Microsoft Entra ID | Hybrid Azure AD Join Devices | Managed Domains 

Thanks for your acknowledgement.

Thank you for your kind words.

Glad it was helpful!

Glad you enjoy it!

Glad you enjoyed it!

Glad it helped!

Glad it helped.

Thank you..!!

Glad it helped!

That's the plan! :-)

Great suggestion!

Glad it was helpful!

Glad you liked it

Thanks for your kind words.

@@ConceptsWork for hybrid join ..enterpriseprt should be yes, but in your video I see as NO , Could you please explain

ADFS also offers device registration, and enterprise PRT is related to ADFS, please check this article for more details. docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq

I did not find info about enterprisePRT. I know abt session cookie ...acess token... My question was why enterprisePrt was set to No if it is a hydrid join... If the machine is hybrid Join, azureadprt and enterprisePRT should be YES. Please let me if my understanding is wrong

Enterprise PRT will be available, if you have implemented Device Registration of ADFS. Enterprise PRT is not required for Hybrid Azure AD join Devices.

Glad you liked it!

Glad you liked it!

Hi David, thanks for the kind words. Just wanted to understand your requirement related to intune. The device which are hybrid azure ad joined are already managed through on-prem, can you please share some more details in terms of how you want to manage the from intune.

​@@ConceptsWork We are in the process of purchasing 150 laptops for staff that will be used both onsite and offsite. If they are onsite, they will be either connected via cable to our main network, or on our corporate wifi for direct access to the DCs and managed via traditional on-prem group policies etc. I am pretty new to InTune, but we want to basically make sure all of our devices are registred to InTune so that we can retain some sort of control when they are off-network too. I managed to get this working though. Initially, for those devices that are Hybrid Joined, the MDM was showing as "None". However, after making some GPO changes, my devices now are showing as Hybrid Joined with InTune as their MDM. We are not really going to configure much on InTune, but it will be nice to have the option to in the future. I hope this make sense, and I hope this is a correct use-case for InTune. BYOD devices, at the moment, we're not really expecting to get onto InTune or Azure Joined.

Glad you enjoyed it

Hi Kanika, though there is a membership, for this, but if it is only this PPT that you need, please send us an email at learnconceptswork@gmail.com

ru-vid.com/group/PL8wOlV8Hv3o9uHl0XFfI6_katp6BXNVjb

You have to ask users to use VPN, as the task to renew PRT is initiated in every unlock of the machine, also you can create a scheduled task which should trigger device registration at least 3 or 4 times a day, once the device is successfully, PRT should work as expected, but just FYI, renewal of PRT requires line of site for DC in federated environments.

Yes, this will keep the configuration file, identitical on all the servers.

PRT is per user and device specific. Regarding more details on how PRT works, please check this article - docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

Unfortunately not, as the authentication authority for users is still on-prem AD.

Start from enabling Hybrid Azure AD join from AAD connect, make sure all the network configuration is in place. When the SCP and the network endpoints are enabled win 10 will get automatically joined. For windows 7 check this article - docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains#enable-windows-downlevel-devices

Yes, for windows down level devices, all these links should be added as seamless sso is one of the pre-reqs.

@@ConceptsWork oh! so if all my devices are windows 10, then no need to add these URLs?

yes, i have the same question. seems a little confusing and hoping don't have disjoin machines to get ADHybrid join to work.

Thanks

Yes with auto pilot you need connector and line of site of DC.

@@ConceptsWork my current environment is a hybrid, I haven’t setup intune connector yet. will you still be able to do the manual enrollment and join machine to hybrid AD join even though you have autopilot set up? Currently my environment is small everything has been setup manually and manual AD join.

I see that the machine is azure AD join. but MDMurl and MDMtouurl are empty, how do you fix that? cause it to register with as hybrid ad join, but can't push application nor policy to it.

A device which is domain joined cannot be manually Azure AD joined from settings pane.

This applies to Windows 10 1709 or above:- "If a machine is already joined to Active Directory, the moment you enable device registration from AAD connect, the SCP of the tenant gets registered in AD, now from the next time when device registration will be triggered the machine will create the cert and save it in the machine object. When this object is synced to azure AD in next sync cycle, the user will start receiving PRT.

@@ConceptsWork okay, so i don't have to disjoin the machine and rejoin it just like what you did right?

@@ConceptsWork when will the next time device registration trigger if the machine is already domain joined, does it happen when synchronisation cycle happen next time?

As of now there is no method to Migrate machines from on-prem to Azure AD.

@@ConceptsWork unless you want everything fresh or user 3rd party tools to migrate user profiles. am i right?

No, the first authentication will be sent to Local AD itself.

​@@ConceptsWork, so it is not possible.. I would have thought otherwise being Hybrid!

Yes that's correct.

For the first question, which version of AAD connect you have, also make sure that you are selecting hybrid option. For 2nd question - Its not about user, its about machine object which has to be synced to Azure AD for Hybrid Azure AD join to work. If the changes are made on a dc which is not directly contacted by AAD connect, and these changes are not reflecting in Azure AD, it can be a replication issue between DC's.

The machines must contact AD, as there is a cert which is written to the user certificate attribute of computer object. This applies to Windows 10 1709 or above:- "If a machine is already joined to Active Directory, the moment you enable device registration from AAD connect, the SCP of the tenant gets registered in AD, now from the next time when device registration will be triggered the machine will create the cert and save it in the machine object. When this object is synced to azure AD in next sync cycle, the user will start receiving PRT.

@@ConceptsWork Thank you for the information. So, once I enable the device registration from AAD connect, in order to get the Certificate the Machine must contact the on Prem Domain Controller for first time? Once thats done it can be offsite? How about service password reset? Is that the same case well? Thank you again

Even with Intune Connector, the machines must be able to contact your domain controller. Please check this article - docs.microsoft.com/en-us/mem/intune/enrollment/windows-autopilot-hybrid

@@ConceptsWork Does it means that for WFH scenario, It's not possible for on prem join domain PC and has SCCM agent to setup hybrid azure ad join without VPN? What's the best way to migrate from AD and SCCM managed to Azure AD and Intune managed for WFH scenario, PC are already join to onprem AD and installed with SCCM agent but have no VPN

Infact, I just did an repro in my personal tenant and it is exactly the same. I set the GPO to trust all the sites specified in the documentation as well as your video, my AAD Connect is configured for the Hybrid AAD Join with Passthrough Authentication and SSO Enabled. Also, I can see my Computer Object being synced to the Cloud and when I join my machine to the domain, I can see the User device registration logs confirming that the device has been joined but while checking the dsregcmd status it shows that it has not obtained any PRT but the device is joined to AAD. Your technical insights would help me solve issue in my personal tenant as well as Production. The only difference in my prod is we are using Federated Domain and in personal I am using Managed. Thanks a lot in advance!!

Hello Ganesh, Thanks for being so responsive on all our videos, please reach us on learnconceptswork@gmail.com, and we will resolve this issue. Regards, Conceptswork.

Hello Ganesh, what are your findings after checking with concept team. I had a similar issue. Any inputs from your end is highly appreciated.

@@jadhav44 any inputs from concept team regarding your issue, as I have seen a similar situation at my end.

The activity timestamp will only be populated when there is a valid PRT on the device. As soon as the device is synced from on-prem, portal shows that device as hybrid, but the activity time stamp also has to be populated.

Make sure you have enabled automatic enrollment in Endpoint manager portal and MDM scope is also set for all the users. In this case when the user will join the device to Azure AD, it will be automatically enrolled to MDM, also if you deployed the onboarding to Microsoft defender for endpoints that will also happen seamlessly.

Yes, you can.

No, adding these url's to GPO will add them to local intranet zone. The access to these URL's should be whitelisted at the network.

@@ConceptsWork Meaning so they can be contacted by Down level devices? but for devices that are Windows 10 and updated those 4 URL's must be whitelisted in the network? My device can contact the 2 out for 4 URL"S . For enterpriseregistration.windows.net/ i get error endpoint not availble. I appreciate your help.

One more thing, will the SCP be installed after the AD sync configuration? or it should be there by default?

You can ask users to remain connect on VPN for some days and get a gpo created which should trigger dsregcmd task at least 3-4 times a day.

No, once the hybrid process is completed, I mean the machine is able to contact the respective endpoints, user certificate attribute will be populated.

No, you don't have to do it manually, if all the config is in place as well as machines get line of site to DC, it will work as expected.

Syncing machines will not going to make any impact in the environment. This can be one of the steps in terms of getting the environment ready for Hybrid Deployment.

@@ConceptsWork thanks for replying. Btw, i noticed my forest functional level is 2008 but the domain is already 2008 r2. Will it work or do i have to update the forest level. Back to impact, what about after enabling hybrid from ad connect? How will it impact my domain users?

By any chance have you removed your machine manually, by running the command dsregcmd /leave