UPDATE 14th June: An additional guide with more details about this can be seen here
I’ve talked to a lot of schools and system integrators about using AzureAD and Microsoft Intune to manage their devices more efficiently, particularly with the announcement in 2017 of the release of Intune for Education. One of the final pieces of the cloud puzzle has been released this month with the announcement of hybrid cloud printing with AzureAD joined devices.

An overview of how AzureAD Hybrid Print works
Here are some important links to get started:
From the official announcement:
Hybrid Cloud Print is built on top of the Windows Print Server role, so it supports traditional domain-joined devices in addition to Azure AD joined devices. Best of all, your existing printer management scripts, tools, reports, and procedures will continue to work as is. And it’s secured by Azure Active Directory, so you and your users still benefit from features like multi-factor authentication, identity protection and single sign-on (SSO).
My Thoughts:
This is an important step towards encouraging schools and system integrators to start using Mobile Device Management tools such as Intune in combination with AzureAD as the ability to deliver a cloud printing service remains a critical feature request from schools. With this announcement there are six new policy CSP in Intune to assist the hybrid cloud printing which enable the client device to know where the IIS service endpoints are and which Azure tenant information to authorize against.
It’s important to recognise that this remains a hybrid cloud solution as it still requires on-premise servers running Discovery Service and Windows Print Service via IIS endpoints. Here is a possible deployment:
The diagram shows:
- Hybrid Cloud Print using Azure Active Directory as the user identity provider.
- Windows Print service and Discovery service endpoints are registered with Azure Active Directory to enable the client device to retrieve the required user authentication token to use against these services.
- An MDM service, such as Microsoft Intune, provisions the client device with policies needed to connect Azure Active Directory to Windows Print service and Discovery service.
The school’s AzureAD subscription needs to be Premium (P1 or P2) (in New Zealand, this is included in the National Schools Agreement between Microsoft and the Ministry of Education) and provides a further compelling reason for organisations to base their identity on Azure AD.
Hi Sam, just exploring this whole cloud print space now. Although this looks like a step in the right direction from MS, this is not going to be attractive to smaller NZ schools until it can be detached from the requirement of needing local AD infrastructure. I would be interested if you know of any MS solution down this line of design.
Hi Dan
Yes, the future is all around AzureAD identity for printing and true cloud print queues.
Watch this space …. for a third party print solution already in play then check out http://www.printix.net
Cheers
Sam