Hybrid Cloud Printing Via AzureAD Is Here

UPDATE 14th June: An additional guide with more details about this can be seen here

I’ve talked to a lot of schools and system integrators about using AzureAD and Microsoft Intune to manage their devices more efficiently, particularly with the announcement in 2017 of the release of Intune for Education. One of the final pieces of the cloud puzzle has been released this month with the announcement of hybrid cloud printing with AzureAD joined devices.

cloud print 1.jpg

An overview of how AzureAD Hybrid Print works

Here are some important links to get started:

From the official announcement:

Hybrid Cloud Print is built on top of the Windows Print Server role, so it supports traditional domain-joined devices in addition to Azure AD joined devices. Best of all, your existing printer management scripts, tools, reports, and procedures will continue to work as is. And it’s secured by Azure Active Directory, so you and your users still benefit from features like multi-factor authentication, identity protection and single sign-on (SSO).

My Thoughts:

This is an important step towards encouraging schools and system integrators to start using Mobile Device Management tools such as Intune in combination with AzureAD as the ability to deliver a cloud printing service remains a critical feature request from schools. With this announcement there are six new policy CSP in Intune to assist the hybrid cloud printing which enable the client device to know where the IIS service endpoints are and which Azure tenant information to authorize against.

It’s important to recognise that this remains a hybrid cloud solution as it still requires on-premise servers running Discovery Service and Windows Print Service via IIS endpoints. Here is a possible deployment:

cloud print 2.jpg

The diagram shows:

  • Hybrid Cloud Print using Azure Active Directory as the user identity provider.
  • Windows Print service and Discovery service endpoints are registered with Azure Active Directory to enable the client device to retrieve the required user authentication token to use against these services.
  • An MDM service, such as Microsoft Intune, provisions the client device with policies needed to connect Azure Active Directory to Windows Print service and Discovery service.

The school’s AzureAD subscription needs to be Premium (P1 or P2) (in New Zealand, this is included in the National Schools Agreement between Microsoft and the Ministry of Education) and provides a further compelling reason for organisations to base their identity on Azure AD.


  1. Dan Robinson May 22, 2019
    • Sam McNeill May 22, 2019

I am always keen to discuss what I've written and hear your ideas so leave a reply here...

%d bloggers like this: