This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 57.99999999999999%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEA%3C/text%3E%3C/svg%3E)
Hello, Guys
In my environment we have set in AD connected Azure AD Joined devices, we also have Pass hash Sync, now we want to get config some conditional access but it need to be state Hybrid Joined.
The devices has Azure AD joined, how can we migrate to Hybrid Joined, without impact users, we need to change in AD connect in that it?
For devices that are purely AAD joined cannot be changed to hybrid-AAD unless you use auto-pilot with hybrid AAD join profile or manually join the devices to on-prem domain.
The hybrid azure AD joined refers to a device joined to on-prem domain+ joined to AAD.
For conditional access, the hybrid AAD is not mandatory, you can use other options to configure the in conditional access such as device compliant state (if have intune enrolled and compliant).
+1 to Eswar's answers.
To summarize:
The requirement for conditional access is for the system and user to have an Azure AD identity. This is perfectly fulfilled when a device is full Azure AD joined.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 78%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
The requirement for conditional access is for the system and user to have an Azure AD identity. This is perfectly fulfilled when a device is full Azure AD joined.
Azure AD Joined devices can be personal devices as well, right?
I have created a conditional access policy for a specific app that I don't want the users to open on a personal device. As a condition I checked the Hybrid AAD option. But when I try to open the app on my company machine which is a Ad joined and Azure AD Registered device, I'm blocked..
Is there any way to block certain enterprise applications from Azure AD Registered devices?
Yes. Use a compliance policy in Intune and in your conditional access policy require that the device is compliant.
AAD joined devices can also be personal but it depends on how you allow the devices to be enrolled.
you can create a enrollment restrictions to block the personal windows devices. https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set
For the conditional access, you can select Under Access controls > Grant, select Require device to be marked as compliant.
If you want to block the AAD registered devices, you can create a block policy with conditions, device state, configure, exclude hybrid AAD and compliant. So any device that is not hybrid AAD or AAD compliant will be blocked.
Regards,
Eswar
www.eskonr.com
If the response is helpful, please click "Accept Answer" and upvote it.
Now I understand the construction
The problem is that a lot of those personal machines (with machine-name "DESKTOP-xxxx") are in some way AAD Registered and not AAD Joined?
Could be a config error that was made when setting up AD Connect but now I'm unable to distinguish company owned machines with personal machines...
Is there any way to change that? Preferably without any problems for the home users?
you can change the ownership of the devices (that you are sure of corporate) from personal to corporate.
you can also create AAD Sec group to find the list of personal vs corporate windows devices for further action.
Regards,
Eswar
www.eskonr.com
If the response is helpful, please click "Accept Answer" and upvote it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 84%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Just add an official conditional access link and hope it helpful for you.