Setting up Azure Hybrid Domain Join

By Joe Hanning, March 10, 2020 | Azure, Blog, Microsoft

Recently Microsoft has taken Azure Hybrid Domain Join out of preview, so it is now a fully supported technology. What is Azure Hybrid Domain Join? Traditionally IT Administrators could either join their devices into their local Active Directory Domain or join them to Azure AD but not both. Each connection type has its own advantages, but they could not be combined. Now you can have both.

Azure AD Hybrid allows Active Directory Domain Joined devices to also join your Azure AD tenant. This allows you to use Seamless SSO, Intune, Windows Hello, MDM, MFA, and other Azure offerings on your company AD joined devices.

Your devices will need to be running Windows 10 for the best feature set; however, Windows 8/8.1 are also supported (referred to as down-level devices).

So let’s get started.

Configuring Azure AD Connect

The first thing you'll need to do is configure your existing Azure AD Connect installation to enable Hybrid Azure AD join.

  1. Start the Azure AD Connect wizard and click Configure.

[Screenshot: Configure Azure AD Connect wizard]

  2. At the Additional Tasks page, click Configure device options, then click Next.

[Screenshot: Configure device options]

  3. At the Overview page, click Next.

[Screenshot: Hybrid Azure AD Join overview page]

  4. At the Connect to Azure AD page, enter the global administrator credentials for your Azure AD tenant.

[Screenshot: Connect to Azure AD with global admin credentials]

  5. At the Device options page, select Configure Hybrid Azure AD join, then click Next.

[Screenshot: Device options]

  6. On the SCP configuration page, for each forest where you want Azure AD Connect to configure the SCP, complete the steps shown, and then select Next.

[Screenshot: Configure SCP for Azure AD Connect Hybrid join]

Note: If you don't have enterprise admin rights, you can download the PowerShell script to perform this task.

  7. At the Device operating systems page, select the operating systems you are using. Windows 8/8.1 are considered downlevel domain-joined devices.

[Screenshot: Operating systems selection]

  8. At the Ready to Configure page, click Configure.

[Screenshot: Ready to configure Hybrid Azure AD join]

  9. At the Configuration Complete page, select Exit.

[Screenshot: Configuration Complete page]

Note: If your current AD Connect sync is not syncing your AD device accounts, you will also need to reconfigure Azure AD Connect to sync every OU that contains computer accounts. Hybrid Azure AD join uses this information to determine whether your devices will be allowed to perform the join.
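Step 6 writes a Service Connection Point (SCP) into the forest's Configuration naming context, and every domain-joined computer reads that object to learn which tenant to register with, so it is worth reading it back and confirming it names your tenant. The following PowerShell is an added example, not code from the original post or from Azure AD Connect; it assumes the SCP sits at the container path Microsoft documents for Hybrid Azure AD join and that its multi-valued keywords attribute carries azureADName:<tenant name> and azureADId:<tenant id> entries.

```powershell
# Added example (not from the original post or from Azure AD Connect):
# read back the Hybrid Azure AD join SCP and compare it with the tenant you expect.
# Assumptions: the SCP lives at the documented container path below, and its
# 'keywords' attribute holds 'azureADName:<name>' and 'azureADId:<tenant id>'.
function Get-HybridJoinScp {
    param(
        # Optional: the tenant id you expect (copy it from the Azure portal)
        [string]$ExpectedTenantId
    )

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $scpDn    = 'CN=62a0ff2e-97b9-4ad1-a36f-e5d6b53e3e11,' +
                'CN=Device Registration Configuration,CN=Services,' + $configNc

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$scpDn")) {
        # No SCP: domain-joined clients have nothing to discover the tenant from.
        return [pscustomobject]@{
            Exists            = $false
            DistinguishedName = $scpDn
            TenantName        = $null
            TenantId          = $null
            MatchesExpected   = $false
        }
    }

    $scp = [ADSI]"LDAP://$scpDn"

    # keywords is multi-valued; each entry is 'name:value', so split on the first colon only
    $kw = @{}
    foreach ($entry in @($scp.keywords)) {
        $name, $value = ([string]$entry) -split ':', 2
        $kw[$name] = $value
    }

    $tenantId = $kw['azureADId']
    [pscustomobject]@{
        Exists            = $true
        DistinguishedName = $scpDn
        TenantName        = $kw['azureADName']
        TenantId          = $tenantId
        # With no expected id supplied, only existence is checked
        MatchesExpected   = (-not $ExpectedTenantId) -or ($tenantId -eq $ExpectedTenantId)
    }
}

# Usage (replace the placeholder with your own tenant id):
Get-HybridJoinScp -ExpectedTenantId '<your-tenant-id>' | Format-List
```

Run it from any domain member as a normal domain user; reading the Configuration partition needs no elevated rights. A result with Exists true but MatchesExpected false means the SCP points at a tenant other than the one you entered, which is worth investigating before any device registers.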

Configure for Windows downlevel devices

If some of your domain-joined devices are Windows downlevel devices, you must

  • Configure the local intranet settings for device registration
  • Configure seamless SSO
  • Install Microsoft Workplace Join for Windows downlevel computers

To get your downlevel devices to join, you will have to create a GPO (or modify an existing one) that adds the following URLs to the Local intranet zone in Internet Explorer:

  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com

You must also enable "Allow updates to status bar via script" in the user's Local intranet zone.

Your GPO should end up looking similar to this:

[Screenshot: GPO configuration]

Configure Windows 10 Devices

To get your Windows 10 devices to Hybrid Azure AD join, you'll need one more GPO setting, which can be combined into the GPO used for the downlevel devices. You will need to enable "Register domain joined computers as devices". This setting is in Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.
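Both the downlevel settings and the Windows 10 setting end up as registry values on the client once Group Policy applies, so a policy audit can be scripted rather than clicked through. The following PowerShell is an added example, not code from the original post; the registry paths are the ones these policies are documented to use (machine-scope Site to Zone Assignment List, IE zone action 2103 for the status bar setting, and the WorkplaceJoin policy key) and are stated here as assumptions, so adjust them if your GPO applies the zone list per user instead of per machine.

```powershell
# Added example (not from the original post): audit a client for the registry
# values the Hybrid Azure AD join GPO settings leave behind.
# Assumed policy paths: Site to Zone Assignment List -> ...\Internet Settings\ZoneMapKey,
# "Allow updates to status bar via script" -> zone action 2103 under Zones\1 (Local intranet),
# "Register domain joined computers as devices" -> WorkplaceJoin\autoWorkplaceJoin.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-HybridJoinClientPolicy {
    $iePolicy = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $checks = @()

    # Downlevel: both URLs mapped to zone 1 (Local intranet). The policy can be
    # delivered at machine or user scope, so look in HKLM first, then HKCU.
    foreach ($url in 'https://device.login.microsoftonline.com',
                     'https://autologon.microsoftazuread-sso.com') {
        $zone = Get-RegValue "HKLM:\$iePolicy\ZoneMapKey" $url
        if ($null -eq $zone) { $zone = Get-RegValue "HKCU:\$iePolicy\ZoneMapKey" $url }
        $checks += [pscustomobject]@{
            Setting  = "Local intranet zone: $url"
            Expected = '1'
            Actual   = $zone
            Pass     = ($zone -eq '1')
        }
    }

    # Downlevel: "Allow updates to status bar via script" in the Local intranet
    # zone is IE zone action 2103; a value of 0 means Enable.
    $statusBar = Get-RegValue "HKLM:\$iePolicy\Zones\1" '2103'
    if ($null -eq $statusBar) { $statusBar = Get-RegValue "HKCU:\$iePolicy\Zones\1" '2103' }
    $checks += [pscustomobject]@{
        Setting  = 'Allow updates to status bar via script (Local intranet)'
        Expected = 0
        Actual   = $statusBar
        Pass     = ($statusBar -eq 0)
    }

    # Windows 10: "Register domain joined computers as devices" sets autoWorkplaceJoin = 1.
    $auto = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' 'autoWorkplaceJoin'
    $checks += [pscustomobject]@{
        Setting  = 'Register domain joined computers as devices'
        Expected = 1
        Actual   = $auto
        Pass     = ($auto -eq 1)
    }

    return $checks
}

# Usage: one row per setting; any row with Pass = False points at a GPO that has
# not applied (run 'gpupdate /force' and re-check, or confirm the GPO is linked).
Test-HybridJoinClientPolicy | Format-Table -AutoSize
```

On a Windows 10 machine only the last row matters; the two zone rows and the status bar row are requirements for the downlevel devices, so a failure there on a Windows 10 client is harmless if you scoped those settings to downlevel machines only.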

Finally, a quick test from the command line will verify whether this worked. Run 'dsregcmd /status'; the first lines of the output should tell you very quickly:

[Screenshot: Windows 10 dsregcmd /status confirmation]
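Reading dsregcmd /status by eye works for one machine; for a fleet you want the same check as a script that returns a yes/no. The following PowerShell is an added example, not code from the original post: it parses the key/value lines dsregcmd prints (AzureAdJoined, DomainJoined, and so on) into an object and reports whether the device is both domain joined and Azure AD joined, which is what a successful hybrid join looks like. The embedded sample output is constructed so the parser can be exercised offline; the DeviceId and TenantName in it are placeholders.

```powershell
# Added example (not from the original post): turn 'dsregcmd /status' output into
# an object so the hybrid join check can be scripted across many machines.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Lines of interest look like '             AzureAdJoined : YES';
        # the box-drawing header lines contain no colon and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    return $fields
}

function Test-HybridJoinState {
    param(
        # Defaults to the live command; pass captured text to evaluate it offline
        [string[]]$StatusText = (dsregcmd /status)
    )
    $f = ConvertFrom-DsregStatus -Lines $StatusText
    $domain  = ($f['DomainJoined']  -eq 'YES')
    $azureAd = ($f['AzureAdJoined'] -eq 'YES')
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $azureAd
        # Hybrid join means both are true; AzureAdJoined alone would be a pure Azure AD join
        HybridJoined  = ($domain -and $azureAd)
        TenantName    = $f['TenantName']
        DeviceId      = $f['DeviceId']
    }
}

# Constructed sample of the Device State section (placeholder ids), for offline use.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso (placeholder)
'@ -split "`r?`n"

# Offline: HybridJoined should come back True for the sample above.
Test-HybridJoinState -StatusText $sample

# Live check on the current machine:
# Test-HybridJoinState
```

A device that reports DomainJoined YES but AzureAdJoined NO has not completed the join yet; the usual causes are the computer account's OU not being synced by Azure AD Connect (see the note after the wizard steps) or the GPO not having applied, and a reboot or a fresh logon is normally needed after either is fixed.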

And that’s it! If you need more detail, Microsoft has excellent documentation on the process to help you along.

Tutorial: Configure Hybrid Azure AD Join for Managed Domains

Tutorial: Configure Joined Devices Manually

Hybrid Azure AD joined devices

Joe Hanning, Sr. Infrastructure Engineer
