Configure Hybrid Azure AD Join using AAD Connect
This post covers the steps to configure Hybrid Azure AD join using the Azure Active Directory Connect tool. Once you set up hybrid Azure AD join with all the prerequisites in place, your domain-joined Windows 10 devices automatically register as devices in your Azure AD tenant.
The word “hybrid” here refers to a device that exists in both environments at the same time: it stays joined to your on-premises AD and is also registered in Azure AD, so it is visible in both directories. For more info on configuring hybrid Azure Active Directory join for managed domains, read this article.
From the Configuration Manager perspective, let’s say you have Windows 10 devices joined to on-premises Active Directory. Before you enable co-management in Configuration Manager, you must first join these devices to Azure Active Directory (Azure AD) as well. This process is called hybrid Azure AD join.
Hybrid Azure AD Join Prerequisites
Before we set up the hybrid domain join, let me list some important prerequisites. For complete info on Hybrid Azure AD join, read this article.
- Hybrid Azure AD join supports a broad range of Windows devices. For clients you can use Windows 10, and for servers Windows Server 2016 and Windows Server 2019. Older versions of Windows require additional or different steps.
- To set up hybrid Azure AD join using Azure AD Connect, you need the credentials of a global administrator for your Azure AD tenant, and Enterprise Administrator credentials for each on-premises forest in which the Service Connection Point will be created.
- You must configure the Hybrid Azure AD join option in Azure AD Connect. That step creates the Service Connection Point (SCP) in your forest; without it, domain-joined devices cannot discover your Azure AD tenant and will never register.
Configure Hybrid Azure AD Join via AAD Connect
Let’s get started with configuring hybrid domain join using the Azure Active Directory (AAD) Connect tool. First, launch the Azure AD Connect tool. On the Welcome page, click Configure.
On the Tasks page, click Configure Device Options. Click Next.
Click Next on Overview section.
In this step enter the credentials to connect to Azure AD. Click Next.
Under Device options, you see the following options.
- Configure Hybrid Azure AD join
- Configure device writeback
- Disable device writeback
Select Configure Hybrid Azure AD join and click Next.
On the Device Systems page, select the device operating systems used in your Active Directory environment. Here I will select Windows 10 or later domain-joined devices. Click Next.
The Service Connection Point (SCP) is how your domain-joined devices discover the Azure AD tenant they should register with, so this step must be configured correctly. On the SCP configuration page, under Authentication Service, select Azure Active Directory. Click the Edit button and specify Enterprise Admin credentials for the forest; the wizard uses them to create the SCP in the forest’s Configuration partition.
An alternative way to configure the SCP is to download the ConfigureSCP.ps1 PowerShell script offered by the wizard. Use this script when the account running Azure AD Connect does not have Enterprise Admin credentials: hand the script to an Enterprise Admin to run against the forest.
Finally we are ready to configure the hybrid Azure AD join. Click Configure.
After a few seconds, you should see the Configuration Complete message. The task to configure Hybrid Azure AD join completed successfully. Click Exit.
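Because every domain-joined Windows 10 device will read the SCP to decide which tenant to register with, it is worth checking that the object the wizard created points at the tenant you expect. The following PowerShell is an added example (not part of the original post or of Azure AD Connect) that reads the SCP from the forest’s Configuration partition and compares its keywords with an expected tenant name and ID. The object path and the well-known container GUID are those documented by Microsoft for the SCP; the tenant name and ID values are placeholders you replace with your own. It assumes the RSAT ActiveDirectory module on a domain-joined machine and an account that can read the Configuration naming context.

```powershell
# Added example: verify the Hybrid Azure AD join Service Connection Point (SCP).
# Not from the original post or from Azure AD Connect. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    param(
        # Placeholders: replace with the verified domain name and tenant ID of your Azure AD tenant.
        [string]$ExpectedTenantName = 'contoso.com',
        [string]$ExpectedTenantId   = '00000000-0000-0000-0000-000000000000'
    )

    # The SCP lives under a well-known container GUID in the forest's Configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4088-9036-ab3a03a1ff7d,CN=Device Registration Configuration,CN=Services,$configNc"

    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        # No SCP means the wizard step failed or was skipped: devices have nothing to discover.
        return [pscustomobject]@{ Found = $false; TenantName = $null; TenantId = $null; Matches = $false }
    }

    # keywords is multi-valued and carries "azureADName:<domain>" and "azureADId:<tenant GUID>".
    $name = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $id   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

    [pscustomobject]@{
        Found      = $true
        TenantName = $name
        TenantId   = $id
        # Both values must match: a wrong tenant here would register every device elsewhere.
        Matches    = ($name -eq $ExpectedTenantName) -and ($id -eq $ExpectedTenantId)
    }
}

# Usage (placeholder values):
$result = Get-HybridJoinScp -ExpectedTenantName 'contoso.com' -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
if (-not $result.Found) {
    Write-Warning 'No SCP found in the Configuration partition; hybrid join will not work.'
} elseif (-not $result.Matches) {
    Write-Warning "SCP advertises $($result.TenantName) ($($result.TenantId)), not the expected tenant."
} else {
    Write-Output "SCP OK: $($result.TenantName) / $($result.TenantId)"
}
```

If the check reports a mismatch, re-run the wizard’s SCP step (or the ConfigureSCP.ps1 script) with the correct tenant before any devices attempt to register.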
Check if Windows 10 Device is Azure AD Joined
In the above step, the Hybrid Azure AD join configuration was successful. Now it’s time to see whether your Windows 10 device is hybrid joined to Azure AD or not.
Run dsregcmd /status from a command prompt on the Windows 10 device to find out whether it is Azure AD joined.
In the output, under Device State, check the AzureADJoined value. Right after configuring AAD Connect it still shows NO.
The best part here is that domain-joined Windows 10 devices hybrid join automatically; the registration is triggered by a scheduled task at user sign-in, so you have to wait at least 5-30 minutes or more to see the result.
In my case, it took around 25 minutes to see the results. You may reboot the Windows 10 device if you don’t see any change in the device status.
Run dsregcmd /status again, and now under Device State the AzureADJoined value shows YES.
Log in to the Azure portal and click Devices. Notice that your Windows 10 device now shows the Join type as Hybrid Azure AD Joined.
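Reading dsregcmd output by eye is fine for one machine; for a fleet you want the same check in a script. The following PowerShell is an added example (not from the original post or from Microsoft) that parses the "Key : Value" lines dsregcmd /status prints into a hashtable and derives the hybrid-join state from them. A device counts as hybrid joined only when DomainJoined and AzureAdJoined are both YES; a device with AzureAdJoined alone is cloud-only joined. The field names are those dsregcmd prints; the sample output embedded below is constructed for illustration and the tenant ID in it is a placeholder.

```powershell
# Added example: parse dsregcmd /status and report hybrid-join state.
# Not from the original post. Field names (AzureAdJoined, DomainJoined, TenantId) are dsregcmd's own.

function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    $state = @{}   # hashtable keys are case-insensitive, so 'AzureADJoined' and 'AzureAdJoined' both work
    foreach ($line in $Lines) {
        # dsregcmd prints e.g. "             AzureAdJoined : YES"; keep only "Key : Value" lines
        if ($line -match '^\s*([A-Za-z0-9 \-]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-HybridAzureAdJoined {
    # By default run the real tool; pass captured output to evaluate another machine's status offline.
    param([string[]]$Lines = (dsregcmd /status))
    $s = ConvertFrom-DsregcmdStatus -Lines $Lines
    [pscustomobject]@{
        DomainJoined  = ($s['DomainJoined'] -eq 'YES')
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        TenantId      = $s['TenantId']
        # Hybrid join means joined to on-premises AD AND registered in Azure AD.
        HybridJoined  = ($s['DomainJoined'] -eq 'YES') -and ($s['AzureAdJoined'] -eq 'YES')
    }
}

# Constructed sample output (not captured from a real tenant) showing the state before the join completes.
$sampleBefore = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO'
)

# Constructed sample after the automatic registration has run; tenant ID is a placeholder.
$sampleAfter = @(
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '+----------------------------------------------------------------------+',
    '| Tenant Details                                                       |',
    '+----------------------------------------------------------------------+',
    '                TenantName : contoso.com',
    '                  TenantId : 00000000-0000-0000-0000-000000000000'
)

Test-HybridAzureAdJoined -Lines $sampleBefore   # HybridJoined : False
Test-HybridAzureAdJoined -Lines $sampleAfter    # HybridJoined : True

# On the device itself, with no -Lines argument, the function runs dsregcmd /status directly:
# Test-HybridAzureAdJoined
```

Because the function returns an object rather than printing text, you can run it through a remoting session or Configuration Manager script and filter on HybridJoined to find devices that have not registered yet.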
Hi Prajwal, is it possible to migrate hybrid Azure AD to full standalone Azure AD? We have hybrid Azure AD with Intune as endpoint management; before, we used Active Directory with SCCM as endpoint management. We only use on-prem AD as IdP, no apps at all. My consultant said it is okay to only disable Azure AD Connect and go full cloud, but I doubt that process will work since Azure will lose connectivity to the on-prem AD; I think it will impact user accounts and passwords.
Hi Prajwal, This is done in the Windows 10 machine?
It was nicely written, but what’s the difference between Azure AD registered and hybrid AD joined devices, and their benefits?
Azure AD registered occurs when a device signs into an Office 365 service.
Hybrid AD joined device allows management and vision through Azure AD and OnPremise.
What’s the difference between hybrid AD joined and AAD joined? I try to push feature updates to my Win 11 VMs but it doesn’t work.