Setup Hybrid Azure AD Join – Part 2

Welcome back to the second and last post to setup hybrid Azure ad join. Hopefully all went well with configuring Pass-Through Authentication. Below you will find a link back to part 1.

1. Configure Pass-Through Authentication
2. Setup Hybrid Azure AD Join

Setup Hybrid Azure AD Join

Consider the following prerequisites before moving forward.

Prerequisites

• Domain controller should be Windows Server 2008 R2 for Windows 10 devices.
• A single forest should sync identies to one Azure tenant
• FIPS compliant TMP 2.0 is supported.
• A domain controller cannot be hybrid joined
• Windows current and downlevel devices are supported
• Builting computers from an image that is already Azure joined is not supported
• Device need access to the following URLs
  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com

Steps to configue hybrid Azure AD join

Because we ran AD Connect in part 1 to connect active directory to Azure AD, the initial options at first run will not be available. When AD Connect opens, click on Customize

Select “Configure device options” – This option is used to configure device registration for Hybrid Azure AD Join.

On the overview page, click Next

Connect to Azure AD by using a user with global administrator rights.

On the device options page, select “Configure Hybrid Azure AD join” then Next

Supported devices

• Windows 10
• Windows Server 2016
• Windows Server 2019

Downlevel devices

• Windows 8.1
• Windows 7
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2008 R2

Select the appropriate option on the device operating system page based on the devices that you have in your organization

On the SCP configuration page, do the following

• First check the box under Forest
• Under Authentication Service – click on the drop down and select Azure Active Directory. If a federation service have been configured, select that option.
• Click ADD to supply the enterprise admin account for the on-premises forest.

On the ready to configure page, click Configure

Confirm device registration.

Use the Get-MsolDevice cmdlet in the Msonline module to verify the device registration state in your Azure tenant. Before you begin you will need the deviceId of a computer that should be registered in Azure AD. Find the computer in your on-premise Active Directory, right click on the computer > properties > Attribute Editor > scroll down to objectGUID and use that number as the deviceId. OPen PowerShell ISE and the run the code below.

Install-module MSonline -force
import-module msonline
$msolcred = Get-credential
Connect-MsolService -Credential $Msolcred -AzureEnvironment AzureCloud
Get-msoldevice -deviceId 7q52824c-30k1-8d1c-a947-ab34643ffddc

From the results above confirm the following.

• An object with the device id that matches the ObjectGUID on the on-premise computer must exist.
• The value for DeviceTrustType must be Domain Joined. This is equivalent to the Hybrid Azure AD joined state on the Devices page in the Azure AD portal.
• The value for Enabled must be True and DeviceTrustLevel must be Managed for devices that are used in conditional access.

Troubleshoot Hybrid Azure AD join:
If you are experiencing issues with completing hybrid Azure AD join for domain joined Windows devices, see:

• Troubleshooting Hybrid Azure AD join for Windows current devices
• Troubleshooting Hybrid Azure AD join for Windows down-level devices