Hybrid Azure AD join – Part one: What is it and how to set it up
To this day a hybrid environment (connecting your on-premises AD with Azure AD) is considered the gold standard by many and is widely used by a lot companies and organizations.
There’s a reason for it. You’re getting the best of both worlds: high scalability and flexibility without making your security suffer, great device management both on-prem and in the cloud, Line of Business application support, and more…
If you’re one of the people who has wisely chosen to use this infrastructure model, then you will definitely benifit from something called Hybrid Azure AD Join.
Now… I know, the word is quite a mouthful, but once you get to know this useful tool you will see how much it can help with managing devices in a hybrid environment.
What is Hybrid Azure AD join
When you ‘Hybrid join’ a device, it means that it is visible in both your on-premises AD and in Azure AD. Now you can manage them in both as well. This way, you are able to use tools such as Single Sign-On and Conditional Access while still being able to apply GPO’s and other on-prem utilities.
Furthermore, by enrolling them in Intune, you will be able to manage the devices even more and give them some extra cloud capabilities.
Setting up Hybrid Azure AD join
Let’s start looking into how we will set up Hybrid Azure AD join. First we’ll look into the requirements for this particular demo and then we’ll look at how to get it to work. In Part two we will cover how to automatically enroll devices in Intune and how to then test them.
Our test-environment will consist of:
- A Windows Server 2016
- Set up as a Domain Controller
- Synced with an Azure AD (with AD Connect)
- Have proper UPN suffix defined with a matching custom domain in Azure
- A Windows 10 device
- Domain joined (NOT to Azure AD, only to on-prem)
You also want to make sure you have access to both an on-prem Administrator and an Azure AD Global Administrator.
If you want to further test your Hybrid Azure AD joined device of its capabilities after setup, an Intune license is needed.
Configure Azure AD Connect
First step is to open up your Azure AD Connect:
After that you will see a whole list of options you can configure, the one we’re looking for is: Configure device options.
After that, click Next on the Overview page.
You will now be prompted to enter your Azure AD Global Administrator credentials, fill those in.
Now, you guessed it, select Configure Hybrid Azure AD join.
After that, select the forests you want to configure in the SCP configuration screen:
Choose Azure Active Directory as Authentication Service. Click Add to add your on-prem administrator (you will be prompted to log in as an Enterprise Admin).
After that, you will be able to choose which Windows versions you want to configure. You can chose one of them, or both (in this case we will look into only W10 devices, go to this link to see how to handle downlevel devices).
Finally click Configure and, after a little wait, you’ll be greeted with this beautiful sight:
Checking our configuration
Now we have to make sure that our configuration of Hybrid Azure AD join was succesful. Since Windows 10 devices are hybrid joined automatically, the most valuable tool we have is our patience. Speaking from experience, this could take quite some time (at least 5 minutes or more). Reboot your device and go ahead and get yourself a nice cup of coffee, you earned it!
Seriously though, there are multiple ways we can check if our device is hybrid joined.
First up: cmd.
Open the command prompt and enter: dsregcmd /status
If it says AzureAdJoined : YES, then you’re halfway there! If it still says NO after rebooting and waiting 10 more minutes, try following this troubleshooting guide.
Key here is to check Event Viewer logs for errors and figure out what went wrong (Hybrid Join logs are located under Applications and Services Log > Microsoft > Windows > User Device Registration).
For example, error 0x801c03f2 means that the devices you are trying to Hybrid Join aren’t in scope of your AD Sync. So go ahead and change the Domain/OU filtering in Azure AD connect and include them.
Now to check in the Azure AD device list.
Go to your Synced Azure AD and click Devices. There you should be able to see your device as Hybrid Azure AD joined BUT they have to be registered as well! If they aren’t registered, you will still have to wait a few minutes longer.
Try rebooting and log in/out a few times to give this process a little push.
Once the device is registered, you’re done! You can now manage your device in both your on-prem AD and your Azure AD.
If you want to know how to auto-enroll devices through a GPO and then manage them in Intune, be sure to check out Part two.
I joined Orbid after finishing my bachelors degree of New Media and Communication Technology at Howest Kortrijk. As a System Engineer I focus on Microsoft 365 technologies (Azure AD, EMS, Intune, AIP, MCAS…), this way I am able to fully develop my skills and interests in Cloud & Security.
Hi, we have an local AD and Azure AD. Both AD’s are synced with Azure AD connect tool. Now I want to implement Hybrid join but I’m wondering if I need to join new devices to the local AD or Azure AD?
You should first join all your devices to your local AD. Then once you have implemented Hybrid join, your devices will automatically join Azure AD and will be labelled as ‘Hybrid joined’ devices.
After Hybrid join is active and implemented, you just do the same thing by adding new devices to the local AD. They will then automatically become Hybrid joined devices.
What might be wrong if devices won’t join Azure AD if you don’t rejoin to local AD?
You can either ONLY Azure AD join your device, or you can Hybrid join them. If your device is currently Azure AD joined, you can’t convert it to Hybrid joined (not in any way that I have found). You will have to un-join it from Azure AD, join it only to your local AD and then it will automatically become Hybrid joined.
There is also “device write back” but it’s useless for most purposes because puts the Device ID instead of the hostname in the local AD and the object type is “msDS-Device” rather than “computer”.
This means the “device write back” object can’t be used for RADIUS wifi authentication with NDES. You still have to go through the trouble of manually creating the computer object and linking the NDES cert to it.
first thank you for your guide.
Now a have a complicate question.
If i activate the hyprid join over AAD Connect, the user must after their devices are full hybrid login with local domain credential (without the domain suffix (@*.com)(will they work?) or the only way is to login with the full login with domain (username@*.com)
You can either log in with the User Principal Name (email@example.com) or with the SAM account name.
Hi sam, what if the domain in AD and AAD is different? which one would I sign in Windows 10 with？
after the hybrid join, I want the user logon process authentice against Azure AD like a Azure joined PC (without hybrid). Unfortunately, during the user logon the pc only tries to reach the On Premise AD . If it cannot, the entire user logon fails. Do you know how to configure that? All users + passwords are already synchronized with Azure.
Thanks for help.
Sounds to me like you have implemented Pass-through Authentication. With PTA, all authentications happen directly against the on-premises Active Directory.
If you want authentication to happen against Azure AD as well, you need to have Password Hash Synchronization set up with AD Connect.
Check out these links:
Hope this helps!
Thanks for your answer but Password Hash Synchronization is already activated. Do you have any other ideas?
I would first make sure the Azure AD Connect is up to date, and then do some troubleshooting with the connector and password sync:
If none of this helps, then maybe try contacting Microsoft Support.
i have the same problem, have you been able to solve it?
I noticed that your SCP screenshot shows a .local domain, while the Microsoft docs say non-routable domains are not supported. Have you experienced any issues related to the non-routable extension?
In this test-environment I did use a non-routable domain, but I have not experienced any issues during the sync. What happened was that all synced accounts were given a ‘onmicrosoft’ account instead.
This is what I found in MS Docs:
‘When you synchronize your on-premises directory with Office 365 you have to have a verified domain in Azure Active Directory. Only the User Principal Names (UPN) that are associated with the on-premises domain are synchronized. However, any UPN that contains an non-routable domain, for example .local (like firstname.lastname@example.org), will be synchronized to an .onmicrosoft.com domain (like email@example.com).’
I am trying to understand a couple things here. Let’s say I set up the Hybrid AAD Join and select and only select Windows 10 or later devices on the Windows Version selection. What happens to the servers/workstations that are not part of that? Do they just not become Azure AD Joined? And if so, does this create any kind of issue with the trust or communication?
Only selecting W10 devices will indeed cause the other devices to stay purely in your on-prem environment. They will not be joined in Azure AD so no management will be possible from the online portals. I have not experienced any issues with those other devices, since Hybrid AD devices are also still on-prem AD devices they don’t have any issues communicating with each other and with the on-premises environment. What I have not tested, but might see as an issue… is when Azure AD created users will try to log on to these devices (since these users are cloud only). Apart from that I don’t know of any other issues (correct me if I’m mistaken).
Need some clarity on hybrid.
Would this allow laptops that are domain joined via on premises to be used away from the network. As in the employee’s home.
As of Covid19 taking affect on how we all work I need to get this implemented quick.
This would allow your domain joined devices to be managed in Azure AD. Without Intune or other Microsoft cloud features, there’s not a lot of management that you can do on these devices. Hybrid join is not a replacement for a VPN to your on-premises environment ofcourse, it just syncs your domain joined devices to the cloud… just as Azure AD Connect syncs your users. Though it is required if you want to properly manage your domain joined devices in Azure AD (and the other Microsoft cloud platforms).
Would it make sense to roll out Hybrid Azure AD to AD devices just for conditional access? We currently don’t use Intune for managing our Windows 10 devices as we use other tools for this (however we do use Office 365 MDM for mobile devices).
I’m assuming that not having an Intune license won’t affect the initial sync to Azure AD, only the device enrollment?
Yes that could make sense as you can use ‘Hybrid joined device’ as a condition in Conditional Access, so it can be useful. Just make sure you have the correct license to use Conditional Access (Azure AD Premium P1).
Hi. So in Term of licenses all I Need is AAD P1 to use this in CA policies?
Intune or EMS E3 not required?
Yes, the only license you need is AAD P1 for every user who you want to include in your conditional access policies.
Intune or EMS E3 is only required when you want to manage and secure your devices via MS365
Does running the hybrid AD setup allow all devices in your on-prem domain to register with AAD or just the ones the OU that is currently sync’d with AAD connect?
for example currently my “company.local > company” OU is currently sync’d for office 365 stuff and my servers live in “company.local > servers”
will the servers attempt to register with azure regardless of where the in the on-prem domain they reside?
This depends on how your ADSync is set up. If you have set up OU filtering, then only objects (users, devices or servers) that are located in the selected OU will be synced with Azure AD. So if in your case only the ‘company’ OU is selected by your Azure AD connect to be synced, then computers or servers located anywhere else will not be hybrid joined. More info here.
i have my on-premises domain is insta.local and my azure ad is verified domain insta.com…..how to deploy azure hybrid ad join?
In your document there is no options for enabling Password through authentication or password sync authentication and adding UPN suffixes??
I have to perform these steps individually or the hybrid ad join is enough for the above steps for my custom domain?
If you have added the insta.com to your local domain as a suffix, and this is set up as the UPN of the end users, then it should not be a problem to add and connect these in the setup of Hybrid Azure AD Join.
More info here:
I have implemented a hybrid setup as described above.
I have a new machine that I would eventually like to add to both local and azure ad but has no access to on site at the moment.
If I add to azure, will it sync back to local AD or is it only one way?
Hybrid Join always works one way. First add it to the local AD and then automatically it will join Azure AD. If you first join it to Azure AD, you won’t be able to convert it to a Hybrid device without unjoining it first and adding it to your local AD. Or I have at least not found any way to do this anywhere.
Have you seen anything on removing a workstation from the on-prem domain and leaving the workstation AzureAD joined without recreating the local profile? Everything I have seen requires un-joining from AD and joining to AzureAD but that requires recreating the local profile.
Sadly there’s no easy way to do this. The local AD profile has a different SID, you are forced to make a new one. There are some tools that can do this, but they are either not that great or paid services (Profile Wiz, PCMover…). But in almost all cases I go through the new profile setup and manual migration with the user.
A quick question please,
Do the existing domain joined computers
Need to be in the office/vpn when I enable
Hybrid AD join?
We’re trying to use conditional access based on device being domain joined but most users are alreay out of office because of th situation and many of them have VPN…
I am actually not sure, I would think that if the devices are already AD registered in Azure AD, that they would not need connection with the local AD. But I have no experience with this so I do not know.
In case you find out, would you mind sharing the result? 🙂
I saw an earlier question regarding Azure AD Hybrid joined laptops, but I didn’t see where authentication was addressed.
If I have a Windows 10 computer joined to Hybrid Azure AD and a particular student has never signed into this particular laptop; if that laptop is shipped to their home, would they be able to login to the device since cached credentials don’t exist on that device? I’d assume that it would try to authenticate against Azure AD since it can’t see the local domain controller, but I just want to be sure.
Great question Jermaine-
Hi Sam, likewise, I have crews working in the field who share a laptop. New crew members frequently come on board and might have never logged into the computer they are trying to access. If I have an AAD hybrid configuration can new crew members login to the field computer if they’ve never logged in previously?
This would all depend on how your AD Connect is set up, and which kind of authentication you are using. If you have set up Password hash and SSO, then only internet connection is required and users can log in with their Azure AD account to access their device. Other scenarios and more info can be found here:
Very good article. I have configured Hybrid AD Join for my on premise devices and that working fine. However, we have a number of domain joined devices that are now working remotely, we have no plans to return to the office. The users are connecting to the LAN via OpenVPN. Would you expect the procedure to work for a domain joined device connecting to the LAN via VPN? I know “I assume that line of site with the DC” might be reuired?
This would all depend on how your AD Connect is set up, and which kind of authentication you are using. If you have set up Password hash and SSO, then only internet connection is required and users can log in with their Azure AD account to access their device. Line of sight with the local domain is only required then for the receiving of GPO’s etc.
More info on authentication here:
Hi Sam, above you mention that Windows 10 devices are Hybrid Azure AD joined Automatically (after Ad Connect has been configured).
My understanding was that I needed to create additional GPOs and link them to the relevant OU(s) before the devices will attempt a Hybrid Azure AD Join? Is this no longer the case?
I’m reluctant to switch this on until I can clarify this.
If you purely want to just Hybrid join your devices and have them join both the local AD and the Azure AD, then all you need to do is switch this on and make sure your devices are not excluded in the sync of your AD Connect. No GPO’s are required unless you want to start enrolling them in Intune (see part 2).
How long does it take for new hybrid joined devices to show up als ‘hybrid joined’ in Azure AD? Some of my devices in the OU is selected are visible as hybrid joined but are still pending.
And do you know how long it takes to resync from Azure AD to Intune?
My goal is to have all my Hybrid joined devices in Intune so I can manage the devices remotely.
They might take a while yeah, there’s been many times where my devices wouldn’t show up as Hybrid joined and that I spent a lot of time looking up what could be wrong, just for the device to just Hybrid join by itself after a while.
But if some devices are not joining at all compared to others, I would check the logs and research some of the error codes.
Also Microsoft’s troubleshooting guide might help a bit: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
We followed the steps above, but our device still states as
Our goal is to have our device Hybrid Azure AD Joined so we could configure the conditional access for our managed and unmanaged devices.
Try the Microsoft troubleshooting guide that I mentioned in the article, make sure the devices are also included in the sync from your AD Connect.
What append with my Hybrid Azure AD joined computer in Intune if I need to reinstall it with the same computername? I noticed that the computer is still alive in Intune after removing it from my AD and an AD Connect sync.
It is better then to do a reset in the Intune portal instead of a reinstall on the device itself. You can do a remote wipe and keep the device enrolled for example. See here for more info:
Can we replicate the group policy settings of on premises AD to Azure AD.
Do we have to have a seperate group policy settings for Azure AD and On premises AD
When you Hybrid join a device, you don’t need to replicate your GPO’s because they will still apply even though your device is now also in Azure AD and not only local AD. That’s the best part of Hybrid join, you keep all your existing setting from local AD, but you can now also start applying policies/settings in Azure AD together with your GPO’s etc.
If you want to replace your current GPO’s with something in Azure AD, you will have to look into Microsoft Intune, see part 2 of my blog and check out what Microsoft Intune has to offer:
(also with MMAT you can scan your current group policies and see if they can be migrated to Intune)
Thanks for the excellent write-up.
I have created a Hybrid Join Autopilot profile, install the Intune Connector, create the Autopilot OU in AD, and delegated the permissions.
When I run the autopilot profile, the device gets created in the OU with no problems, but in Azure AD it shows up as Azure AD Joined, and not Hybrid Joined.
Do I still need to enable Hybrid join via Azure AD Connect if I’m doing Hybrid join through Autopilot?
Yes, if I remember correctly you first have to fully set up Hybrid Azure AD join before you can start using Autopilot Hybrid.
I think it says it under prerequisites here:
‘Successfully configure your hybrid Azure AD-joined devices.’
I am planning to run the hybrid Azure Wizard to manage my domain devices with intune. Afte I run the Wizard and the devices are with status “Hybrid Azure AD joined” do I need to register the device manually to connect it to MDM or are there automatically in MDM after they are “Hybrid Azure AD Joined” ?
Check out my second blog about how to automatically add Hybrid Azure AD joined devices to Intune:
Great information. Thanks so much.
Great article. thanks for this. I’ve one query that I think you may be able to help. All my user laptops (domain joined) are outside of the corporate network now (WFH) due to COVID. The plan was to enable Hybrid AD Join, make users enrol to Intune so they can get few apps on to their laptop. My question is, for hybrid AD join to work, do the laptops need to be on corporate network? Or just by syncing their OU in AAD Connect do they become hybrid AD joined automatically? All the laptops in scope are already domain joined. Can you please help?
I’m not 100% sure, but I think that if your only goal is to Hybrid join them… then your devices don’t need connection with the local AD.
Since the only task that needs to happen is for the devices to be joined to Azure AD as well, there should not be an issue (but don’t quote me on this, this is just my speculation).
If not, you will have to look into setting up a VPN connection to connect your devices with the local network.
I’ve just configured my infrastructure activating the aadconnect and the rest for enabling hybrid join.
I’m looking that also some servers with terminal server service installed (for are hybrid joined now, even if they are not synced by aad connect.
My doubt:could it be possible that an already “registered” device in aad is enough and can switch to hybrid join without sync it through aad connect?
What’s your idea on it?
Lets say i had configured the Hybrid Azure Ad joined in AAD connect will it start coverting all the machine automatically to Hybrid join, if i want to do for only one machine how to achive that.
First, I can’t speak English well, so grammar may be wrong, so please understand it.
I’m curious. how to hybrid join a device originally joined to AD
Thanks for this article. I have hybrid Azure AD setup with ADFS (no password hash) for W10 devices. My question is around maintaining that hybrid Azure AD status. Once the W10 device is hybrid Azure AD joined, can it lose that status? If ADFS were to go offline for a period, could it lose that hybrid status?
What will happen to all the Hybrid joined devices when you deinstall AD Connect? I wan’t to fase out the DC on premise.
Hi Sam, Great article. I was wondering what I should expect the end users will experience once I turn on Hybrid Azure AD join. I am working on configuring the environment for Autopilot and Hybrid join for new users, but before that I must understand how it will affect the existing AD joined users. Any help in understanding that would be appreciated.
I have devices that are showing as Hybrid AD joined. The MDM column shows Intune and the compliant column has a green checkmark. But, the registered column shows pending. I’m sure it is because these devices were at one point AD registered. Is there any harm in leaving them “pending”. What do I gain by fixing this since it appears that everything is working?
Hi Sam, hi everyone,
in Microsoft Docs they say:
‘Hybrid Azure AD join is not supported for Windows Server running the Domain Controller (DC) role’ (https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan).
What does this mean (if this article is still valid)?
We only have DC including local AD service.
Will we need to split these services up (one server for DC and one for AD)?
And (just to clarify my understanding):
– Login for users will always be possible with local AD credentials?
– All GPOs will remain effective and Intune policies will be added on top of local GPOs?
Thank you very much.
Stay safe and healthy!
Good info about Hybrid Join,
Its relevant I think for me as we have Intune (MDM) on our tenant. Plus we have SCCM on-prem for WIn 10 devices.
My question is can we use Hybrid AD Azure join to get a pilot of Win 10 devices in Azure (we have users and phones up their already)in MDM. We want to join SCCM to Intune to get modern features available to test from intune?
Many Thanks Ian
Good information. I saw a lot of questions around the user authentication on Hybrid AD Joined machines. As I understand, it It must be able to communicate with the domain controller to authenticate the user. This mainly required for activities include user sign-in (validating the user’s credentials) and Group Policy application, but this information is not very clear.
Here are some articles that support this information:
Device is showing in Azure AD > Device as Hybrid Azure AD joined, and registered. However the MDM shows None instead Intune.
Any steps are missing why it is “None” status? Thanks!
I can’t understand what happens if I enable hybrid domain join on AAD just for test.
Do all my Computers will be shown on Azure AD?
What happens if I don’t use Azure features? Can I ignore the computers that then appear on Azure AD?
Then, is it required a specific license, or is it included in the basic Azure AD plan?
I have implemented Hybrid Azure Join. We have an On-premises DC (xxxx.local) and Azure AD with verified domain (xxxx.ca).
All the users & devices in the OU synced with Azure using Password Hash Sync.
What would happen, if our on-premises DC goes belly up?
Will we still be able to use all the devices connected to domain or all the logins fail?
Thank you for the great document. We have done this setup for Windows 2016 standard, but can’t seem to get the same with Windows Server 2016 Essential. Do you know of way to making this working in Windows 2016 Essentials?
After I ran the workplace join script and MDM enrolment, my devices in Azure shows Hybrid Azure AD Joined with registration date. But still MDM & Complaince is NA. We are planning to implement Hybrid Domain to have a co-managed environment by SCCM. Dont know what steps we are missing here. Is that mandatory to have connect to VPN first before login to domain credentials?
Join Type : Hybrid Azure AD Joined
Owner : N/A
MDM : None
Complaint : N/A
Registered : xx/xx/xxxx, xx:xx:xx XX
Activity : xx/xx/xxxx, xx:xx:xx XX
Please assist me with below queries.
I have full Hybrid set-up. We are using Azure
Intune services to manage device policies.
Now If I want to full out a report where users whose device is not enrolled in Intune policy but still there are able to access outlook application.
Is there any script available to achieve this.
Thank you in advance.
Great content! I’ll use it to implement on my environment, i hope to have no issues.
Thanks for taking time to create this post!
I hope someone can help me out.
We have onboarded different countries (On-Prem AD) to M365 via AAD Connect.
Azure Hybrid AD Join is enabled on AAD Connect and SSO is enabled, too.
MDM GPO has been put in place on all countries AD and linked to WIN-10 workstations.
Now, we do see the situation, that a lot of devices are only “Azure AD registered” and NOT “Hybrid Azure AD joined”. No duplicate entries for each device, meaning, no device is listed twice: “Azure AD registered” & “Hybrid Azure AD joined”.
As we want to test CA (Conditional Access) policies to allow “only” “Hybrid Azure AD joined” devices access to Cloud Apps, we want to make sure that all WIN-10 devices are synced as “Hybrid Azure AD joined”.
To avoid any issue, we don’t know how to proceed now.
Can we continue in removing “Azure AD registered” devices from AAD and ask to reboot device to have GPO actioned (even I’m wondering why GPO did not take effect before?!)?
Or do we have to ask countries to check specific WIN-10 clients to run: dsregcmd /debug /join to get a switch from “Azure AD registered” to “Hybrid Azure AD joined” join type in AAD?
Not sure what is the best effective way and I’m looking forward to get support from you all.
What is the differece between “Hybrid Azure AD join – Part one” and “Hybrid Azure AD join – Part two: automatic enrollment in Intune” ?
Wondering if you know of a way to make an Azure AD (only) tenant allow an On-Premise AD DC join and sync?
We have used an AAD tenant for cloud only AD for a while (completely remote, no offices).
But one of our critical applications needs an On-Premise AD DC to run some syncs.
Everything I’ve read states that it cannot be done once the AAD is established.
The Microsoft website says, “Hybrid Azure AD join isn’t supported for Windows Server running the Domain Controller (DC) role.” So if I try to run AD connected on the domain controller, it will not work? Should I use a different server?