Understanding Hybrid Azure AD Join for Windows 10 devices

In recent times I have started to become a bit of an “expert, well I will use that word loosely” for Windows 10. Hybrid Azure AD Join is becoming a very popular option for a lot of the clients that I am currently working with and pops up all the time in discussions about “Modern Management” of Windows 10. I have experienced a few highs and lows when implementing Hybrid Azure AD Join and want to share that knowledge I have gain over the past 6 months.

What is Hybrid Azure AD Join?

Hybrid Azure AD Join is where your Windows 10 device is connected to your local Active Directory Domain and synchronized using Azure Active Directory Connect (AADC) to Azure AD.

Why would you do this?

This enables you to manage your Windows 10 devices from Microsoft Intune and leverage the offers from the cloud. Most organizations today have the required Microsoft subscriptions to implement Microsoft Intune but are unaware of how to start their journey.

What do I need for Hybrid Azure AD Join in a Managed Domain?

  • Azure Active Directory Connect version 1.1.819 or greater
  • Devices must be able to connect to the following URLs
    • https://enterpriseregisteration.windows.net
    • https://login.microsoftonline.com
    • https://device.login.microsoftonline.com
    • https://autologon.microsoftazuread-sso.com
  • All Computer Objects from your on-premises Active Directory must be within the sync scope
  • Service Connection point (SCP) is created for device registration (Completed via running AADC)

Implementing Hybrid Join for your organization

We are now going to run through the steps required to gear up your environment for Hybrid Join, first of all we are going to create the SCP using AADC. When you launch AADC you see “Configure device options”, select this option and proceed

Configure device options

In this section you will receive the following Overview of what can be configured and in this case, we are looking at Hybrid Azure AD Join only.

Hybrid Azure AD Join enables devices in your Active Directory forest to register with Azure AD for access management. Computers in your organization will automatically discover Azure AD using a service connection point (SCP) object that is created in your Active Directory Forest.

Device writeback is a prerequisite for enabling on-premises conditional access using AD FS and Windows Hello for Business. Device writeback synchronizes all devices registered in Azure AD back to on-premises. The device are synchronized to a device container that is created in your Active Directory forest.

Important Note

Device writeback requires the Active Directory Schema version to be Windows 2012 R2 (level 69) or higher
Connect to Azure AD
Configure Hybrid Azure AD Join and proceed
Tick “Windows 10 or later domain-joined devices.” It is worth remembering that your Windows 10 devices need to be synchronized and Proceed
Tick your Forest
Select Azure Active Directory
Click Add
Enter your Enterprise Admin Credentials
Proceed
Configure and this completes this task

You can confirm that the SCP has been created by launching ADSI Edit and browse to the location displayed below.

Now we have configured Active Directory we need to create a new GPO that configures the Windows 10 device to AutoEnroll into Azure AD. First of all we need the correct GPO templates installed in your SYSVOL, these templates can be download by the below URL.

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#configure-the-auto-enrollment-for-a-group-of-devices

Once you have installed the required GPOs to your primary domain controller you’ll be able to “Enable automatic MBM enrollment using default Azure AD”

Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> MDM
Enable Policy and select Device Credential, User Credential is a legacy option but its recommended to use Device.

Once this policy enabled and linked to the OU where your computers are located, they will become Hybrid Azure AD Joined.

Gotchas !!!

This Microsoft link is your friend if you encounter any issues with Windows Enrollment Errors
https://docs.microsoft.com/en-us/intune/enrollment/troubleshoot-windows-enrollment-errors

You can also follow the official Microsoft documentation
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

Regards
The Author – Blogabout.Cloud

Leave a Reply

Your email address will not be published. Required fields are marked *