Hybrid Azure AD join – Part one: What is it and how to set it up
To this day, a hybrid environment (connecting your on-premises AD with Azure AD) is considered the gold standard by many and is widely used by a lot of companies and organizations.
There’s a reason for it. You get the best of both worlds: high scalability and flexibility without compromising security, device management both on-prem and in the cloud, Line of Business application support, and more.
If you’re one of the people who has wisely chosen this infrastructure model, you will definitely benefit from something called Hybrid Azure AD Join.
Now… I know, the word is quite a mouthful, but once you get to know this useful tool you will see how much it can help with managing devices in a hybrid environment.
What is Hybrid Azure AD join
When you ‘Hybrid join’ a device, it exists as an object in both your on-premises AD and in Azure AD, so you can manage it in both. This way you can use cloud features such as Single Sign-On and Conditional Access while still applying GPOs and other on-prem tooling.
Furthermore, by enrolling the devices in Intune you can manage them even further and give them extra cloud capabilities.
Setting up Hybrid Azure AD join
Let’s start looking into how we will set up Hybrid Azure AD join. First we’ll look into the requirements for this particular demo and then we’ll look at how to get it to work. In Part two we will cover how to automatically enroll devices in Intune and how to then test them.
Our test-environment will consist of:
- A Windows Server 2016
- Set up as a Domain Controller
- Synced with Azure AD (via Azure AD Connect)
- With a proper UPN suffix defined, matching a verified custom domain in Azure AD
- A Windows 10 device
- Domain joined (to the on-prem AD only, NOT joined to Azure AD)
You also want to make sure you have access to both an on-prem Administrator account and an Azure AD Global Administrator account.
If you want to test the capabilities of your Hybrid Azure AD joined device after setup, an Intune license is needed.
Configure Azure AD Connect
The first step is to open Azure AD Connect on your sync server.
You will see a whole list of options you can configure; the one we’re looking for is Configure device options.
After that, click Next on the Overview page.
You will now be prompted to enter your Azure AD Global Administrator credentials, fill those in.
Now, you guessed it, select Configure Hybrid Azure AD join.
After that, select the forests you want to configure in the SCP configuration screen. The SCP (Service Connection Point) is an object Azure AD Connect writes into your forest; domain-joined Windows devices read it to find out which Azure AD tenant they should register with.
Choose Azure Active Directory as Authentication Service. Click Add to add your on-prem administrator (you will be prompted to log in as an Enterprise Admin, because the SCP is created in the forest’s Configuration partition).
After that, you can choose which Windows versions you want to configure. You can choose one of them, or both (in this case we will only look at Windows 10 devices; go to this link to see how to handle downlevel devices).
Finally click Configure and, after a little wait, you’ll be greeted with a confirmation that the configuration completed.
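Before moving to the client, it is worth confirming that the wizard actually wrote the SCP. The following script is an added example and is not part of the original post: run it on the domain controller (or any machine with the ActiveDirectory RSAT module) and it reads the well-known SCP object, extracts the tenant name and tenant ID from its keywords attribute, and compares the tenant name against the UPN suffixes in the forest. The suffix comparison is only a sanity check I added; the SCP may legitimately name any verified domain of your tenant.

```powershell
# Added example (not from the original post): verify the Service Connection Point
# that Hybrid Azure AD join relies on was created by Azure AD Connect.
Import-Module ActiveDirectory

# The SCP always lives under this well-known GUID in the forest's Configuration
# partition; that is why the wizard asked for Enterprise Admin credentials.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=62a0ff2e-97b9-4288-ba99-4f14ce5ed6dc,CN=Device Registration Configuration,CN=Services,$configNC"

try {
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
} catch {
    Write-Warning "No SCP found at $scpDn. Re-run 'Configure device options' in Azure AD Connect."
    return
}

# keywords carries two values: the tenant's verified domain name and the tenant ID.
$tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

if (-not $tenantName -or -not $tenantId) {
    Write-Warning "SCP exists but is missing azureADName/azureADId keywords: $($scp.keywords -join ', ')"
    return
}

# Heuristic sanity check (my addition): the tenant name should normally be one of
# the UPN suffixes you sync, otherwise users' UPNs and the tenant will not line up.
$upnSuffixes = @((Get-ADForest).UPNSuffixes) + (Get-ADForest).RootDomain

[pscustomobject]@{
    TenantName       = $tenantName
    TenantId         = $tenantId
    MatchesUpnSuffix = $upnSuffixes -contains $tenantName
    SuffixesInForest = $upnSuffixes -join ', '
}
```

If the object is missing, clients will never attempt the join, no matter how long you wait; if it is present but points at the wrong tenant, they will try to register with a tenant that does not know them.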
Checking our configuration
Now we have to make sure our Hybrid Azure AD join configuration was successful. Since Windows 10 devices are hybrid joined automatically, the most valuable tool we have is patience. Speaking from experience, this can take quite some time (at least 5 minutes, often more). Reboot your device and go ahead and get yourself a nice cup of coffee, you earned it!
Seriously though, there are multiple ways we can check if our device is hybrid joined.
First up: cmd.
Open an elevated command prompt and enter: dsregcmd /status
If it says AzureAdJoined : YES (and DomainJoined : YES, which it should already, since the device is domain joined), then you’re halfway there! If it still says NO after rebooting and waiting 10 more minutes, try following this troubleshooting guide.
Key here is to check the Event Viewer logs for errors and figure out what went wrong (Hybrid Join logs are located under Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin).
For example, error 0x801c03f2 means Azure AD cannot find the device object, which typically means the device (or its OU) is not in scope of your Azure AD Connect sync. Change the Domain/OU filtering in Azure AD Connect to include it and wait for the next sync cycle before trying again.
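Rather than reading the dsregcmd output and the event log by hand, the check can be scripted. The following is an added example, not code from the original post: it parses dsregcmd /status into a hashtable, decides whether the device is actually hybrid joined (domain joined AND Azure AD joined, as opposed to merely Azure AD registered), and, if it is not, lists the recent errors from the User Device Registration log and starts the scheduled task that performs the join so you do not have to reboot and log in repeatedly. Run it in an elevated PowerShell session on the client.

```powershell
# Added example (not from the original post): check a Windows 10 client's
# Hybrid Azure AD join state and surface registration errors in one go.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines grouped in sections; collect them into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

$s = Get-DsregStatus

# Hybrid join means DomainJoined AND AzureAdJoined are both YES. AzureAdJoined alone is
# not enough (a cloud-only joined device shows YES too), and WorkplaceJoined : YES would
# mean an Azure AD *registered* device, which is a different state entirely.
$hybrid = ($s['DomainJoined'] -eq 'YES') -and ($s['AzureAdJoined'] -eq 'YES')

[pscustomobject]@{
    DomainJoined    = $s['DomainJoined']
    AzureAdJoined   = $s['AzureAdJoined']
    WorkplaceJoined = $s['WorkplaceJoined']
    HybridJoined    = $hybrid
    DeviceId        = $s['DeviceId']     # compare with the Device ID shown in the Azure AD portal
    TenantName      = $s['TenantName']
}

if (-not $hybrid) {
    # Registration failures are written to the User Device Registration admin log.
    # Level 2 = Error. Look back 24 hours, newest first, first line of each message.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Level     = 2
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize

    # Trigger the built-in task that performs the join instead of waiting for the next logon.
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
}
```

The DeviceId it prints is the value to compare against the device list in Azure AD: if the IDs differ, you are looking at a stale or duplicate object rather than the device in front of you.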
Now to check in the Azure AD device list.
In the Azure AD portal, go to Devices. There you should see your device with the join type Hybrid Azure AD joined, BUT it has to be registered as well: the Registered column has to change from Pending to a timestamp. If it still shows Pending, you will have to wait a few minutes longer.
Try rebooting and log in/out a few times to give this process a little push.
Once the device is registered, you’re done! You can now manage your device in both your on-prem AD and your Azure AD.
If you want to know how to auto-enroll devices through a GPO and then manage them in Intune, be sure to check out Part two.