Hybrid Track

This track is suitable for organisations where Windows 10/11 devices can be deployed and managed through the NHSmail Intune service but need to remain joined to a local (on-premises) Active Directory domain. The Hybrid Track is recommended for organisations with:

  • Strong reliance on On-Premises resources
  • Complex AD Group policy with device targeting
  • Applications and resources requiring an AD-only device identity authentication

For organisations that find the Cloud Track prohibitive, the Hybrid Track offers an interim solution: devices gain the cloud management benefits whilst retaining on-premises connectivity, and the organisation can progress towards AAD-joined devices and wider cloud adoption at the same time.

Please note

To manage devices via any of the Windows 10/11 tracks, your organisation must be onboarded to the NHSmail Intune Service.

Organisations that have not already onboarded to the NHSmail Intune Service are required to register using the Intune Registration Form.

Benefits

  • Device identity managed in the nhs.net Azure AD
  • Augmented access to resources in the organisation's on-premises Active Directory
  • Microsoft Intune and co-management with SCCM
  • Organisation AD users and (hybrid-joined) devices synchronised to the nhs.net AAD
  • Windows Autopilot builds for AAD-joined devices
  • Enhanced access to cloud and existing on-premises resources for AAD-joined devices, such as printing, storage, Active Directory and more


The architecture for the Hybrid Track is illustrated in the accompanying architecture diagram.


Hybrid Track Setup  

This section explains the technical steps to be implemented for the Hybrid Track.

An organisation wanting to onboard Windows 10/11 devices via the Hybrid Track must raise a Service Request.

  • Organisations are required to carry out several pre-requisite activities before they raise the Service Request.
  • Organisations are required to carry out several provisioning activities after they raise the Service Request.

Pre-requisite Activities  

The following process flow outlines the pre-requisite activities to be completed by each organisation.


Local Administrators will be required to confirm that the pre-requisite activities have been completed before the Service Request can be submitted. The declaration questions are below:

  • Has your organisation onboarded to NHSmail Intune?
  • Is TANSync, BDS Solution or Microsoft Identity Manager (MIM) in place at your organisation?
  • Is Same Sign On configured at your organisation?
  • Is there a dedicated Domain Controller configured for use as part of the Cloud + SSO Track and Hybrid Track setup?
  • Which setup are you planning to implement?

The following outlines the pre-requisite activities in more detail. Please ensure that each activity is properly assessed and the necessary actions planned. If a Service Request is raised while one or more of the pre-requisite activities is incomplete, the Service Request will be closed and the LA will be directed to re-submit once they are in place.

Pre-requisite activity: Configure / check custom identity solution (i.e., TANSync / MIM / BDS)
Owner: Organisation

Description

There is a requirement for a custom identity solution to support user provisioning via the NHSmail Portal and API. TANSync is an Identity Management Solution provided by NHSmail which enables organisations to synchronise local people identities and contacts with the NHSmail API.

Impact

If a solution is not in place before the Hybrid SyncEngine is adopted, objects and identities will not be synchronised to the nhs.net Azure AD.

What action do I need to take?

A dedicated team supports TANSync configuration. LAs are responsible for engaging the support team to complete this pre-requisite.

Guidance for TANSync and connectors can be found in Tansync and Connectors – NHSmail Support.

Other synchronisation tools, such as MIM or BDS, can be used instead.

Pre-requisite activity: Configure / check Same Sign On
Owner: Organisation

Description

Ensure the Same Sign On solution is enabled for your organisation. It provides simple password management for users through bi-directional synchronisation of passwords between NHSmail and your organisation's local Active Directory.

Impact

If Same Sign On is not configured before Hybrid onboarding, the following will not be available:

  • Use of the same password when accessing local workstations, NHSmail services, applications using NHSmail single sign-on and Azure Active Directory
  • Application of a single password policy to both NHSmail and the local AD
  • Alignment of password expiry dates between NHSmail and the local AD

What action do I need to take?

A dedicated team supports Same Sign On configuration. LAs are responsible for engaging the support team to complete this pre-requisite.

General guidance for SSO can be found in the Same Sign On Onboarding Guide.

Pre-requisite activity: Stand up a dedicated AD Domain Controller (DC)
Owner: Organisation

Description

A specific DC is required to allow Hybrid operations. A server must be built holding the Global Catalogue and Infrastructure Master roles, ready to be presented on a secure edge VLAN.

Impact

Without the DC pre-provisioned, the Hybrid setup will be delayed by replication and presentation issues. Once the Service Request is raised, the DC connectivity steps will be shared by the Intune Live Service Team.

What action do I need to take?

Each organisation is responsible for provisioning a server or VM to host the DC roles and for ensuring that the DC can replicate roles and directory functions within the organisation's domain/forest.
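The dedicated DC pre-requisite can be checked before the Service Request is raised. The PowerShell below is an added example, not NHSmail tooling; it uses the RSAT ActiveDirectory module and assumes a DC named HYB-DC01 (replace with your own). It confirms the Global Catalogue flag, the Infrastructure Master role holder and inbound replication health, and corrects the first two where they are not yet in place.

```powershell
# Added example (not part of the NHSmail guidance): readiness checks for the dedicated Hybrid DC.
# Run as a Domain Admin on the new DC, or on any domain member with RSAT installed.
Import-Module ActiveDirectory

$HybridDc = 'HYB-DC01'   # assumption: hostname of the dedicated Hybrid DC

$dc     = Get-ADDomainController -Identity $HybridDc
$domain = Get-ADDomain

# Replication health: every inbound partner and any recorded failures for this DC
$partners = Get-ADReplicationPartnerMetadata -Target $HybridDc -Scope Server
$failures = Get-ADReplicationFailure -Target $HybridDc -Scope Server

$holdsInfraMaster = $domain.InfrastructureMaster -like "$HybridDc.*"

[pscustomobject]@{
    'Is Global Catalogue'         = $dc.IsGlobalCatalog
    'Holds Infrastructure Master' = $holdsInfraMaster
    'Site'                        = $dc.Site
    'Inbound replication partners'= ($partners | Measure-Object).Count
    'Oldest successful sync'      = ($partners | Sort-Object LastReplicationSuccess |
                                     Select-Object -First 1).LastReplicationSuccess
    'Replication failures'        = ($failures | Measure-Object).Count
} | Format-List

# Enable the Global Catalogue on this DC if the check above came back False
# (bit 1 of the NTDS Settings "options" attribute turns the GC on)
if (-not $dc.IsGlobalCatalog) {
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = 1 }
}

# Transfer the Infrastructure Master role to this DC if it is held elsewhere
if (-not $holdsInfraMaster) {
    Move-ADDirectoryServerOperationMasterRole -Identity $HybridDc `
        -OperationMasterRole InfrastructureMaster
}

# Replication failures above zero should be investigated with repadmin before the
# DC is presented on the edge VLAN, e.g.  repadmin /showrepl $HybridDc
```

One caveat practitioners should keep in mind: when the Infrastructure Master is also a Global Catalogue it stops updating cross-domain object references unless every DC in the domain is a GC. In a single-domain forest this has no effect; in a multi-domain forest, make sure all DCs are GCs before placing both on the same server as the pre-requisite asks.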
Please note

The prerequisite activities for the Hybrid track and Cloud + SSO track are the same.

Once the pre-requisite activities have been completed, please progress to reviewing the provisioning activities and completing the Service Request.

Please note

To raise the Service Request (the same Intune Service Request form covers both the Cloud + SSO Track and the Hybrid Track), follow the steps below.

1) Navigate to Helpdesk Self Service
2) Click ‘Raise a Request’
3) Navigate to the ‘Intune Service Request’ Tile
4) Complete the mandatory fields and then select ‘Request for Cloud + SSO Track and Hybrid Track’
5) Complete the remaining fields and submit

Provisioning Activities  

The following process flow outlines the high-level provisioning activities that must be completed.


Guidance will be provided by the Intune Live Service Team for each activity, however, please ensure your organisation has the correct technical resources available to action the following high-level activities.

Configure and validate VPN connectivity and firewall rules
Owner: Organisation
Local Administrators should configure a VPN appliance to provide a tunnel endpoint for the Hybrid connectivity infrastructure and ensure that the required ports are open for the key protocols.

Configure Hybrid VLAN and DC IP
Owner: Organisation
Based on the information disclosed in the Cloud + SSO Track and Hybrid Track Service Request, the Local Administrator should configure an Edge or DMZ VLAN to host the Domain Controller and allocate an IP address for that host.

Validate internal Active Directory replication with the Hybrid Domain Controller
Owner: Organisation
Once presented on the Edge VLAN, the Domain Controller should be validated for internal domain consistency and directory replication.

For Hybrid devices: add devices to the Hybrid-Join OU scope
Owner: Organisation
Local Administrators will add devices to a specified OU to enable Hybrid device functionality.

Add DNS conditional forwarder
Owner: Organisation and Intune Live Service Team
Local Administrators will add the NHSmail DNS resolvers to existing AD DNS servers to enable DNS query forwarding.

Add forest trust for the local organisation
Owner: Organisation and Intune Live Service Team
Local Administrators will work with the NHSmail Live Service Team to enable an external forest trust from their AD to the Hybrid AD infrastructure.

Add SyncEngine account delegation for local organisation AD OUs
Owner: Organisation and Intune Live Service Team
Local Administrators will provide an AD delegation via the forest trust to support the LDAP functionality of the solution.

Test end-to-end functions
Owner: Organisation and Intune Live Service Team
Local Administrators will work with the Hybrid infrastructure provisioning teams to validate the end-to-end functions, including connectivity, devices and users.
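The provisioning activities above (VPN ports, conditional forwarder, forest trust, SyncEngine delegation, Hybrid-Join OU scope and the final end-to-end test) can be validated from the local organisation's side with the PowerShell below. It is an added example, not NHSmail tooling: the Hybrid forest name, NHSmail resolver addresses, OU path and SyncEngine account are placeholders that the Intune Live Service Team supplies, and the port list is the usual set for AD trusts and replication, which the page itself does not enumerate.

```powershell
# Added example (not NHSmail's own tooling): validate the Hybrid provisioning steps from a
# domain member with RSAT (ActiveDirectory and DnsServer modules). Every value below is an
# assumption to be replaced with the details shared by the Intune Live Service Team.
Import-Module ActiveDirectory
Import-Module DnsServer

$HybridDc       = 'HYB-DC01'                     # dedicated DC on the Edge/DMZ VLAN
$HybridForest   = 'hybrid.example.net'           # assumed DNS name of the Hybrid AD forest
$NhsResolvers   = @('192.0.2.10', '192.0.2.11')  # placeholder NHSmail DNS resolver addresses
$HybridJoinOU   = 'OU=HybridJoin,OU=Workstations,DC=corp,DC=example'  # assumed OU
$SyncEngineAcct = 'HYBRID\svc-syncengine'        # assumed cross-forest SyncEngine account

# 1. Connectivity: ports the VPN tunnel and firewall must pass for DNS, Kerberos, RPC,
#    LDAP/LDAPS, SMB and the Global Catalogue (standard AD/trust requirements, assumed here)
$ports = [ordered]@{ DNS=53; Kerberos=88; RPC=135; LDAP=389; SMB=445; KPasswd=464; LDAPS=636; GC=3268; GCSSL=3269 }
$portResults = foreach ($p in $ports.GetEnumerator()) {
    $t = Test-NetConnection -ComputerName $HybridDc -Port $p.Value -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $p.Key; Port = $p.Value; Open = $t.TcpTestSucceeded }
}
$portResults | Format-Table -AutoSize
# Note: RPC also needs the dynamic range (49152-65535 by default), which a TCP probe of 135 does not prove.

# 2. DNS: conditional forwarder for the Hybrid forest, pointing at the NHSmail resolvers,
#    created on the AD-integrated DNS if it does not already exist, then resolved via SRV
if (-not (Get-DnsServerZone -Name $HybridForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $HybridForest -MasterServers $NhsResolvers -ReplicationScope Forest
}
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$HybridForest" -Type SRV |
    Format-Table Name, NameTarget, Port -AutoSize

# 3. Trust: the external forest trust towards the Hybrid forest exists and verifies
$trust = Get-ADTrust -Filter "Target -eq '$HybridForest'"
if ($null -eq $trust) {
    Write-Warning "No trust object found for $HybridForest"
} else {
    $trust | Format-List Name, Direction, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication
    netdom trust $env:USERDNSDOMAIN /Domain:$HybridForest /Verify
}

# 4. Delegation: the SyncEngine account holds an ACE on the OU it reads over LDAP
$acl = Get-Acl -Path "AD:\$HybridJoinOU"
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $SyncEngineAcct } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize

# 5. Device scope: how many computers currently sit in the Hybrid-Join OU
$inScope = Get-ADComputer -Filter * -SearchBase $HybridJoinOU
"Devices in Hybrid-Join OU: $(($inScope | Measure-Object).Count)"
```

The trust properties printed in step 3 are worth a deliberate decision rather than defaults: SID filtering (quarantine) is on for new external trusts and should stay on, and enabling selective authentication limits which resources principals from the Hybrid forest can reach to those explicitly granted "Allowed to Authenticate". The delegation in step 4 should likewise be scoped to the OUs the SyncEngine needs and to read rights unless the Intune Live Service Team specifies otherwise.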
Please note

Provisioning activities for the Hybrid track and Cloud + SSO track are the same.

Updated on 12/05/2022