question

0 Votes
Rookie-4191 asked Crystal-MSFT commented

Intune GPO enrollment for on-prem domain join machines with different on-prem and Azure domain names

Hey everyone,

We are in the process of implementing Intune in our org. We have an on-prem domain with domainname.corp and an Azure AD domain with domainname.com.

On-prem domain: domainname.corp, domainname.com (alternate domain)
Azure AD domain: domainname.com

Everything has been working fine since this setup, which was a couple of years ago; syncs are happening fine and Azure syncs the users fine with domainname.com as the users' UPN.

We have Intune set up for auto-enrollment, which has been fine so far for new machine setups.

For existing machines which are joined to our on-prem AD domainname.corp, the GPO is set up and it is initiating the join to Azure AD as expected by scheduling the tasks in the scheduler.
The issue we are having is the user UPN: users log in to the machine with username@domainname.corp and the Intune enrollment fails in the process because the UPN does not match Azure.
The solution at the moment is that we need to change the user object in the on-prem AD to use the alternate domain domainname.com, and then the user can log in with that FQDN on the machine.

Would like to know if anyone else is having a similar problem and whether there is a way we can keep the domainname.corp sign-in for the user and still successfully use the GPO to enroll machines.
Thank you in advance for all the help.

Tags: azure-active-directory, mem-intune-enrollment

1 Answer

0 Votes
Crystal-MSFT answered Crystal-MSFT commented

@Rookie-4191, For GPO enrollment, one prerequisite is AzureAdPrt needs to be Yes.
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#verify-auto-enrollment-requirements-and-settings

If the on-premises AD users' UPNs are different from your Azure AD UPNs, Windows 10 or newer hybrid Azure AD join provides limited support for on-premises AD UPNs based on the authentication method. We can see if our scenario is supported.
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join

In some environments, to make AzureAdPrt show Yes, we choose the same method as yours: add the UPN suffix in the on-premises domain to make it work.

Hope it can help.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
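The answer's first check, that `dsregcmd /status` reports AzureAdPrt as YES, is easy to script across a fleet. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses the `key : value` lines that `dsregcmd /status` prints, reports the three hybrid-join/PRT fields that GPO auto-enrollment depends on, and warns when the PRT is missing. The sample output embedded below is constructed to mirror the real layout; the function names are the example's own.

```powershell
# Added example: check the GPO auto-enrollment prerequisites from dsregcmd /status.
# Not part of the original thread. Field names (AzureAdJoined, DomainJoined,
# AzureAdPrt) are dsregcmd's own; the sample text below is constructed.

function ConvertFrom-DsregStatus {
    # Turn dsregcmd's "   Key : Value" lines into a hashtable; box/border lines are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?<value>.+?)\s*$') {
            $result[$Matches.key] = $Matches.value
        }
    }
    return $result
}

function Test-AutoEnrollmentPrereqs {
    # Hybrid join needs DomainJoined and AzureAdJoined; GPO enrollment additionally needs a PRT.
    param([Parameter(Mandatory)][hashtable]$Status)
    $domainJoined  = $Status['DomainJoined']  -eq 'YES'
    $azureAdJoined = $Status['AzureAdJoined'] -eq 'YES'
    $azureAdPrt    = $Status['AzureAdPrt']    -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        AzureAdPrt    = $azureAdPrt
        Ready         = $domainJoined -and $azureAdJoined -and $azureAdPrt
    }
}

# Constructed sample in the shape of dsregcmd /status. On a real machine run instead:
#   $status = ConvertFrom-DsregStatus (dsregcmd /status)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : DOMAINNAME
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

$status = ConvertFrom-DsregStatus -Lines $sample
$check  = Test-AutoEnrollmentPrereqs -Status $status
$check | Format-List

if (-not $check.AzureAdPrt) {
    # This is the state the question describes: the device is hybrid joined but the
    # signed-in user's UPN suffix does not match a verified Azure AD domain, so no PRT.
    Write-Warning "AzureAdPrt is NO: GPO auto-enrollment will not complete for this user. Verify the signed-in UPN suffix is a verified domain in Azure AD."
}
```

`dsregcmd /status` must be run as the interactive user whose PRT you want to see, not from an elevated SYSTEM or service context, since the PRT is a per-user token.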



@Rookie-4191, Hope things are going well. I am writing to see if there's anything unclear in my previous post. If yes, feel free to let us know.

Have a nice day!

0 Votes

Hi Crystal,

Yes, the post was helpful. I do see our internal/on-prem domain as verified in Azure AD. I am trying to check the 'onPremisesUserPrincipalName' attribute by connecting to Azure AD in PowerShell and checking the user for this attribute, but I am unable to find it.

Does this attribute get populated when we have alternate sign-in configured on Azure AD Connect?

0 Votes

@Rookie-4191, Thanks for the reply. As Intune support, I am not familiar with this. I then did some research and found that we may be able to check "onPremisesUserPrincipalName" on the user entity through the Beta version of Microsoft Graph Explorer.
Meanwhile, we can check if our UPN suffix is verified. Here is a link for the reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname#verified-upn-suffix

For more questions about Azure AD Connect or Azure AD, to get the correct support, I suggest opening a new thread and adding tags like "azure-active-directory" and "azure-ad-connect".

Thanks for the understanding.


0 Votes
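The two checks raised in the comments above, whether each on-prem UPN suffix is a verified Azure AD domain and what Azure AD holds in `onPremisesUserPrincipalName`, can be combined into one audit before enabling the enrollment GPO broadly. The PowerShell below is an added example, not code from the thread or from Microsoft. The audit function itself runs offline on the constructed sample data; the commented live calls assume the `ActiveDirectory` and `Microsoft.Graph` modules (`Get-ADUser`, `Get-MgDomain`, `Get-MgUser`) and are the example's assumptions, not something the thread shows.

```powershell
# Added example: find on-prem users whose UPN suffix is not a verified Azure AD domain,
# the mismatch that broke GPO enrollment in this thread. Not part of the original post.

function Get-UpnSuffixAudit {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalNames,
        [Parameter(Mandatory)][string[]]$VerifiedDomains
    )
    # Case-insensitive set of the suffixes Azure AD has verified.
    $verified = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $VerifiedDomains) { [void]$verified.Add($d) }

    foreach ($upn in $UserPrincipalNames) {
        if ($upn -notmatch '^[^@\s]+@(?<suffix>[^@\s]+)$') {
            Write-Warning "Skipping malformed UPN '$upn'"
            continue
        }
        [pscustomobject]@{
            UserPrincipalName       = $upn
            Suffix                  = $Matches.suffix
            SuffixVerifiedInAzureAd = $verified.Contains($Matches.suffix)
        }
    }
}

# Constructed sample data mirroring the thread's setup (.corp on-prem, .com verified).
$sampleUpns    = 'alice@domainname.corp', 'bob@domainname.com', 'carol@domainname.corp'
$sampleDomains = 'domainname.com', 'contoso.onmicrosoft.com'

# Live equivalents (assumed module cmdlets; need AD read access and Domain.Read.All in Graph):
#   $sampleUpns    = (Get-ADUser -Filter * -Properties UserPrincipalName).UserPrincipalName
#   $sampleDomains = (Get-MgDomain | Where-Object IsVerified).Id

$audit = Get-UpnSuffixAudit -UserPrincipalNames $sampleUpns -VerifiedDomains $sampleDomains
$audit | Format-Table -AutoSize

$unverified = @($audit | Where-Object { -not $_.SuffixVerifiedInAzureAd })
if ($unverified.Count -gt 0) {
    $msg = "{0} user(s) sign in with a UPN suffix that is not verified in Azure AD; expect AzureAdPrt to be NO for them unless the hybrid-join UPN support table covers the scenario: {1}" -f `
        $unverified.Count, ($unverified.UserPrincipalName -join ', ')
    Write-Warning $msg
}

# To see what Azure AD Connect synced for one user (the attribute asked about above),
# assumed Microsoft.Graph cmdlet, same data the Beta Graph Explorer shows:
#   Get-MgUser -UserId 'alice@domainname.com' -Property 'userPrincipalName,onPremisesUserPrincipalName' |
#       Select-Object UserPrincipalName, OnPremisesUserPrincipalName
```

On the sample data, `alice` and `carol` are flagged because `domainname.corp` is not in the verified list, while `bob` passes; against live data this is the list of users who will need the alternate UPN suffix (or an alternate-login-ID configuration) before the enrollment GPO is rolled out to their machines.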