Hybrid Cloud Print is a relatively new feature that is built on the Windows Print Server role in Windows Server 2016. It enables users to discover and securely print to on-premises printers from their Azure AD joined, and MDM managed devices, and from wherever they have an internet access.
The solution is built on a Windows print service and discovery service endpoints, both of which are running on IIS services supporting the internet Printing protocol and Mopria Alliance industry printer discovery standard, respectively. For the server-side configuration, you will need to :
- install the Print Server Windows Server feature
- Install Hybrid cloud Print through for instance, the PowerShell modules
- Configure IIS endpoints to support SSL
- Install and configure SQLite package
As the name indicates, the solution requires components both on-premises and in the cloud and as such requires hybrid identity for authentication and authorization to print resources. This will require synchronization of credentials between Azure AD and your on-premises AD.
Once the server-side configurations are complete, you can publish the print solution through Application Proxy by going through a standard app proxy configuration for the on-premises print application. You will also need to create and register 2 web apps and a native app to support OAuth 2.0 for authentication and authorization to web endpoints for discovering and printing to published on-premises printers. Here, you will have 2 choices for the pre-authentication method to use with Printer discovery and proxy Web APIs. Pre- authentication, which will require you to configure the App Proxy connectors with permissions in On-premises AD to impersonate users, OR Pass-through authentication. Both preauthentication methods are fully supported for this solution, and I’ve successfully tested out the solution with both methods.
You will also need to configure MDM policies in an MDM service such as Intune wherein you will define the hybrid cloud print settings with the Hybrid cloud print service discovery endpoints and other OAuth resource and token settings to enable the approved user using a Azure AD Joined and MDM managed device to discover published print resources, and get authenticated to and authorized to use the print service. Lastly you will need to configure permissions for a security group of allowed users to the Mopria database file, as well as print server management permissions for users who can publish printers, and grant print service Web API access permissions to relevant service principals.
In summation, the Hybrid Cloud Print solution, while still in its inception, is a great solution for supporting Printing-as-a-service including in Modern desktop scenarios leveraging the modern Identity and access management service with AAD. Admittedly, the workflow for this solution in its current iteration is rather complex, and could be further streamlined to make it truly enterprise-ready. In the next couple of articles, I’ll outline the steps for getting this solution working using the various supported preauthentication methods for the service Web APIs. cheers!
Latest posts by Chiyo Odika (see all)
- Zero Trust and the Azure Firewall service - July 9, 2019
- Making the move to Azure Security Center and Azure Sentinel - July 9, 2019
- Azure Monitor Management solution for RDS, Windows VDI and Citrix - February 28, 2019