enables them to adopt the cloud benefits whilst maintaining on-premises connectivity. It also leaves open the option of progressing to AAD-joined devices and Cloud adoption at the same time.
- Device identity managed in nhs.net Azure AD
- Augmented access to resources in the organisation's on-premises Active Directory
- Microsoft Intune and co-management with SCCM
- Org AD users and (Hybrid-joined) devices synchronised to the nhs.net AAD
- Windows Autopilot builds for AAD-joined devices
- Enhanced access to Cloud and existing on-premises resources for AAD-joined devices, such as printing, storage, Active Directory and more
The architecture for the Hybrid Track is illustrated in the following diagram.
Hybrid Track Setup
This section explains the technical steps to be implemented for the Hybrid Track.
A Service Request is to be raised by an organisation wanting to onboard Windows 10 /11 devices via the Hybrid Track.
- Organisations are required to carry out several pre-requisite activities before they raise the Service Request.
- Organisations are required to carry out several provisioning activities after they raise the Service Request.
The following process flow outlines the pre-requisite activities to be completed by each organisation.
Local Administrators will be required to confirm that the pre-requisite activities have been completed before the Service Request can be submitted. The declaration questions are below:
- Has your organisation onboarded to NHSmail Intune?
- Is TANSync, BDS Solution or Microsoft Identity Manager (MIM) in place at your organisation?
- Is Same Sign On configured at your organisation?
- Is there a dedicated Domain Controller configured for use as part of the Cloud + Same Sign On Track and Hybrid Track setup?
- Which setup are you planning to implement?
The table below outlines the pre-requisite activities in more detail. Please ensure that each activity is properly assessed and the necessary actions planned. If a Service Request is raised while one or more of the pre-requisite activities is incomplete, the Service Request will be closed and the LA will be directed to re-submit once they are in place.
Configure / check custom identity solution (i.e., TANSync / MIM / BDS)
Description
There is a requirement for a custom identity solution to support user provisioning via the NHSmail Portal and API. TANSync is an Identity Management Solution provided by NHSmail which enables organisations to synchronise local people identities and contacts with the NHSmail API.
If this is not enabled prior to the adoption of the Hybrid SyncEngine, synchronisation of objects and identities to the nhs.net Azure AD will not take place.
What action do I need to take?
There is a dedicated team that supports TANSync configuration. LAs are responsible for engaging the support team to complete this pre-requisite.
Guidance for TANSync and the connector can be found in Tansync and Connectors – NHSmail Support.
Other synchronisation tools, such as MIM or BDS, can be used instead.

Configure / check Same Sign On
Description
Ensure the Same Sign On solution is enabled for your organisation. It provides simple password management for users by ensuring bi-directional synchronisation of passwords between NHSmail and your organisation's local Active Directory.
If the Same Sign On solution is not configured prior to the Hybrid onboarding, it will prevent the:
What action do I need to take?
There is a dedicated team that supports Same Sign On configuration. LAs are responsible for engaging the support team to complete this pre-requisite.
General guidance for Same Sign On can be found in the Same Sign On Onboarding Guide.

Stand up a Dedicated AD Domain Controller (DC)
Description
A specific DC is required to allow Hybrid operations. A server must be built with the Global Catalogue and Infrastructure Master roles in readiness for connectivity to a secure edge/VLAN.
Without the DC pre-provisioned, the Hybrid setup will be delayed due to replication and presentation issues. Once the Service Request is raised, the DC connectivity steps will be shared by the Intune Live Service Team.
What action do I need to take?
Each organisation is responsible for provisioning a server or VM to host the DC roles and for ensuring that the DC can replicate roles and directory functions within the organisation's domain/forest.
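The following PowerShell script is an added readiness check for the dedicated DC pre-requisite; it is not NHSmail's own tooling and the hostname `HYBRID-DC01` is an assumed placeholder. It confirms the server is a Global Catalogue, holds the Infrastructure Master role, and is replicating cleanly from its inbound partners (the same replication check the later "Validate Internal Active Directory Replication" activity calls for). Run it as a domain administrator from a domain-joined host with the RSAT Active Directory module installed.

```powershell
# Added example (not from the NHSmail guidance): readiness check for the dedicated Hybrid DC.
# $HybridDc is an assumed placeholder; replace it with the dedicated DC's hostname.
Import-Module ActiveDirectory

$HybridDc = 'HYBRID-DC01'

$domain = Get-ADDomain
$dc     = Get-ADDomainController -Identity $HybridDc   # throws if the DC is not registered in AD
$allDcs = Get-ADDomainController -Filter *

# Role checks required by the pre-requisite, plus the usual caveat: placing the Infrastructure
# Master on a Global Catalogue is only safe when every DC in the domain is also a GC.
$checks = [ordered]@{
    'Global Catalogue enabled'       = $dc.IsGlobalCatalog
    'Holds Infrastructure Master'    = ($domain.InfrastructureMaster -eq $dc.HostName)
    'Every DC in the domain is a GC' = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
    'LDAP reachable from this host'  = Test-NetConnection -ComputerName $dc.HostName -Port 389 `
                                           -InformationLevel Quiet -WarningAction SilentlyContinue
}

# Replication health: every inbound partner/partition must report a successful last result
# (0) and no streak of consecutive failures.
$partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound
foreach ($p in $partners) {
    $ok = ($p.LastReplicationResult -eq 0) -and ($p.ConsecutiveReplicationFailures -eq 0)
    $checks["Replication of $($p.Partition) from $($p.Partner)"] = $ok
}

$failed = @()
foreach ($entry in $checks.GetEnumerator()) {
    if ($entry.Value) { $state = 'PASS' } else { $state = 'FAIL'; $failed += $entry.Key }
    '{0,-70} {1}' -f $entry.Key, $state
}
if ($failed) {
    Write-Warning "Not ready for the Hybrid Track Service Request: $($failed -join '; ')"
}
```

Any FAIL line should be resolved before the Service Request is submitted; a replication failure in particular is the "replication and presentation issues" delay the guidance warns about, and it will not clear itself once the DC is moved onto the edge VLAN.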
Once the pre-requisite activities have been completed, please progress to reviewing the provisioning activities and completing the Service Request.
The following process flow outlines the high-level provisioning activities that must be completed.
Guidance will be provided by the Intune Live Service Team for each activity; however, please ensure your organisation has the correct technical resources available to action the following high-level activities.
| Activity | Description | Responsibility |
|---|---|---|
| Configure and validate VPN connectivity and firewall rules | Local Administrators should configure a VPN appliance to provide a tunnel endpoint for the Hybrid Connectivity infrastructure and ensure that the required ports are open for key protocols. | Organisation |
| Configure Hybrid VLAN and DC IP | Based on the information disclosed in the Cloud + Same Sign On Track and Hybrid Track Service Request, the Local Administrator should configure an Edge or DMZ VLAN to host the Domain Controller and allocate an IP for that host. | Organisation |
| Validate internal Active Directory replication with the Hybrid Domain Controller | Once presented to the Edge VLAN, the Domain Controller should be validated for internal domain consistency and directory replication. | Organisation |
| For Hybrid devices: add devices to the Hybrid-Join OU scope | Local Administrators will add devices to a specified OU to enable Hybrid Device functionality. | Organisation |
| Add DNS conditional forwarder | Local Administrators will add the NHSmail DNS resolvers to existing AD DNS servers to enable DNS query forwarding. | Organisation and Intune Live Service Team |
| Add forest trust for local org | Local Administrators will work with the NHSmail Live Service Team to enable an External Forest Trust from their AD to the Hybrid AD infrastructure. | Organisation and Intune Live Service Team |
| Add SyncEngine account delegation for local org AD OUs | Local Administrators will provide an AD delegation via the forest trust to support the LDAP functionality of the solution. | Organisation and Intune Live Service Team |
| Test end-to-end functions | Local Administrators will work with the Hybrid Infrastructure provisioning teams to validate the end-to-end functions, including connectivity, devices, and users. | Organisation and Intune Live Service Team |
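The script below is an added example of the organisation-side provisioning steps from the table (VPN port check, DNS conditional forwarder, Hybrid-Join OU scoping and forest trust verification); it is not NHSmail's own tooling. Every IP address, zone name, OU path, device name and forest name in it is an assumed placeholder, to be replaced with the values the Intune Live Service Team supplies after the Service Request. The port list is the standard Active Directory port set, not a list taken from this page. The forest trust itself is created together with the Live Service Team, so the script only verifies that it exists.

```powershell
# Added example (not NHSmail's own tooling): organisation-side Hybrid Track provisioning steps.
# All names and addresses below are assumed placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$HybridDcIp       = '10.255.0.10'                          # placeholder: DC IP on the Hybrid VLAN
$NhsmailResolvers = @('10.255.0.53', '10.255.0.54')        # placeholder: NHSmail DNS resolvers
$ForwardZone      = 'hybrid.example.nhs.uk'                # placeholder: zone to forward
$DnsServer        = 'ORG-DNS01'                            # placeholder: an existing AD DNS server
$HybridJoinOu     = 'OU=Hybrid-Join,OU=Workstations,DC=corp,DC=example'   # placeholder OU
$DevicesToJoin    = @('LAPTOP-001', 'LAPTOP-002')          # placeholder device names
$HybridForest     = 'hybrid.example.nhs.uk'                # placeholder: Hybrid AD forest name

# 1. VPN/firewall: the standard AD port set must be reachable through the tunnel
#    (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Kerberos password change, LDAPS,
#    Global Catalogue). RPC also needs the dynamic range 49152-65535, which a single
#    port probe cannot prove; check it on the firewall rule itself.
$AdPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269
$closed = foreach ($port in $AdPorts) {
    $open = Test-NetConnection -ComputerName $HybridDcIp -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $open) { $port }
}
if ($closed) { Write-Warning "Ports not reachable on $HybridDcIp via the tunnel: $($closed -join ', ')" }
else         { Write-Output  "All AD ports reachable on $HybridDcIp" }

# 2. DNS: conditional forwarder so the org's AD DNS sends queries for the Hybrid zone to
#    the NHSmail resolvers. Stored in AD (forest scope) so every DNS server picks it up.
if (-not (Get-DnsServerZone -Name $ForwardZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ForwardZone -MasterServers $NhsmailResolvers `
        -ReplicationScope 'Forest' -ComputerName $DnsServer
}
# A failed NS lookup here means forwarding (or the tunnel on port 53) is broken.
Resolve-DnsName -Name $ForwardZone -Type NS -Server $DnsServer -ErrorAction Stop | Out-Null

# 3. Devices: move computer objects into the OU scoped for Hybrid Azure AD Join.
foreach ($name in $DevicesToJoin) {
    $computer = Get-ADComputer -Identity $name
    if ($computer.DistinguishedName -notlike "*,$HybridJoinOu") {
        Move-ADObject -Identity $computer -TargetPath $HybridJoinOu
        Write-Output "Moved $name into $HybridJoinOu"
    }
}

# 4. Trust: confirm the external forest trust to the Hybrid AD is in place.
$trust = Get-ADTrust -Filter "Name -eq '$HybridForest'"
if (-not $trust) { throw "No trust to $HybridForest found; complete this step with the Live Service Team" }
'Trust to {0}: direction={1}, forest-transitive={2}' -f $trust.Name, $trust.Direction, $trust.ForestTransitive
```

Steps 2 and 4 need the DnsServer and Active Directory RSAT modules and domain administrator rights; step 1 should be run from a host inside the organisation's network so that the probe actually traverses the VPN tunnel rather than a local segment.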
Last Reviewed Date: 10/01/2023