Azure Active Directory

Have you implemented “hybrid”?

I’ve had lots of conversations with customers about Hybrid Azure AD Join, as it’s used as part of a key Windows Autopilot scenario.  But it seems this leads to a bunch of odd conversations because people hear the word “hybrid” and their minds go in different directions.  Here are some examples:

Q: Have you tried Hybrid Azure AD Join?
A: Yes, we have some of our ConfigMgr clients enrolled in Intune too.

Hmm, I think you’re really talking about co-management here, and that’s not required for Hybrid Azure AD Join.

Q: Have you tried Hybrid Azure AD Join?
A: No, we’re waiting for our Global Administrators so that we can finish the CMG setup.

Um, you don’t need a CMG to do Hybrid Azure AD Join.

Q: Have you tried Hybrid Azure AD Join?
A: No, we’re not using Windows Autopilot.

Well, you can do Hybrid Azure AD Join for your existing Windows 10 devices, even if they were already deployed.

So let’s review a few terms:

  • Hybrid Azure AD Join.  Very simply, this is an Active Directory-joined device that has also been registered with Azure AD so that the user can get an Azure AD user token for single sign-on to cloud-based services, participate in conditional access, etc.  See the documentation for more details.
  • Co-management.  When a device is being managed by both ConfigMgr and Intune, working cooperatively, it is considered to be in a “co-managed” state.  As Brad Anderson discussed, co-management is more than just having two agents on the box – saying this is “hybrid” management sells this short.  To set this up, review the co-management docs.
  • Cloud management gateway.  For devices that are managed by ConfigMgr, the cloud management gateway provides connectivity back to ConfigMgr site servers (e.g. MP, SUP), as well as functioning as a cloud distribution point (content stored in Azure storage).  This is useful in many scenarios, including Hybrid Azure AD Join, Azure AD Join, or co-management, but it’s not required for any of these scenarios.  To implement a CMG, check out the ConfigMgr documentation.
  • Windows Autopilot user-driven mode for Hybrid Azure AD Join.  This involves deploying the device using Windows Autopilot, joining the device to Azure AD, and enrolling the device in Intune.  It does require Hybrid Azure AD Join, but it does not require co-management or a CMG (but could leverage both).

So you can see that there are some relationships between these, and I’m all for customers implementing all of these.  But keep them clear and understand the dependencies:

If you want to use Windows Autopilot user-driven mode for Hybrid Azure AD Join:

  • You must have set up Hybrid Azure AD Join.
  • Co-management and CMG are optional.
  • Make sure Hybrid Azure AD Join is working properly for an existing AD-joined device before you add Windows Autopilot into the process.
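One way to verify that prerequisite on an existing AD-joined machine, as an added PowerShell example that is not from the original post: it parses the output of `dsregcmd /status` (the AzureAdJoined, DomainJoined and AzureAdPrt fields are the ones that tool prints) and reports whether the device is Hybrid Azure AD joined and whether the user actually holds an Azure AD token (PRT). The sample output below is constructed and abbreviated, not captured from a real device.

```powershell
# Added example (not from the original post): classify a device's join state from
# "dsregcmd /status" output so Hybrid Azure AD Join can be confirmed before Autopilot
# is layered on top of it.
function Get-JoinStateFromDsregcmd {
    param(
        [Parameter(Mandatory)][string[]]$StatusLines   # lines as printed by dsregcmd /status
    )
    # Collect "Name : Value" fields; the box-drawing header lines do not match and are skipped.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $domainJoined  = $fields['DomainJoined']  -eq 'YES'
    $azureAdJoined = $fields['AzureAdJoined'] -eq 'YES'
    $hasPrt        = $fields['AzureAdPrt']    -eq 'YES'   # the Azure AD user token Intune needs

    $state = 'NotJoined'
    if ($domainJoined)                     { $state = 'DomainJoinedOnly' }
    if ($azureAdJoined)                    { $state = 'AzureADJoined' }
    if ($domainJoined -and $azureAdJoined) { $state = 'HybridAzureADJoined' }

    [pscustomobject]@{
        State                   = $state
        HasUserToken            = $hasPrt
        ReadyForHybridAutopilot = ($state -eq 'HybridAzureADJoined') -and $hasPrt
        DomainName              = $fields['DomainName']
    }
}

# Constructed sample output (abbreviated), not from a real machine.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

Get-JoinStateFromDsregcmd -StatusLines $sample
# On a live machine: Get-JoinStateFromDsregcmd -StatusLines (dsregcmd /status)
```

Run it in the user's own session, since the AzureAdPrt value reflects the signed-in user's token; a device that shows DomainJoined YES but AzureAdJoined NO has not completed the Hybrid Azure AD Join process yet.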

If you want to do co-management:

  • You must have set up Hybrid Azure AD Join for Active Directory-joined devices being managed by ConfigMgr.
  • You do not need Hybrid Azure AD Join if all of your devices are joined to Azure AD.
  • CMG is optional.
  • Understand that co-management works with Azure AD Join (where typically Intune installs the ConfigMgr agent) or AD join (where ConfigMgr comes first and then the device completes the Hybrid Azure AD Join process and enrolls in Intune).

If you want to use Hybrid Azure AD Join:

  • Co-management, CMG, and Windows Autopilot are optional – you would implement this to get the benefits described above.

If you want a CMG:

  • It’s always optional, but works really well for AD-joined or Azure AD-joined devices that are managed by ConfigMgr and roam off of the corporate network (internet-connected).


  1. Why is Hybrid Azure AD Join for AD devices a requirement for ‘Windows Autopilot user-driven mode for Hybrid Azure AD Join’? I mean, if we do not configure Hybrid Azure AD Join in AD Connect etc. and only create the Autopilot profile to do Hybrid Azure AD Join, will it not work to join the device to AD and AAD, or will it simply fail during deployment?

    Can you elaborate on what ‘Cloud management gateway’ brings to the table instead of only Intune? What are the pros, and with CMG can we only use ConfigMgr client settings or do more?


    • In order for Intune to manage the user on the device, the user needs to have an Azure AD user token. To get an Azure AD user token, the Hybrid Azure AD process must complete. There are obviously more benefits to Hybrid Azure AD Join than just that, but that is why there is a hard requirement.

      You shouldn’t compare CMG vs. Intune. You should first look at ConfigMgr vs. Intune, and decide what workloads (e.g. patching, software distribution, settings, etc.) to manage with each. CMG then just opens up where this management can be done – without it, ConfigMgr can’t easily manage devices on the internet.
