Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business

If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 for business to protect your Windows 10 devices, while still maintaining access to on-premises resources that require local authentication. To set up this protection, you can implement Hybrid Azure AD joined devices. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.

This video describes how to set this up for the most common scenario, which is also detailed in the steps that follow.

1. Prepare for Directory Synchronization

Before you synchronize your users and computers from the local Active Directory Domain, review Prepare for directory synchronization to Office 365. In particular:

  • Make sure that no duplicates exist in your directory for the following attributes: mail, proxyAddresses, and userPrincipalName. These values must be unique and any duplicates must be removed.

  • We recommend that you configure the userPrincipalName (UPN) attribute for each local user account to match the primary email address that corresponds to the licensed Microsoft 365 user. For example: *mary.shelley@contoso.com* rather than *mary@contoso.local*.

  • If the Active Directory domain ends in a non-routable suffix like .local or .lan, instead of an internet routable suffix such as .com or .org, adjust the UPN suffix of the local user accounts first as described in Prepare a non-routable domain for directory synchronization.
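
The attribute checks in the list above can be scripted before the first synchronization. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling: `Find-SyncBlocker` is a hypothetical helper name, the sample accounts are constructed, and the suffix list is an assumption based on the `.local` and `.lan` examples above.

```powershell
# Added example: pre-sync check for the attribute rules in step 1.
# Find-SyncBlocker is a hypothetical helper name, not a Microsoft cmdlet.
function Find-SyncBlocker {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        # Assumed suffix list, from the .local/.lan examples; extend as needed.
        [string[]] $NonRoutableSuffix = @('.local', '.lan')
    )
    $owner = @{}   # "attribute|value" -> first account seen (keys are case-insensitive)
    foreach ($u in $User) {
        $values = [ordered]@{
            userPrincipalName = @($u.userPrincipalName)
            mail              = @($u.mail)
            proxyAddresses    = @($u.proxyAddresses)   # multi-valued attribute
        }
        foreach ($attr in $values.Keys) {
            foreach ($v in $values[$attr] | Where-Object { $_ }) {
                $key = "$attr|$v"
                if (-not $owner.ContainsKey($key)) {
                    $owner[$key] = $u.SamAccountName
                } elseif ($owner[$key] -ne $u.SamAccountName) {
                    [pscustomobject]@{ Issue = 'Duplicate'; Attribute = $attr; Value = $v
                                       Account = $u.SamAccountName; ConflictsWith = $owner[$key] }
                }
            }
        }
        foreach ($suffix in $NonRoutableSuffix) {
            if ($u.userPrincipalName -like "*$suffix") {
                [pscustomobject]@{ Issue = 'NonRoutableUpn'; Attribute = 'userPrincipalName'
                                   Value = $u.userPrincipalName; Account = $u.SamAccountName
                                   ConflictsWith = $null }
            }
        }
    }
}

# Constructed sample accounts so the script runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'mshelley'; userPrincipalName = 'mary.shelley@contoso.com'
                       mail = 'mary.shelley@contoso.com'
                       proxyAddresses = @('SMTP:mary.shelley@contoso.com') }
    [pscustomobject]@{ SamAccountName = 'mary'; userPrincipalName = 'mary@contoso.local'
                       mail = 'mary.shelley@contoso.com'
                       proxyAddresses = @('smtp:mary.shelley@contoso.com') }
)
Find-SyncBlocker -User $sample | Format-Table -AutoSize

# Live domain (needs the ActiveDirectory RSAT module):
# Find-SyncBlocker -User (Get-ADUser -Filter * -Properties mail, proxyAddresses)
```

Each reported row names the account to fix and, for duplicates, the account that already holds the value. Clear every row before you enable synchronization in Azure AD Connect.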

2. Install and configure Azure AD Connect

To synchronize your users, groups, and contacts from the local Active Directory into Azure Active Directory, install Azure Active Directory Connect and set up directory synchronization. See Set up directory synchronization for Office 365 to learn more.


The steps are exactly the same for Microsoft 365 for business.

As you configure your options for Azure AD Connect, we recommend that you enable Password Synchronization, Seamless Single Sign-On, and the password writeback feature, which is also supported in Microsoft 365 for business.


There are some additional steps for password writeback beyond the check box in Azure AD Connect. For more information, see How-to: configure password writeback.

3. Configure Hybrid Azure AD Join

Before you enable Windows 10 devices to be Hybrid Azure AD joined, make sure that you meet the following prerequisites:

  • You're running the latest version of Azure AD Connect.

  • Azure AD Connect has synchronized all the computer objects of the devices you want to be hybrid Azure AD joined. If the computer objects belong to specific organizational units (OUs), make sure these OUs are set for synchronization in Azure AD Connect as well.

To register existing domain-joined Windows 10 devices as Hybrid Azure AD joined, follow the steps in the Tutorial: Configure hybrid Azure Active Directory join for managed domains. This hybrid-enables your existing on-premises Active Directory joined Windows 10 computers and makes them cloud ready.

4. Enable automatic enrollment for Windows 10

To automatically enroll Windows 10 devices for mobile device management in Intune, see Enroll a Windows 10 device automatically using Group Policy. You can set the Group Policy at a local computer level, or for bulk operations, you can use the Group Policy Management Console and ADMX templates to create this Group Policy setting on your Domain Controller.

5. Configure Seamless Single Sign-On

Seamless SSO automatically signs users into their Microsoft 365 cloud resources when they use corporate computers. Simply deploy one of the two Group Policy options described in Azure Active Directory Seamless Single Sign-On: Quick start. The Group Policy option doesn't allow users to change their settings, while the Group Policy Preference option sets the values but also leaves them user-configurable.

6. Set up Windows Hello for Business

Windows Hello for Business replaces passwords with strong two-factor authentication (2FA) for signing into a local computer. One factor is an asymmetric key pair, and the other is a PIN or other local gesture such as fingerprint or facial recognition if your device supports it. We recommend that you replace passwords with 2FA and Windows Hello for Business where possible.

To configure Hybrid Windows Hello for Business, review the Hybrid Key trust Windows Hello for Business Prerequisites. Then follow the instructions in Configure Hybrid Windows Hello for Business key trust settings.