If you choose the Disconnect from Azure option, you can deploy and use Microsoft Azure Stack Hub without a connection to the Internet. Choose this option if you:

• Have security or other restrictions that require you to deploy Azure Stack Hub in an environment that is not connected to the Internet.
• Want to block data (including usage data) from being sent to Azure.
• Want to use Azure Stack Hub purely as a private-cloud solution that is deployed to your corporate intranet, and are not interested in hybrid scenarios.

With a disconnected deployment, you are limited to an ADFS identity store and a capacity-based billing model.

A disconnected deployment means that you will not have connectivity to Azure during deployment, or you do not want to use AAD as your identity store. However, you can later connect your Azure Stack Hub instance to Azure for hybrid scenarios for tenant virtual machines (VMs).

If you want to have connectivity to Azure after deployment, regardless of what you want to use as your identity store, choose the Connect to Azure deployment option.

With a connected deployment, you can choose between AAD and ADFS for your identity store. A disconnected deployment can only use ADFS.

Your identity store choice has no bearing on tenant VMs, the identity store, and accounts that they use, whether they can join an Active Directory Domain, and so on.

For example, you can deploy IaaS tenant VMs on top of Azure Stack Hub and join them to a corporate Active Directory domain, from which you can use accounts. You are not required to use the AAD identity store for those accounts.

When you use AAD for your identity store, you need two AAD accounts. These accounts can be the same account or different accounts. While using the same account might be simpler and useful if you have a limited number of Azure accounts, your business needs might require two accounts—global and billing:

• Global admin account (only required for connected deployments)—This Azure account is used to create applications and service principals for Azure Stack Hub infrastructure services in AAD. This account must have directory admin privileges to the directory under which the Azure Stack Hub system is deployed. It becomes the Global Admin for the AAD tenant. It is used:
• To provision and delegate applications and service principals for all Azure Stack Hub services that need to interact with AAD and Graph API.
• As the Service Administrator account, which owns the default provider subscription (which you can later change). You can log in to the Azure Stack Hub admin portal with this account. Use it to create offers and plans, set quotas, and perform other administrative functions in Azure Stack Hub.
• Billing account (required for both connected and disconnected deployments)—This Azure account is used to establish the billing relationship between your Azure Stack Hub system and the Azure commerce back end. This account is billed for Azure Stack Hub fees. It is also used for marketplace syndication and other hybrid scenarios.

Choose this option if you want to:

• Use your own identity store, such as Active Directory, for your Service Administrator accounts.
• Use your corporate Active Directory to manage your Service Administrator accounts.