Welcome back to the second and last post to setup hybrid Azure ad join. Hopefully all went well with configuring Pass-Through Authentication. Below you will find a link back to part 1.
- Configure Pass-Through Authentication
- Setup Hybrid Azure AD Join
Setup Hybrid Azure AD Join
Consider the following prerequisites before moving forward.
- Domain controller should be Windows Server 2008 R2 for Windows 10 devices.
- A single forest should sync identies to one Azure tenant
- FIPS compliant TMP 2.0 is supported.
- A domain controller cannot be hybrid joined
- Windows current and downlevel devices are supported
- Builting computers from an image that is already Azure joined is not supported
- Device need access to the following URLs
Steps to configue hybrid Azure AD join
Because we ran AD Connect in part 1 to connect active directory to Azure AD, the initial options at first run will not be available. When AD Connect opens, click on Customize
Select “Configure device options” – This option is used to configure device registration for Hybrid Azure AD Join.
On the overview page, click Next
Connect to Azure AD by using a user with global administrator rights.
On the device options page, select “Configure Hybrid Azure AD join” then Next
- Windows 10
- Windows Server 2016
- Windows Server 2019
- Windows 8.1
- Windows 7
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2008 R2
Select the appropriate option on the device operating system page based on the devices that you have in your organization
On the SCP configuration page, do the following
- First check the box under Forest
- Under Authentication Service – click on the drop down and select Azure Active Directory. If a federation service have been configured, select that option.
- Click ADD to supply the enterprise admin account for the on-premises forest.
On the ready to configure page, click Configure
Confirm device registration.
Use the Get-MsolDevice cmdlet in the Msonline module to verify the device registration state in your Azure tenant. Before you begin you will need the deviceId of a computer that should be registered in Azure AD. Find the computer in your on-premise Active Directory, right click on the computer > properties > Attribute Editor > scroll down to objectGUID and use that number as the deviceId. OPen PowerShell ISE and the run the code below.
Install-module MSonline -force import-module msonline $msolcred = Get-credential Connect-MsolService -Credential $Msolcred -AzureEnvironment AzureCloud Get-msoldevice -deviceId 7q52824c-30k1-8d1c-a947-ab34643ffddc
From the results above confirm the following.
- An object with the device id that matches the ObjectGUID on the on-premise computer must exist.
- The value for DeviceTrustType must be Domain Joined. This is equivalent to the Hybrid Azure AD joined state on the Devices page in the Azure AD portal.
- The value for Enabled must be True and DeviceTrustLevel must be Managed for devices that are used in conditional access.
Troubleshoot Hybrid Azure AD join:
If you are experiencing issues with completing hybrid Azure AD join for domain joined Windows devices, see: