Tutorial: Configure hybrid Azure Active Directory join for managed domains

In this tutorial, you learn how to configure hybrid Azure Active Directory (Azure AD) join for Active Directory domain-joined devices. This method supports a managed environment that includes both on-premises Active Directory and Azure AD.

Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You can accomplish this goal by managing device identities in Azure AD. Use one of the following methods:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registration

This article focuses on hybrid Azure AD join.

Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your cloud and on-premises resources with Conditional Access at the same time.

You can deploy a managed environment by using password hash sync (PHS) or pass-through authentication (PTA) with seamless single sign-on. These scenarios don't require you to configure a federation server for authentication.

In this tutorial, you learn how to:

  • Configure hybrid Azure AD join
  • Enable Windows down-level devices
  • Verify joined devices
  • Troubleshoot


  • The Azure AD Connect (1.1.819.0 or later)
  • The credentials of a global administrator for your Azure AD tenant
  • The enterprise administrator credentials for each of the forests

Familiarize yourself with these articles:


Azure AD doesn't support smartcards or certificates in managed domains.

Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see Organizational unit–based filtering.


To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to AAD, see Attributes synchronized by Azure AD Connect.

Beginning with version 1.1.819.0, Azure AD Connect includes a wizard to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The wizard configures the service connection points (SCPs) for device registration.

The configuration steps in this article are based on using the wizard in Azure AD Connect.

Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization's network:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)


If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.

If your organization requires access to the internet via an outbound proxy, you can use implementing Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers for device registration with Azure AD. To address issues configuring and managing WPAD, see Troubleshooting Automatic Detection. In Windows 10 devices prior to 1709 update, WPAD is the only available option to configure a proxy to work with Hybrid Azure AD join.

If you don't use WPAD, you can configure WinHTTP proxy settings on your computer beginning with Windows 10 1709. For more information, see WinHTTP Proxy Settings deployed by GPO.


If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the configured proxy will fail to connect to the internet.

If your organization requires access to the internet via an authenticated outbound proxy, make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.

Verify the device can access the above Microsoft resources under the system account by using the Test Device Registration Connectivity script.

Configure hybrid Azure AD join

To configure a hybrid Azure AD join by using Azure AD Connect:

  1. Start Azure AD Connect, and then select Configure.

  2. In Additional tasks, select Configure device options, and then select Next.

    Additional tasks

  3. In Overview, select Next.

  4. In Connect to Azure AD, enter the credentials of a global administrator for your Azure AD tenant.

  5. In Device options, select Configure Hybrid Azure AD join, and then select Next.

    Device options

  6. In Device operating systems, select the operating systems that devices in your Active Directory environment use, and then select Next.

    Device operating system

  7. In SCP configuration, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next.

    1. Select the Forest.
    2. Select an Authentication Service.
    3. Select Add to enter the enterprise administrator credentials.


  8. In Ready to configure, select Configure.

  9. In Configuration complete, select Exit.

Enable Windows down-level devices

If some of your domain-joined devices are Windows down-level devices, you must:

  • Configure the local intranet settings for device registration
  • Configure seamless SSO
  • Install Microsoft Workplace Join for Windows down-level computers

Windows down-level devices are devices with older operating systems. The following are Windows down-level devices:

  • Windows 7
  • Windows 8.1
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2


Windows 7 support ended on January 14, 2020. For more information, see Windows 7 support ended.

Configure the local intranet settings for device registration

To complete hybrid Azure AD join of your Windows down-level devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the local intranet zone in Internet Explorer:

  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com

You also must enable Allow updates to status bar via script in the user's local intranet zone.

Configure seamless SSO

To complete hybrid Azure AD join of your Windows down-level devices in a managed domain that uses password hash sync or pass-through authentication as your Azure AD cloud authentication method, you must also configure seamless SSO.

Install Microsoft Workplace Join for Windows down-level computers

To register Windows down-level devices, organizations must install Microsoft Workplace Join for non-Windows 10 computers. Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download Center.

You can deploy the package by using a software distribution system like Microsoft Endpoint Configuration Manager. The package supports the standard silent installation options with the quiet parameter. The current version of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. The task silently joins the device with Azure AD by using the user credentials after it authenticates with Azure AD.

Verify the registration

Here are 3 ways to locate and verify the device state:

Locally on the device

  1. Open Windows PowerShell.
  2. Enter dsregcmd /status.
  3. Verify that both AzureAdJoined and DomainJoined are set to YES.
  4. You can use the DeviceId and compare the status on the service using either the Azure portal or PowerShell.

Using the Azure portal

  1. Go to the devices page using a direct link.
  2. Information on how to locate a device can be found in How to manage device identities using the Azure portal.
  3. If the Registered column says Pending, then Hybrid Azure AD Join has not completed.
  4. If the Registered column contains a date/time, then Hybrid Azure AD Join has completed.

Using PowerShell

Verify the device registration state in your Azure tenant by using Get-MsolDevice. This cmdlet is in the Azure Active Directory PowerShell module.

When you use the Get-MSolDevice cmdlet to check the service details:

  • An object with the device ID that matches the ID on the Windows client must exist.
  • The value for DeviceTrustType is Domain Joined. This setting is equivalent to the Hybrid Azure AD joined state on the Devices page in the Azure AD portal.
  • For devices that are used in Conditional Access, the value for Enabled is True and DeviceTrustLevel is Managed.
  1. Open Windows PowerShell as an administrator.
  2. Enter Connect-MsolService to connect to your Azure tenant.

Count all Hybrid Azure AD joined devices (excluding Pending state)

(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

Count all Hybrid Azure AD joined devices with Pending state

(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

List all Hybrid Azure AD joined devices

Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

List all Hybrid Azure AD joined devices with Pending state

Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

List details of a single device:

  1. Enter get-msoldevice -deviceId <deviceId> (This is the DeviceId obtained locally on the device).
  2. Verify that Enabled is set to True.

Troubleshoot your implementation

If you experience issues completing hybrid Azure AD join for domain-joined Windows devices, see:

Next steps

Advance to the next article to learn how to manage device identities by using the Azure portal.