Configure Hybrid Azure AD Join – Part 2: Configuring a Managed Domain

This is part 2 of a 5 part series on configuring Hybrid Azure AD Join:


In part 2 of this series, we will be discussing the configuration of Hybrid Azure AD Join in a managed domain environment. If you have not looked at part 1 of this series, I highly suggest reviewing Part 1 – Overview before moving forward.

Prerequisites

  • A supported version of the Azure AD Connect Tool (1.1.819.0 or higher)
  • Devices need to have access to the following URLs from inside your network:
    • https://enterpriseregistration.windows.net
    • https://login.microsoftonline.com
    • https://device.login.microsoftonline.com
    • https://autologon.microsoftazuread-sso.com (If you are using or planning to use Seamless SSO)
  • If your organization requires access to the Internet via an outbound proxy, starting with Windows 10 1709, you can configure proxy settings on your computer using a group policy object (GPO). If your computer is running anything older than Windows 10 1709, you must implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to do device registration with Azure AD.
  • If your organization requires access to the Internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy using machine context.
  • Policy to automatically register devices in Azure AD (this is turned on by default in ConfigMgr CB client settings – Cloud Services > Automatically register new Windows 10 domain joined devices with Azure Active Directory). If you want better control over this policy, set the client setting to No and use a GPO to manage the policy in AD – Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration > Register domain joined computers as devices.
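As an added example (not part of the original post), the following PowerShell script checks the client-side prerequisites listed above on a domain-joined Windows 10 device: TCP reachability of the registration endpoints, whether the OS build supports proxy configuration through GPO, and whether the automatic registration policy is present. The registry location of that policy value (`HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\autoWorkplaceJoin`) is an assumption; verify it against the GPO's ADMX on your own domain.

```powershell
# Added example, not from the original post: client-side prerequisite checks
# for Hybrid Azure AD Join. Run on a domain-joined Windows 10 device as an
# administrator. The registry path below is an assumption about where the
# "Register domain joined computers as devices" policy is stored.

# Endpoints listed in the prerequisites. The Seamless SSO endpoint is optional.
$RequiredEndpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com'
)
$OptionalEndpoints = @('autologon.microsoftazuread-sso.com')

function Test-HybridJoinEndpoints {
    param([string[]]$Hosts, [int]$Port = 443)
    foreach ($h in $Hosts) {
        # Test-NetConnection performs a TCP handshake only; it does not prove that
        # an authenticated proxy will accept the later HTTPS request in machine context.
        $r = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port = $Port; Reachable = [bool]$r.TcpTestSucceeded }
    }
}

function Test-ProxyPolicySupport {
    # Windows 10 1709 is build 16299; older builds need WPAD rather than a GPO
    # for device registration proxy settings.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $gpoSupported = ($build -ge 16299)
    $advice = if ($gpoSupported) { 'Configure proxy settings via GPO' } else { 'Implement WPAD' }
    [pscustomobject]@{
        Build             = $build
        GpoProxySupported = $gpoSupported
        Recommendation    = $advice
    }
}

function Test-AutoRegistrationPolicy {
    # Assumed location of the policy value; 1 means automatic registration is enabled.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $name  = 'autoWorkplaceJoin'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        PolicyPath = "$key\$name"
        Configured = ($null -ne $value)
        Enabled    = ($value -eq 1)
    }
}

# Usage: run each check and review the tables.
Test-HybridJoinEndpoints -Hosts $RequiredEndpoints | Format-Table -AutoSize
Test-HybridJoinEndpoints -Hosts $OptionalEndpoints | Format-Table -AutoSize
Test-ProxyPolicySupport
Test-AutoRegistrationPolicy
```

If the policy value is absent on a device managed by ConfigMgr, that is expected when the client setting (rather than the GPO) is doing the work; the check is most useful after you have switched the client setting to No and moved control to the GPO.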

Synchronize Computer Objects

The first thing we will need to do is configure the Azure AD Connect Tool to synchronize the computer objects in your organization. This is done the same way you configured user synchronization.

  • From your Azure AD sync server, launch the Azure AD Connect tool as an administrator.
  • On the Welcome to Azure AD Connect page click Configure.
  • On the Additional Tasks page, select Customize synchronization options and click Next.

  • On the Connect to Azure AD page, enter your Azure AD credentials with the appropriate permissions to make the necessary changes.
  • On the Connect your directories page, you should already see your AD directory selected – just click Next.
  • On the Domain and OU filtering page, select the OUs of the computer objects you want to sync to Azure AD and click Next.
  • Just click Next throughout the rest of the Wizard since we won’t be making any other changes and finally click Configure.
  • On the Configuration complete page, click Exit.

Configure the Service Connection Point (SCP)

Before completing this step, it is a good idea to check whether an SCP has already been configured in your forest. To do this, run the following PowerShell commands (make sure to replace the LDAP path with your forest name):
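As an added example (not the commands from the original post), here is a PowerShell function that reads the Hybrid Azure AD Join SCP from the forest's Configuration partition. It goes slightly beyond the single hard-coded LDAP path the post refers to: the configuration naming context is read from RootDSE, so the same function works in any forest without editing the path. The container GUID is the well-known name of the device registration SCP; the `azureADName`/`azureADId` keyword names are what a configured SCP carries.

```powershell
# Added example, not from the original post: locate and read the Hybrid Azure AD
# Join Service Connection Point in the current (or a named) forest.

function Get-HybridJoinScp {
    param(
        # Optional domain controller or forest DNS name. When omitted, a serverless
        # RootDSE bind against the current forest is used.
        [string]$Server
    )
    $rootPath = if ($Server) { "LDAP://$Server/RootDSE" } else { 'LDAP://RootDSE' }
    $rootDse  = [ADSI]$rootPath
    $configNc = $rootDse.configurationNamingContext.Value

    # Well-known container name used for the device registration SCP.
    $scpDn   = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    $scpPath = if ($Server) { "LDAP://$Server/$scpDn" } else { "LDAP://$scpDn" }

    # An [ADSI] bind is lazy, so test existence explicitly before reading attributes.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
        return [pscustomobject]@{ Configured = $false; Path = $scpPath; Keywords = @(); TenantName = ''; TenantId = '' }
    }

    $scp      = [ADSI]$scpPath
    $keywords = @($scp.keywords) | ForEach-Object { [string]$_ }

    # A configured SCP carries 'azureADName:<tenant domain>' and 'azureADId:<tenant GUID>'.
    $tenantName = [string](($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', '')
    $tenantId   = [string](($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', '')

    [pscustomobject]@{
        Configured = ($keywords.Count -gt 0)
        Path       = $scpPath
        Keywords   = $keywords
        TenantName = $tenantName
        TenantId   = $tenantId
    }
}

# Usage: run from a domain-joined machine with read access to the Configuration partition.
Get-HybridJoinScp
```

A result with `Configured = True` and the two keywords means the SCP already exists and you can skip the wizard steps in this section; `Configured = False` means the container has not been created yet. Comparing `TenantId` against your own tenant's directory ID is a cheap sanity check that the forest points at the tenant you expect.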

If the SCP has already been configured you will see output like the one shown below:

If you receive the keyword output, you can skip this step, as the SCP has already been configured. If not, continue with the steps below.

  • From your Azure AD sync server, launch the Azure AD Connect tool as an administrator.
  • On the Welcome to Azure AD Connect page click Configure.
  • On the Additional Tasks page, select Configure device options and click Next.

  • On the Overview page, click Next.
  • On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant.
  • On the Device options page, select Configure Hybrid Azure AD join, and then click Next.

  • On the SCP configuration page, for each forest in which you want Azure AD Connect to configure the SCP, select the forest, select the authentication service, and click Add. Provide Enterprise Administrator credentials when prompted. When you're finished, click Next.
  • On the Device operating systems page, select the operating systems you plan to hybrid join to Azure AD, and then click Next.
  • On the Ready to configure page, click Configure.
  • On the Configuration complete page, click Exit.

Verify the Registration

Once the devices successfully register in Azure AD you will see the following under the Devices node in the Azure Portal:

Please note that existing devices will take a little longer to register, so be patient if they are not showing as hybrid joined right away. New machines should register fairly quickly.
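As an added example (not part of the original post), the following PowerShell script confirms the join state from the client side rather than the portal by parsing the output of `dsregcmd /status`, the device registration status tool that ships with Windows 10. The field names used (`AzureAdJoined`, `DomainJoined`, `DeviceId`, `TenantName`) are those printed by the tool; the sample output embedded below is constructed so the parser can be exercised offline.

```powershell
# Added example, not from the original post: confirm hybrid join state on a
# client by parsing 'dsregcmd /status'. The sample block is constructed for
# offline demonstration; the live check at the end runs the real tool.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Fields look like '   AzureAdJoined : YES'; banner and blank lines are skipped.
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$State)
    # Hybrid join means the device is both domain joined and Azure AD joined.
    $azureJoined  = ($State['AzureAdJoined'] -eq 'YES')
    $domainJoined = ($State['DomainJoined']  -eq 'YES')
    [pscustomobject]@{
        HybridJoined  = ($azureJoined -and $domainJoined)
        AzureAdJoined = $State['AzureAdJoined']
        DomainJoined  = $State['DomainJoined']
        DeviceId      = $State['DeviceId']
        TenantName    = $State['TenantName']
    }
}

# Constructed sample resembling the Device State section of dsregcmd output.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

# Offline run against the constructed sample: HybridJoined should be True.
Test-HybridJoinState -State (ConvertFrom-DsregStatus -Lines $sample)

# Live check on the current device.
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Test-HybridJoinState -State (ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status))
}
```

A device that has not yet picked up the registration will typically show `AzureAdJoined : NO` while `DomainJoined : YES`; given the note above about existing devices taking longer, re-running this check after the next scheduled task or reboot is more useful than waiting on the portal to refresh.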

For troubleshooting Windows current devices, see here.

For troubleshooting Windows down level devices, see here.
