Hybrid Azure AD join – Part one: What is it and how to set it up

To this day a hybrid environment (connecting your on-premises AD with Azure AD) is considered the gold standard by many and is widely used by a lot of companies and organizations.

There’s a reason for it. You’re getting the best of both worlds: high scalability and flexibility without making your security suffer, great device management both on-prem and in the cloud, Line of Business application support, and more…

If you’re one of the people who has wisely chosen to use this infrastructure model, then you will definitely benefit from something called Hybrid Azure AD Join.

Now… I know, the word is quite a mouthful, but once you get to know this useful tool you will see how much it can help with managing devices in a hybrid environment.

What is Hybrid Azure AD join

When you ‘Hybrid join’ a device, it means that it is visible in both your on-premises AD and in Azure AD, and you can manage it in both as well. This way, you are able to use tools such as Single Sign-On and Conditional Access while still being able to apply GPOs and other on-prem utilities.

Furthermore, by enrolling them in Intune, you will be able to manage the devices even more and give them some extra cloud capabilities.

Setting up Hybrid Azure AD join

Let’s start looking into how we will set up Hybrid Azure AD join. First we’ll look into the requirements for this particular demo and then we’ll look at how to get it to work. In Part two we will cover how to automatically enroll devices in Intune and how to then test them.

Requirements

Our test-environment will consist of:

  • A Windows Server 2016
    • Set up as a Domain Controller
    • Synced with an Azure AD (with AD Connect)
    • Have proper UPN suffix defined with a matching custom domain in Azure
  • A Windows 10 device
    • Domain joined (NOT to Azure AD, only to on-prem)

You also want to make sure you have access to both an on-prem Administrator and an Azure AD Global Administrator.

If you want to further test the capabilities of your Hybrid Azure AD joined device after setup, an Intune license is needed.

Configure Azure AD Connect

The first step is to open up your Azure AD Connect.

After that you will see a whole list of options you can configure, the one we’re looking for is: Configure device options.

After that, click Next on the Overview page.

You will now be prompted to enter your Azure AD Global Administrator credentials, fill those in.

Now, you guessed it, select Configure Hybrid Azure AD join.


After that, select the forests you want to configure in the SCP configuration screen:
Choose Azure Active Directory as Authentication Service. Click Add to add your on-prem administrator (you will be prompted to log in as an Enterprise Admin).

After that, you will be able to choose which Windows versions you want to configure. You can choose one of them, or both (in this case we will only look into Windows 10 devices; go to this link to see how to handle downlevel devices).

Finally click Configure and, after a little wait, you’ll be greeted with this beautiful sight:

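Before waiting on the clients, you can confirm that the wizard actually wrote the Service Connection Point (SCP) into the forest’s Configuration partition. This is an added check, not part of the original post; it assumes the ActiveDirectory RSAT module is available and that you can read the Configuration naming context.

```powershell
# Added example (not from the original post): verify the Hybrid Azure AD join SCP
# that Azure AD Connect creates under the Configuration naming context.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    param([string]$Server)   # optional DC to query; defaults to the current domain
    $rootDse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $configNC = $rootDse.configurationNamingContext
    # The SCP object name (this GUID) is the fixed name Microsoft uses for device registration.
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        Write-Warning "SCP not found at $scpDn. Re-run 'Configure device options' in Azure AD Connect."
        return $null
    }
    # keywords holds two entries: azureADName:<verified domain> and azureADId:<tenant id>.
    # Clients read these to discover which tenant to register with.
    $values = @{}
    foreach ($kw in $scp.keywords) {
        $name, $value = $kw -split ':', 2
        $values[$name] = $value
    }
    [pscustomobject]@{
        DistinguishedName = $scpDn
        AzureADName       = $values['azureADName']
        AzureADId         = $values['azureADId']
    }
}

$scp = Get-HybridJoinScp
if ($scp) {
    $scp | Format-List
    if (-not $scp.AzureADName -or -not $scp.AzureADId) {
        Write-Warning 'SCP exists but its keywords are incomplete; devices will not find the tenant.'
    }
}
```

The AzureADName shown here must be a domain that is verified in your Azure AD tenant, and AzureADId must be your tenant ID; anything else means the wizard was pointed at the wrong tenant.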

Checking our configuration

Now we have to make sure that our configuration of Hybrid Azure AD join was successful. Since Windows 10 devices are hybrid joined automatically, the most valuable tool we have is our patience. Speaking from experience, this could take quite some time (at least 5 minutes or more). Reboot your device and go ahead and get yourself a nice cup of coffee, you earned it!

Seriously though, there are multiple ways we can check if our device is hybrid joined.
First up: cmd.

Open the command prompt and enter: dsregcmd /status


If it says AzureAdJoined : YES, then you’re halfway there! If it still says NO after rebooting and waiting 10 more minutes, try following this troubleshooting guide.

The key here is to check the Event Viewer logs for errors and figure out what went wrong (Hybrid Join logs are located under Applications and Services Logs > Microsoft > Windows > User Device Registration).
For example, error 0x801c03f2 means that the devices you are trying to Hybrid Join aren’t in scope of your AD Sync. So go ahead and change the Domain/OU filtering in Azure AD Connect and include them.
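The dsregcmd and Event Viewer checks above can be scripted so that the same status and error review runs on every device. This is an added example, not code from the original post; it runs on the Windows 10 client in an elevated PowerShell session and relies only on dsregcmd.exe and the User Device Registration Admin log.

```powershell
# Added example (not from the original post): client-side Hybrid Azure AD join check.
# Parses the fields dsregcmd /status prints, then lists recent errors from the
# User Device Registration log and flags the 0x801c03f2 case described in the post.
function Get-DsregStatus {
    $fields = @{}
    # dsregcmd prints "Name : Value" lines; keep only the ones relevant to hybrid join.
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName|AzureAdPrt)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$fields
}

function Get-DeviceRegistrationErrors {
    param([int]$Hours = 24, [int]$MaxEvents = 20)
    # Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin
    $filter = @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'
                 Level = 2                                   # 2 = Error
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

$status = Get-DsregStatus
$status | Format-List

if ($status.DomainJoined -ne 'YES') {
    Write-Warning 'Device is not domain joined; hybrid join requires an on-prem domain join first.'
} elseif ($status.AzureAdJoined -eq 'YES') {
    Write-Host "Hybrid joined to tenant '$($status.TenantName)' as device $($status.DeviceId)."
    if ($status.AzureAdPrt -ne 'YES') {
        # Registration is done but the user has no Primary Refresh Token yet: sign out and back in.
        Write-Host 'No Primary Refresh Token yet; sign out and in again so SSO and Conditional Access work.'
    }
} else {
    Write-Warning 'AzureAdJoined is NO. Recent registration errors:'
    foreach ($e in Get-DeviceRegistrationErrors) {
        $hint = ''
        if ($e.Message -match '0x801c03f2') {
            $hint = ' <- device object not found in Azure AD: check AD Connect Domain/OU filtering'
        }
        '{0:u}  Event {1}: {2}{3}' -f $e.TimeCreated, $e.Id, $e.Message, $hint
    }
}
```

An empty error list together with AzureAdJoined : NO usually just means the scheduled registration task has not run yet; reboot, wait, and run the script again.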

Now to check in the Azure AD device list.
Go to your Synced Azure AD and click Devices. There you should be able to see your device as Hybrid Azure AD joined BUT they have to be registered as well! If they aren’t registered, you will still have to wait a few minutes longer.

Try rebooting and log in/out a few times to give this process a little push.


Once the device is registered, you’re done! You can now manage your device in both your on-prem AD and your Azure AD.

If you want to know how to auto-enroll devices through a GPO and then manage them in Intune, be sure to check out Part two.


31 comments on “Hybrid Azure AD join – Part one: What is it and how to set it up”

  1. Wilm Thys says:

Hi, we have a local AD and Azure AD. Both AD’s are synced with the Azure AD Connect tool. Now I want to implement Hybrid join but I’m wondering if I need to join new devices to the local AD or Azure AD?

    Regards,
    Wilm

    1. Sam Teerlinck says:

      Hey Wilm,

      You should first join all your devices to your local AD. Then once you have implemented Hybrid join, your devices will automatically join Azure AD and will be labelled as ‘Hybrid joined’ devices.

      After Hybrid join is active and implemented, you just do the same thing by adding new devices to the local AD. They will then automatically become Hybrid joined devices.

  2. Markus says:

    Hi Sam,
    first thank you for your guide.

Now I have a complicated question.
If I activate the hybrid join over AAD Connect, must the users, after their devices are fully hybrid, log in with local domain credentials (without the domain suffix (@*.com)) (will they work?) or is the only way to log in with the full login with domain (username@*.com)?

    1. Sam Teerlinck says:

      Hi Markus,

      You can either log in with the User Principal Name (username@domain.com) or with the SAM account name.

      https://www.petenetlive.com/wp-content/uploads/2016/09/001-UPN-and-sAMAccountName.png

  3. Christoph says:

    Hello Sam,
after the hybrid join, I want the user logon process to authenticate against Azure AD like an Azure joined PC (without hybrid). Unfortunately, during the user logon the PC only tries to reach the on-premises AD. If it cannot, the entire user logon fails. Do you know how to configure that? All users + passwords are already synchronized with Azure.

    Thanks for help.

    1. Sam Teerlinck says:

      Hi Christoph,

      Sounds to me like you have implemented Pass-through Authentication. With PTA, all authentications happen directly against the on-premises Active Directory.
      If you want authentication to happen against Azure AD as well, you need to have Password Hash Synchronization set up with AD Connect.

      Check out these links:
      https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn#cloud-authentication
      https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enable-password-hash-synchronization

      Hope this helps!

      1. Christoph says:

        Thanks for your answer but Password Hash Synchronization is already activated. Do you have any other ideas?

        1. Sam Teerlinck says:

          I would first make sure the Azure AD Connect is up to date, and then do some troubleshooting with the connector and password sync:
          https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-objectsync
          https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization

          If none of this helps, then maybe try contacting Microsoft Support.

  4. Jay says:

    I noticed that your SCP screenshot shows a .local domain, while the Microsoft docs say non-routable domains are not supported. Have you experienced any issues related to the non-routable extension?

    Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

    1. Sam Teerlinck says:

      Hi Jay,

      In this test-environment I did use a non-routable domain, but I have not experienced any issues during the sync. What happened was that all synced accounts were given a ‘onmicrosoft’ account instead.
      This is what I found in MS Docs:

      ‘When you synchronize your on-premises directory with Office 365 you have to have a verified domain in Azure Active Directory. Only the User Principal Names (UPN) that are associated with the on-premises domain are synchronized. However, any UPN that contains an non-routable domain, for example .local (like billa@contoso.local), will be synchronized to an .onmicrosoft.com domain (like billa@contoso.onmicrosoft.com).’

      https://docs.microsoft.com/en-us/office365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization

  5. Michael Mattox says:

    Hello,

    I am trying to understand a couple things here. Let’s say I set up the Hybrid AAD Join and select and only select Windows 10 or later devices on the Windows Version selection. What happens to the servers/workstations that are not part of that? Do they just not become Azure AD Joined? And if so, does this create any kind of issue with the trust or communication?

    1. Sam Teerlinck says:

      Hey Michael,

      Only selecting W10 devices will indeed cause the other devices to stay purely in your on-prem environment. They will not be joined in Azure AD so no management will be possible from the online portals. I have not experienced any issues with those other devices, since Hybrid AD devices are also still on-prem AD devices they don’t have any issues communicating with each other and with the on-premises environment. What I have not tested, but might see as an issue… is when Azure AD created users will try to log on to these devices (since these users are cloud only). Apart from that I don’t know of any other issues (correct me if I’m mistaken).

  6. Need some clarity on hybrid.

    Would this allow laptops that are domain joined via on premises to be used away from the network. As in the employee’s home.

    As of Covid19 taking affect on how we all work I need to get this implemented quick.

    1. Sam Teerlinck says:

      Hi Joseph,

This would allow your domain joined devices to be managed in Azure AD. Without Intune or other Microsoft cloud features, there’s not a lot of management that you can do on these devices. Hybrid join is not a replacement for a VPN to your on-premises environment of course, it just syncs your domain joined devices to the cloud… just as Azure AD Connect syncs your users. Though it is required if you want to properly manage your domain joined devices in Azure AD (and the other Microsoft cloud platforms).

  7. Tom Maguire says:

    Hi Sam,

    Would it make sense to roll out Hybrid Azure AD to AD devices just for conditional access? We currently don’t use Intune for managing our Windows 10 devices as we use other tools for this (however we do use Office 365 MDM for mobile devices).

    I’m assuming that not having an Intune license won’t affect the initial sync to Azure AD, only the device enrollment?

    1. Sam Teerlinck says:

      Hi Tom,

      Yes that could make sense as you can use ‘Hybrid joined device’ as a condition in Conditional Access, so it can be useful. Just make sure you have the correct license to use Conditional Access (Azure AD Premium P1).

  8. Dave says:

    Does running the hybrid AD setup allow all devices in your on-prem domain to register with AAD or just the ones the OU that is currently sync’d with AAD connect?

    for example currently my “company.local > company” OU is currently sync’d for office 365 stuff and my servers live in “company.local > servers”

will the servers attempt to register with Azure regardless of where in the on-prem domain they reside?

    1. Sam Teerlinck says:

      This depends on how your ADSync is set up. If you have set up OU filtering, then only objects (users, devices or servers) that are located in the selected OU will be synced with Azure AD. So if in your case only the ‘company’ OU is selected by your Azure AD connect to be synced, then computers or servers located anywhere else will not be hybrid joined. More info here.

  9. venkat says:

    Hello Sam,

I have my on-premises domain as insta.local and my Azure AD verified domain as insta.com… how do I deploy Azure hybrid AD join?

    In your document there is no options for enabling Password through authentication or password sync authentication and adding UPN suffixes??

    I have to perform these steps individually or the hybrid ad join is enough for the above steps for my custom domain?

  10. Billy says:

    I have implemented a hybrid setup as described above.
    I have a new machine that I would eventually like to add to both local and azure ad but has no access to on site at the moment.
    If I add to azure, will it sync back to local AD or is it only one way?
    Thanks.

  11. Travis says:

    Sam –
    Have you seen anything on removing a workstation from the on-prem domain and leaving the workstation AzureAD joined without recreating the local profile? Everything I have seen requires un-joining from AD and joining to AzureAD but that requires recreating the local profile.
    Thoughts?

  12. Farnaz says:

    Hi Sam

    A quick question please,
    Do the existing domain joined computers
    Need to be in the office/vpn when I enable
    Hybrid AD join?
We’re trying to use conditional access based on the device being domain joined but most users are already out of office because of the situation and many of them have VPN…

    Thanks

  13. Jermaine Johnson says:

    Hello Sam,

    I saw an earlier question regarding Azure AD Hybrid joined laptops, but I didn’t see where authentication was addressed.

    If I have a Windows 10 computer joined to Hybrid Azure AD and a particular student has never signed into this particular laptop; if that laptop is shipped to their home, would they be able to login to the device since cached credentials don’t exist on that device? I’d assume that it would try to authenticate against Azure AD since it can’t see the local domain controller, but I just want to be sure.

    1. Tim Casey says:

      Great question Jermaine-

      Hi Sam, likewise, I have crews working in the field who share a laptop. New crew members frequently come on board and might have never logged into the computer they are trying to access. If I have an AAD hybrid configuration can new crew members login to the field computer if they’ve never logged in previously?

  14. Paul Mitchell says:

    Hi Sam,
Very good article. I have configured Hybrid AD Join for my on premise devices and that is working fine. However, we have a number of domain joined devices that are now working remotely, and we have no plans to return to the office. The users are connecting to the LAN via OpenVPN. Would you expect the procedure to work for a domain joined device connecting to the LAN via VPN? I know “I assume that line of sight with the DC” might be required?

  15. Mike Lyon says:

    Hi Sam, above you mention that Windows 10 devices are Hybrid Azure AD joined Automatically (after Ad Connect has been configured).
    My understanding was that I needed to create additional GPOs and link them to the relevant OU(s) before the devices will attempt a Hybrid Azure AD Join? Is this no longer the case?
    I’m reluctant to switch this on until I can clarify this.

  16. Lennaert says:

    Hi Sam,

How long does it take for new hybrid joined devices to show up as ‘hybrid joined’ in Azure AD? Some of my devices in the OU that is selected are visible as hybrid joined but are still pending.

    And do you know how long it takes to resync from Azure AD to Intune?

    My goal is to have all my Hybrid joined devices in Intune so I can manage the devices remotely.

  17. John says:

Hi Sir,

    We followed the steps above, but our device still states as
    AzureADJoined: No
    EnterpriseJoined: No
    DomainJoined: Yes

    Our goal is to have our device Hybrid Azure AD Joined so we could configure the conditional access for our managed and unmanaged devices.

  18. Hi,

What happens with my Hybrid Azure AD joined computer in Intune if I need to reinstall it with the same computer name? I noticed that the computer is still alive in Intune after removing it from my AD and an AD Connect sync.

    Thanks
