Hybrid Azure AD join – Part one: What is it and how to set it up

To this day a hybrid environment (connecting your on-premises AD with Azure AD) is considered the gold standard by many and is widely used by a lot companies and organizations.

There’s a reason for it. You’re getting the best of both worlds: high scalability and flexibility without making your security suffer, great device management both on-prem and in the cloud, Line of Business application support, and more…

If you’re one of the people who has wisely chosen to use this infrastructure model, then you will definitely benifit from something called Hybrid Azure AD Join.

Now… I know, the word is quite a mouthful, but once you get to know this useful tool you will see how much it can help with managing devices in a hybrid environment.

What is Hybrid Azure AD join

When you ‘Hybrid join’ a device, it means that it is visible in both your on-premises AD and in Azure AD. Now you can Hybrid Azure AD joinmanage them in both as well. This way, you are able to use tools such as Single Sign-On and Conditional Access while still being able to apply GPO’s and other on-prem utilities.

Furthermore, by enrolling them in Intune, you will be able to manage the devices even more and give them some extra cloud capabilities.

Setting up Hybrid Azure AD join

Let’s start looking into how we will set up Hybrid Azure AD join. First we’ll look into the requirements for this particular demo and then we’ll look at how to get it to work. In Part two we will cover how to automatically enroll devices in Intune and how to then test them.

Requirements

Our test-environment will consist of:

  • A Windows Server 2016
    • Set up as a Domain Controller
    • Synced with an Azure AD (with AD Connect)
    • Have proper UPN suffix defined with a matching custom domain in Azure
  • A Windows 10 device
    • Domain joined (NOT to Azure AD, only to on-prem)

You also want to make sure you have access to both an on-prem Administrator and an Azure AD Global Administrator.

If you want to further test your Hybrid Azure AD joined device of its capabilities after setup, an Intune license is needed.

Configure Azure AD Connect

First step is to open up your Azure AD Connect:Hybrid Azure AD join configure

After that you will see a whole list of options you can configure, the one we’re looking for is: Configure device options.

After that, click Next on the Overview page.

You will now be prompted to enter your Azure AD Global Administrator credentials, fill those in.

Now, you guessed it, select Configure Hybrid Azure AD join.

Hybrid Azure AD join device options configure

After that, select the forests you want to configure in the SCP configuration screen:
Choose Azure Active Directory as Authentication Service. Click Add to add your on-prem administrator (you will be prompted to log in as an Enterprise Admin).

Hybrid Azure AD join SCP configAfter that, you will be able to choose which Windows versions you want to configure. You can chose one of them, or both (in this case we will look into only W10 devices, go to this link to see how to handle downlevel devices).

Finally click Configure and, after a little wait, you’ll be greeted with this beautiful sight:

Hybrid Azure AD join config complete

Checking our configuration

Now we have to make sure that our configuration of Hybrid Azure AD join was succesful. Since Windows 10 devices are hybrid joined automatically, the most valuable tool we have is our patience. Speaking from experience, this could take quite some time (at least 5 minutes or more). Reboot your device and go ahead and get yourself a nice cup of coffee, you earned it!

Seriously though, there are multiple ways we can check if our device is hybrid joined.
First up: cmd.

Open the command prompt and enter: dsregcmd /status

AzureAdJoined cmd

If it says AzureAdJoined : YES, then you’re halfway there! If it still says NO after rebooting and waiting 10 more minutes, try following this troubleshooting guide.

Now to check in the Azure AD device list.
Go to your Synced Azure AD and click Devices. There you should be able to see your device as Hybrid Azure AD joined BUT they have to be registered as well! If they aren’t registered, you will still have to wait a few minutes longer.

Try rebooting and log in/out a few times to give this process a little push.

Hybrid Azure AD joined registered

Once the device is registered, you’re done! You can now manage your device in both your on-prem AD and your Azure AD.

If you want to know how to auto-enroll devices through a GPO and then manage them in Intune, be sure to check out Part two.

Print Friendly, PDF & Email

10 comments on “Hybrid Azure AD join – Part one: What is it and how to set it up”

  1. Wilm Thys says:

    Hi, we have an local AD and Azure AD. Both AD’s are synced with Azure AD connect tool. Now I want to implement Hybrid join but I’m wondering if I need to join new devices to the local AD or Azure AD?

    Regards,
    Wilm

    1. Sam Teerlinck says:

      Hey Wilm,

      You should first join all your devices to your local AD. Then once you have implemented Hybrid join, your devices will automatically join Azure AD and will be labelled as ‘Hybrid joined’ devices.

      After Hybrid join is active and implemented, you just do the same thing by adding new devices to the local AD. They will then automatically become Hybrid joined devices.

  2. Markus says:

    Hi Sam,
    first thank you for your guide.

    Now a have a complicate question.
    If i activate the hyprid join over AAD Connect, the user must after their devices are full hybrid login with local domain credential (without the domain suffix (@*.com)(will they work?) or the only way is to login with the full login with domain (username@*.com)

    1. Sam Teerlinck says:

      Hi Markus,

      You can either log in with the User Principal Name (username@domain.com) or with the SAM account name.

      https://www.petenetlive.com/wp-content/uploads/2016/09/001-UPN-and-sAMAccountName.png

  3. Christoph says:

    Hello Sam,
    after the hybrid join, I want the user logon process authentice against Azure AD like a Azure joined PC (without hybrid). Unfortunately, during the user logon the pc only tries to reach the On Premise AD . If it cannot, the entire user logon fails. Do you know how to configure that? All users + passwords are already synchronized with Azure.

    Thanks for help.

    1. Sam Teerlinck says:

      Hi Christoph,

      Sounds to me like you have implemented Pass-through Authentication. With PTA, all authentications happen directly against the on-premises Active Directory.
      If you want authentication to happen against Azure AD as well, you need to have Password Hash Synchronization set up with AD Connect.

      Check out these links:
      https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn#cloud-authentication
      https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enable-password-hash-synchronization

      Hope this helps!

      1. Christoph says:

        Thanks for your answer but Password Hash Synchronization is already activated. Do you have any other ideas?

        1. Sam Teerlinck says:

          I would first make sure the Azure AD Connect is up to date, and then do some troubleshooting with the connector and password sync:
          https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-objectsync
          https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization

          If none of this helps, then maybe try contacting Microsoft Support.

Leave a Reply

Your email address will not be published. Required fields are marked *