If you use on-prem Active Directory (AD) features and would also like to use Azure AD features like conditional access, single sign-on (SSO) and more, this article is for you. In this article, you're going to learn how to set up a mode Microsoft calls Hybrid Azure AD Join.
What is Hybrid Azure AD Joined?
In a nutshell, Hybrid Azure AD Join is a mode that allows you to manage devices both via traditional on-premises AD tools but also register it with Azure AD. For more information, check out the Hybrid Azure AD Joined devices Microsoft doc.
There are many requirements and prerequisites you must meet before you can begin to configure hybrid Azure AD joined devices. Before you begin with the steps outlined in this article, be sure you meet or have the the following:
- Devices must be a supported current Windows device (Windows 10 1809 or higher or Windows Server 2016 and higher)
- An on-prem AD joined Windows 10 device
- Internet connectivity on the Windows device (enterpriseregistration.windows.net:443, login.microsoftonline.com:443 and device.login.microsoftonline.com:443)
- On-prem AD must be syncing to Azure AD to only one Azure AD tenant. Both domains for all examples in this article are called adamtheautomator.com. If you want to sync multiple Azure AD tenants as long as you use GPO instead of SCP.
- You must know your global administrator account for Azure AD. The example in this article will use the account name of adam.
- You must know an enterprise administrator account for on-prem AD. The example in this article will use the account name of [email protected].
- You have Azure AD Connect 1.1.819.0 installed on member server and synced with Azure AD
All examples in this article will be using an on-prem AD domain called adamtheautomator.com with a synced Azure AD of the same name.
For a full list of prerequisites, refer to the Plan hybrid Azure Active Directory join implementation Microsoft doc.
Configuring Azure AD Connect
The first step to setting up hybrid Azure AD joined devices is to configure Azure AD Connect. Here you will set up the Azure AD sync process to be aware of the hybrid mode you intend.
To set things up, first open up Azure AD connect and click on Configure.
On the next screen, click on Configure device options and click on Next.
Provide your Azure AD tenant's global administrator credentials and click Next.
Click on Configure Hybrid Azure AD join and Next.
On the Device Operating systems page is where you will select what types of devices you intend to onboard. For this article, we're only going to be onboarding current devices (Windows 10). Choose Windows 10 or later domain-joined devices and click Next.
For information on how to configure Windows down level devices (Windows 8.1+ and Windows Server 2008 R2+), refer to the Configure hybrid Azure Active Directory join for managed domains Microsoft doc.
You'll now create the service connection point (SCP) in Azure to allow your devices to to read Azure AD tenant information. Check your forest name under Forest, choose Azure Active Directory as the Authentication Service and then click Add to provide credentials for your on-prem enterprise admin account. When complete, click Next.
On the next screen, click on Configure to start the process. Everything should only take a few seconds.
When complete, you will be told to configure some additional steps. Click Exit when complete.
Confirming Azure AD Join Status
Once you've configured Azure AD Connect, you should now check to ensure the fruits of your labor actually paid off! Luckily, all Windows 10 devices should be hybrid AD-joined automatically eventually but for the first device, you should confirm this.
To confirm Windows 10 device registration, reboot one of them. After it comes back up, connect to it either remotely or on the console and get to a command prompt. In the command prompt, type
dsregcmd /status. If you see AzureADJoined: YES under Device State, you're in good shape.
If the device doesn't show as Azure AD-joined yet might be because the computer object hasn't been synced to Azure AD yet. You can try to force a registration by running
dsregcmd /join and looking at the status again.
If you still don't see the device has been Azure AD-joined, you may want to check out this troubleshooting guide. You may also download this PowerShell script to run on the device to perform many common tests.
Once you've confirmed the Windows 10 client says its joined, be sure to check on the Azure side too. To do that, navigate to the the Devices blade in your Azure AD tenant. Here you should see the JOIN TYPE is Hybrid Azure AD Joined and REGISTERED has a recent timestamp for the Windows 10 device.
If you see devices show up as 'Registered' and 'Hybrid Azure AD joined', you may find that AAD Conditional Access (CA) rules will not function correctly with the 'Registered' entries. To fix this, upgrade all devices to Windows 10 1903. You might also have to remove all 'Registered' entries with a script.
Once you confirm your test Windows 10 machine has been registered and joined as hybrid Azure AD joined, all other current devices in AD should begin registering as well automatically.
If a user is logged onto the joined client, they will have to log off and on to get a primary refresh token.
Once configured, devices joined in a hybrid Azure AD join model will automatically register themselves. After you perform all of the needed steps in this article, most of the hard work is done for you. At this point, you can begin using the various services Azure AD has to offer to manage all of your domain-joined devices.
Subscribe to Adam the Automator
Get the latest posts delivered right to your inbox