0 Votes
VankVladimrVZPRsted-6008 asked jing-0476 rolled back

Device isnt recognized as hybrid joined device

Hello,
I'm trying to set a policy which will allow access to some applications only from hybrid-joined devices.
* Require Hybrid Azure AD joined
I performed (with some issues though) a hybrid join on a few computers.
These computers correctly show up in the AAD portal:

Name: MyNotebook
Enabled: Yes
OS: Windows
Version: 10.0.17763.0
Join Type: Hybrid Azure AD joined
Owner: N/A
MDM: None
Compliant: N/A
Registered: 11/26/2020, 7:41:38 AM
Activity: 11/26/2020, 7:33:40 AM

DSREGCMD /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

          AzureAdJoined : YES
       EnterpriseJoined : NO
           DomainJoined : YES
             DomainName : Contoso

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

         IsDeviceJoined : YES
          IsUserAzureAD : NO
          PolicyEnabled : NO
       PostLogonEnabled : YES
         DeviceEligible : YES
     SessionIsNotRemote : YES
         CertEnrollment : none
           PreReqResult : WillNotProvision

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

                 NgcSet : NO
        WorkplaceJoined : YES
       WorkAccountCount : 1
          WamDefaultSet : NO


However, testing this Conditional Access policy still fails, because the join type is not recognized. The sign-in log shows:

Browser: Edge 18.17763
Operating System: Windows 10
Compliant: No
Managed: No
Join Type: <empty field>

What could be wrong there? I performed the hybrid join, and in AAD the ObjectID matches the ID from the dsregcmd command. I'm lost there.

azure-ad-connect, azure-ad-hybrid-identity

Hi @VankVladimrVZPRsted-6008 · Just checking if you had a chance to test the solution below.

0 Votes 0 ·

Hello @amanpreetsingh-msft,
I believe your information is not very helpful for me.

We have an on-premises environment; we are only syncing computer accounts to AAD. We don't use AAD user logins at all.
The computer account is joining under the SYSTEM account, not a user account. And the logs say that registration to AAD was successful.

0 Votes 0 ·

Hi @VankVladimrVZPRsted-6008 · Conditional Access policy doesn't work this way. The users must be synced and part of the policy, and should be authenticating from Azure AD, as the purpose of a Conditional Access policy is to control the issuance of tokens to users. I am interested to know: if you have not synced the users, what option have you selected under the "Users and groups" section of the Conditional Access policy?

0 Votes 0 ·
0 Votes
amanpreetsingh-msft answered VankVladimrVZPRsted-6008 commented

Hi @VankVladimrVZPRsted-6008 · Thank you for reaching out.

As per the parameter below in the output of your dsregcmd command:

IsUserAzureAD : NO

The logged-in user is not an Azure AD user, due to which, under SSO State, AzureAdPrt becomes NO. Users that are logged in to Hybrid Azure AD joined devices are supposed to use the AzureAdPrt (Azure AD Primary Refresh Token) to authenticate against protected resources. If there is no PRT submitted by the user for authentication, the device won't be recognized as a Hybrid Azure AD joined device by Conditional Access and will be blocked.

Make sure that you are logged in with an Azure AD user account and confirm that IsUserAzureAD and AzureAdPrt are YES in the output of the dsregcmd command. Check whether the Conditional Access policy is successfully applied afterwards.

If you still see one of these parameters as NO, please check Event Viewer > Applications and Services Logs > Microsoft > Windows > AAD and User Device Registration logs to identify the issue.

Feel free to tag me in your reply if you have any further questions.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
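A quick way to check the values this answer names, written here as an added example rather than code from the thread or from Microsoft: the script runs dsregcmd /status in the signed-in user's session, parses the "Name : Value" lines and reports the four fields a "Require Hybrid Azure AD joined" grant depends on. It assumes dsregcmd is on the PATH (it ships with Windows 10) and that it is run as the interactive user, because the User State and SSO State sections describe the current user rather than the computer account, which is why running it under SYSTEM would not show the user's PRT.

```powershell
# Added example, not from the thread. Parses "dsregcmd /status" and checks the
# device-state and user-state values discussed in this answer.
# Run as the interactive user: the User State / SSO State sections (and therefore
# AzureAdPrt) describe the logged-in user, so SYSTEM context tells you nothing there.

$raw = dsregcmd /status
if (-not $raw) { throw 'dsregcmd produced no output; is this a Windows 10 domain-joined machine?' }

# Lines of interest look like "          AzureAdJoined : YES". Section headers
# ("| Device State |") and separators ("+----+") do not match this pattern, and a
# lazy value capture keeps timestamps containing ':' intact.
$state = @{}
foreach ($line in $raw) {
    if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
        $state[$Matches[1]] = $Matches[2]
    }
}

# All four must be YES for Conditional Access to see the sign-in as coming from a
# hybrid-joined device; anything else leaves Join Type empty in the sign-in log.
$required = [ordered]@{
    AzureAdJoined = 'YES'   # device registered with Azure AD
    DomainJoined  = 'YES'   # device joined to the on-premises domain
    IsUserAzureAD = 'YES'   # signed-in account has a synced Azure AD identity
    AzureAdPrt    = 'YES'   # a Primary Refresh Token was obtained for that account
}

$problems = @()
foreach ($name in $required.Keys) {
    $actual = if ($state.ContainsKey($name)) { $state[$name] } else { '<missing>' }
    $ok = ($actual -eq $required[$name])
    '{0,-14} {1,-9} {2}' -f $name, $actual, $(if ($ok) { 'ok' } else { 'PROBLEM' })
    if (-not $ok) { $problems += $name }
}

# Context worth reading next to a failed check (only printed if the field is present).
foreach ($name in 'DomainName', 'DeviceId', 'TenantName', 'AzureAdPrtUpdateTime') {
    if ($state.ContainsKey($name)) { '{0,-22} {1}' -f $name, $state[$name] }
}

if ($problems.Count -eq 0) {
    'All required values are YES. If Join Type is still empty in the sign-in log, compare the user UPN with the on-premises UPN and mail attribute.'
} else {
    'Not satisfied: {0}. Check Event Viewer > Applications and Services Logs > Microsoft > Windows > User Device Registration.' -f ($problems -join ', ')
}
```

The script deliberately reads the device and user fields together: a device can be correctly registered (AzureAdJoined and DomainJoined both YES, as in the question) while the session still has no PRT, and it is the PRT, not the device object, that carries the device claim Conditional Access evaluates.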


Hi @amanpreetsingh-msft
Your answer definitely helped me.
Our UPN didn't match the email address; that was one of the main problems. After we changed the UPN on our test objects (users), AzureAdPrt switched to YES.

My notebook works flawlessly as a hybrid-joined device. Conditional Access works; the device is recognized.
My colleague, who also did the hybrid join, still has some problems.

He changed the UPN, dsregcmd looks the same as mine (with all the required "YES"), and the event log shows no errors. His device is still not recognized as hybrid joined (in AAD his computer account is Hybrid Azure AD joined; in sign-ins the Join Type value is empty).

Not sure what to look for. His ObjectID matches, dsregcmd shows no errors. He just has all the same settings as me.


0 Votes 0 ·
0 Votes
jing-0476 answered IantenCate-0125 commented

Any solution to this?
1 out of 200 of my users is having a problem enrolling in Intune because of this exact same thing.
The user was set to UPN1 before and has now been transferred to UPN2 (both federated, not primary).
Like @abc1.com to @abc2.com.

I can see that the UPNs match on Azure AD and local AD. But I want to make sure that they really match in the background.
Any idea how I can really test this user's UPN on both Azure AD and local AD?

That is my suspicion after weeks of troubleshooting.

Thanks
@VankVladimrVZPRsted-6008 @amanpreetsingh-msft

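For the question above (verifying that a user's UPN really matches on both sides after a UPN change) and for the earlier comment where a UPN that differed from the mail address kept AzureAdPrt at NO, the following added script (not from the thread, and not Microsoft's tooling) compares one on-premises account with the Azure AD object Azure AD Connect created for it. It assumes the ActiveDirectory and AzureAD PowerShell modules are installed, that Connect-AzureAD has already been run, and that the caller supplies the sAMAccountName; the cmdlets and properties used (Get-ADUser, Get-AzureADUser, Get-AzureADDomain, ImmutableId, LastDirSyncTime, IsVerified, AuthenticationType) are real, the parameter name and the output layout are this example's own.

```powershell
# Added example, not from the thread: compare one user's on-premises AD identity with
# its synced Azure AD object, and check that the UPN suffix is a verified domain in
# the tenant. Assumes the ActiveDirectory and AzureAD modules are installed and that
# Connect-AzureAD has already been run.
param(
    [Parameter(Mandatory = $true)][string] $SamAccountName   # supplied by the caller
)

Import-Module ActiveDirectory
Import-Module AzureAD

$onPrem = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, mail, objectGUID

# Azure AD Connect links a synced user by ImmutableId = Base64(on-premises objectGUID),
# so this is the authoritative match regardless of what the UPN currently says.
$expectedImmutableId = [Convert]::ToBase64String($onPrem.ObjectGUID.ToByteArray())

# Look the cloud object up by ImmutableId rather than by UPN: a UPN mismatch is exactly
# what we want to detect, so a UPN-based lookup would hide it. Enumerating all users is
# slow on a large tenant but acceptable for a one-off diagnostic on a single account.
$cloud = Get-AzureADUser -All $true | Where-Object { $_.ImmutableId -eq $expectedImmutableId }
if (-not $cloud) {
    throw "No Azure AD user has ImmutableId $expectedImmutableId; the account is not synced, or is matched to a different object."
}

# The UPN suffix must be a domain the tenant has verified, otherwise the user's actual
# sign-in name will be rewritten and will not match what the device presents.
$upnSuffix = $onPrem.UserPrincipalName.Split('@')[-1]
$domain    = Get-AzureADDomain | Where-Object { $_.Name -eq $upnSuffix }
$authType  = if ($domain) { $domain.AuthenticationType } else { '<suffix not in tenant>' }

[pscustomobject]@{
    OnPremUPN      = $onPrem.UserPrincipalName
    OnPremMail     = $onPrem.mail
    CloudUPN       = $cloud.UserPrincipalName
    CloudMail      = $cloud.Mail
    UpnMatches     = ($onPrem.UserPrincipalName -eq $cloud.UserPrincipalName)
    UpnMatchesMail = ($onPrem.UserPrincipalName -eq $onPrem.mail)
    SuffixVerified = [bool]($domain -and $domain.IsVerified)
    SuffixAuthType = $authType       # Managed or Federated
    LastDirSync    = $cloud.LastDirSyncTime
}
```

UpnMatches is the check the thread's root cause turns on; UpnMatchesMail reflects the earlier comment where aligning UPN with mail fixed the PRT, and LastDirSync tells you whether a recent on-premises UPN change has actually been exported yet, which is the usual reason the two portals look identical while the background state still differs.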

Did you ever get to the root of your problem here? We're seeing a similar issue (the device claims hybrid join = OK based on AzureAdJoined: YES and DomainJoined: YES, but AzureAdPrt: NO). We adjusted UPN and email to match as part of a migration a few months back.

0 Votes 0 ·
0 Votes
jing-0476 answered jing-0476 rolled back

@IantenCate-0125
Yes. MFA is the problem.
When you are using MFA and assigning apps to it, make sure the details match the ones in "AD".
Upon signing in, it uses the "AD" UPN, so in order to get AzureAdPrt to YES, make sure that if you have MFA, the O365 apps match the one in AD.
Therefore you will experience SSO as well.
