Architecture overview
This deployment configures a connection between Azure AD, the Intune service (with Autopilot for enrollment), and an AWS-managed Virtual Private Cloud (VPC) that holds the WorkSpaces being deployed. The following diagram shows the architecture, and Table 1 lists the items and resources required to deploy Intune successfully to an AWS-managed environment/service:

Diagram: EC2 instances for domain resources and an AD Connector for WorkSpaces authentication, with internet connectivity to the Microsoft Azure cloud
Table 1 — items and resources required to deploy Intune to an AWS managed environment/service successfully

| Number | Description |
|---|---|
| 1 | Stand-alone Windows Server OS with Azure AD Connect and Intune Connector installed, extending the Azure domain-join function to Amazon WorkSpaces (Hybrid AD Join) and enabling read and writeback to the Windows AD domain. (Optional component: Microsoft SQL Server can run on another host; optional configuration for OU filtering.) |
| 2 | Once Windows AD user and security group objects are synchronized to Azure AD, assign Microsoft licenses (Intune/Office 365) to the Windows AD security group(s) for Amazon WorkSpaces users (to simplify license assignment in Azure AD). MDM and MAM user scopes are enabled here. |
| 3 | Assign Microsoft MDM Group Policy to the Amazon WorkSpaces directory OUs; this policy configures Hybrid Domain-join and prepares the Amazon WorkSpace for Intune user credential-based enrollment. |
| 4 | Create the Autopilot deployment profile for BYOL Windows 10 Amazon WorkSpaces (Hybrid-joined devices) and assign it to the AD security group for Amazon WorkSpaces users. |
| 5 | The user authenticates to Amazon WorkSpaces using a Windows AD UPN that matches the Azure AD UPN, initiating auto-enrollment into Azure Hybrid AD join and Intune Autopilot. |
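Steps 1 to 5 above depend on two conditions that are easy to get wrong and that the guidance only states in passing: the Windows AD UPN suffix must be a domain verified in Azure AD (step 5), and the WorkSpace must actually report both DomainJoined and AzureAdJoined before Intune enrollment can complete (steps 3 and 4). The following PowerShell is an added readiness check written for this page; it is not part of the original guidance or of any AWS or Microsoft tooling. The function and parameter names are my own, the verified-domain list is assumed to be supplied by the administrator from the Azure AD portal, and the UPNs and `dsregcmd /status` text used at the bottom are constructed sample data so the script runs offline.

```powershell
# Added example (not from the original page): readiness checks for the
# Hybrid AD Join + Intune enrollment flow in Table 1, steps 3-5.
# Function names, parameters and sample data are constructed for this example.

function Test-UpnSuffixMatch {
    # Step 5: every WorkSpaces user's AD UPN suffix must be a domain that
    # Azure AD has verified, otherwise the UPNs cannot match and enrollment fails.
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalNames,
        [Parameter(Mandatory)][string[]]$AzureVerifiedDomains   # assumed: copied from the Azure AD portal
    )
    foreach ($upn in $UserPrincipalNames) {
        $suffix = ($upn -split '@')[-1]
        [pscustomobject]@{
            UserPrincipalName = $upn
            Suffix            = $suffix
            MatchesAzureAd    = ($AzureVerifiedDomains -contains $suffix)
        }
    }
}

function Get-HybridJoinState {
    # Steps 3-4: parse the "Device State" block of dsregcmd /status. A WorkSpace is
    # hybrid joined only when DomainJoined and AzureAdJoined are both YES.
    param([string[]]$DsregOutput = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        TenantName    = $state['TenantName']
        HybridJoined  = ($state['DomainJoined'] -eq 'YES') -and ($state['AzureAdJoined'] -eq 'YES')
    }
}

# --- usage with constructed sample data ---
$sampleUpns = 'alice@corp.example.com', 'bob@corp.local'   # constructed; corp.local cannot be verified in Azure AD
$verified   = 'corp.example.com'                            # constructed; assumed verified-domain list
Test-UpnSuffixMatch -UserPrincipalNames $sampleUpns -AzureVerifiedDomains $verified | Format-Table

$sampleDsreg = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`r?`n"   # constructed sample of dsregcmd /status output
Get-HybridJoinState -DsregOutput $sampleDsreg
```

Against a live directory, feed `Test-UpnSuffixMatch` the members of the WorkSpaces users security group from step 2, for example `(Get-ADGroupMember 'WorkSpaces-Users' | Get-ADUser -Properties UserPrincipalName).UserPrincipalName` (the group name is a placeholder); any row with `MatchesAzureAd` false will not enroll and should be fixed in AD before the user signs in. Calling `Get-HybridJoinState` with no arguments on a WorkSpace runs the real `dsregcmd /status`; a result where `DomainJoined` is true but `AzureAdJoined` is false usually means the step 3 Group Policy has not applied yet or the Azure AD Connect sync from step 1 has not yet written the device object back.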