For the latest information, see Azure Stack Hub integrated systems connection models on the Microsoft website.
You can deploy Microsoft Azure Stack Hub to an environment that is connected to Azure (the default) or disconnected from Azure, as shown in the following table.
Table 11. Connection options
Connect to Azure
Disconnect from Azure
Download update packages directly into Azure Stack Hub
You can deploy Microsoft Azure Stack Hub either connected to the Internet (and to Azure) or disconnected. To get the most benefit from Microsoft Azure Stack Hub, including hybrid scenarios between Azure Stack Hub and Azure, the best choice is to deploy Azure Stack Hub connected to Azure. This choice defines which options are available for your identity store—AAD or ADFS—and billing model (pay-as-you-use or capacity), as shown in the following figure.
Figure 3. Microsoft Azure Stack Hub identity store and billing options that are based on connection
If you choose the Connect to Azure option, the Microsoft Azure Stack Hub deployment connects to Azure. A connected deployment is the default option. It enables customers to get the most value from Azure Stack Hub, particularly for hybrid scenarios with both Azure and Azure Stack Hub.
With a connected deployment, you can choose between AAD and ADFS for your identity store. A disconnected deployment can only use ADFS.
Your identity store choice has no bearing on tenant VMs, the identity store, and accounts that they use, whether they can join an Active Directory Domain, and so on.
For example, you can deploy IaaS tenant VMs on top of Azure Stack Hub and join them to a corporate Active Directory domain, from which you can use accounts. You are not required to use the AAD identity store for those accounts.
When you use AAD for your identity store, you need two AAD accounts. These accounts can be the same account or different accounts. While using the same account might be simpler and useful if you have a limited number of Azure accounts, your business needs might require two accounts—global and billing:
Choose this option if you want to:
If you choose the Disconnect from Azure option, you can deploy and use Microsoft Azure Stack Hub without a connection to the Internet. Choose this option if you:
Table 12. Options that are based on physical connection
Must be capacity
Enterprise agreements (EA) only
Capacity or consumption
EA or Cloud Solution Provider (CSP)
Must be ADFS
AAD or ADFS
“Bring your own” licensing of syndicated images
Patch and update
Required, requires removable media and a separate connected device
With a disconnected deployment, you are limited to an ADFS identity store and a capacity-based billing model.
A disconnected deployment means that you will not have connectivity to Azure during deployment, or you do not want to use AAD as your identity store. However, you can later connect your Azure Stack Hub instance to Azure for hybrid scenarios for tenant virtual machines (VMs).
If you want to have connectivity to Azure after deployment, regardless of what you want to use as your identity store, choose the Connect to Azure deployment option.
Microsoft Azure Stack Hub is designed to work best when connected to Azure. The following table lists some features and functionality that are either impaired or unavailable in the disconnected mode.
Table 13. Impacted features and functionality
Impact in disconnected mode
VM deployment with DSC extension to configure VM post deployment
Impaired—DSC extension looks to the Internet for the latest WMF.
VM deployment with Docker Extension to run Docker commands
Impaired—Docker checks the Internet for the latest version and this check fails.
Documentation links in the Azure Stack Hub Portal
Unavailable—Links that use an Internet URL, such as Give Feedback, Help, Quickstart, and so on, do not work.
Alert remediation/mitigation that references an online remediation guide
Unavailable—Any alert remediation links that use an Internet URL do not work.
Marketplace syndication – The ability to select and add Gallery packages directly from the Azure Marketplace
Impaired—When you deploy Azure Stack Hub in a disconnected mode (without any Internet connectivity), you cannot download Marketplace items through the Azure Stack Hub Portal. However, use the Marketplace Syndication tool to download the Marketplace items to a computer that has Internet connectivity, and then transfer the items to your Dell EMC Integrated System.
Using Azure Active Directory federation accounts to manage an Azure Stack Hub deployment
Unavailable—Requires connectivity to Azure. ADFS with a local Active Directory instance must be used instead.
Impaired—WebApps might require Internet access for updated content.
Command Line Interface (CLI)
Impaired—The CLI has reduced functionality for authentication and provisioning of Service Principles.
Visual Studio – Cloud discovery
Impaired—Cloud Discovery either discovers different clouds or does not work at all.
Visual Studio – ADFS
Impaired—Only Visual Studio Enterprise supports ADFS.
Unavailable—Telemetry data for Azure Stack Hub and any third-party Gallery packages that depend on telemetry data are not available.
Unavailable—Internet connectivity is required for Certificate Revocation List (CRL) and Online Certificate Status Protocol (OSCP) services in the context of HTTPS.
Impaired—A common scenario for Key Vault is to have an application read secrets at runtime, which requires a service principal in the directory. In AAD, non-administrator users are permitted, by default, to add service principals, but in Active Directory (using ADFS), they are not. This scenario affects the end-to-end experience because users must always go through a directory admin to add an application.
For the latest information, see Azure disconnected deployment planning decisions for Azure Stack Hub integrated systems on the Microsoft website.