Tutorial: Configure hybrid Azure Active Directory join for federated domains

In a similar way to a user, a device is becoming another identity you want to protect and also use to protect your resources at any time and location. You can accomplish this goal by bringing your devices' identities to Azure AD using one of the following methods:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registration

By bringing your devices to Azure AD, you maximize your users' productivity through single sign-on (SSO) across your cloud and on-premises resources. At the same time, you can secure access to your cloud and on-premises resources with conditional access.

In this tutorial, you learn how to configure hybrid Azure AD join for devices that federated using ADFS.

  • Configure hybrid Azure AD join
  • Enable Windows down-level devices
  • Verify the registration
  • Troubleshoot


This tutorial assumes that you are familiar with:

To configure the scenario in this tutorial, you need:

  • Windows Server 2012 R2 with AD FS

  • Azure AD Connect version 1.1.819.0 or higher.

Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. The related wizard:

  • Configures the service connection points (SCP) for device registration

  • Backs up your existing Azure AD relying party trust

  • Updates the claim rules in your Azure AD trust

The configuration steps in this article are based on this wizard. If you have an older version of Azure AD Connect installed, you need upgrade it to 1.1.819 or higher. If installing the latest version of Azure AD Connect is not an option for you, see how to manually configure device registration.

Hybrid Azure AD join requires the devices to have access to the following Microsoft resources from inside your organization's network:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • Your organization's STS (federated domains)
  • https://autologon.microsoftazuread-sso.com (If you are using or planning to use Seamless SSO)

Beginning with Windows 10 1803, if the instantaneous Hybrid Azure AD join for federated domain like AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that is subsequently used to complete the device registration for Hybrid Azure AD join.

If your organization requires access to the internet via an outbound proxy, starting with Windows 10 1709, you can configure proxy settings on your computer using a group policy object (GPO). If your computer is running a version earlier than Windows 10 1709, you must implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to do device registration with Azure AD.

If your organization requires access to the Internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration using machine context, it is necessary to configure outbound proxy authentication using machine context. Follow up with your outbound proxy provider on the configuration requirements.

Configure hybrid Azure AD join

To configure a hybrid Azure AD join using Azure AD Connect, you need:

  • The credentials of a global administrator for your Azure AD tenant.

  • The enterprise administrator credentials for each of the forests.

  • The credentials of your AD FS administrator.

To configure a hybrid Azure AD join using Azure AD Connect:

  1. Launch Azure AD Connect, and then click Configure.


  2. On the Additional tasks page, select Configure device options, and then click Next.

    Additional tasks

  3. On the Overview page, click Next.


  4. On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant, and then click Next.

    Connect to Azure AD

  5. On the Device options page, select Configure Hybrid Azure AD join, and then click Next.

    Device options

  6. On the SCP page, perform the following steps, and then click Next:


    a. Select the forest.

    b. Select the authentication service. You must select AD FS server unless your organization has exclusively Windows 10 clients and you have configured computer/device sync or your organization is using SeamlessSSO.

    c. Click Add to enter the enterprise administrator credentials.

  7. On the Device operating systems page, select the operating systems used by devices in your Active Directory environment, and then click Next.

    Device operating system

  8. On the Federation configuration page, enter the credentials of your AD FS administrator, and then click Next.

    Federation configuration

  9. On the Ready to configure page, click Configure.

    Ready to configure

  10. On the Configuration complete page, click Exit.

    Configuration complete

Enable Windows down-level devices

If some of your domain-joined devices are Windows down-level devices, you need to:

  • Update device settings

  • Configure the local intranet settings for device registration

  • Control Windows down-level devices

Update device settings

To register Windows down-level devices, you need to make sure that the device settings to allow users to register devices in Azure AD are set. In the Azure portal, you can find this setting under:

Home > [Name of your tenant] > Devices - Device settings

The following policy must be set to All: Users may register their devices with Azure AD

Register devices

Configure the local intranet settings for device registration

To successfully complete hybrid Azure AD join of your Windows down-level devices, and to avoid certificate prompts when devices authenticate to Azure AD you can push a policy to your domain-joined devices to add the following URLs to the Local Intranet zone in Internet Explorer:

  • https://device.login.microsoftonline.com

  • Your organization's Security Token Service (STS - federated domains)

  • https://autologon.microsoftazuread-sso.com (for Seamless SSO).

Additionally, you need to enable Allow updates to status bar via script in the user’s local intranet zone.

Control Windows down-level devices

To register Windows down-level devices, you need to download and install a Windows Installer package (.msi) from the Download Center. For more information, click here.

Verify the registration

To verify the device registration state in your Azure tenant, you can use the Get-MsolDevice cmdlet in the Azure Active Directory PowerShell module.

When using the Get-MSolDevice cmdlet to check the service details:

  • An object with the device id that matches the ID on the Windows client must exist.
  • The value for DeviceTrustType must be Domain Joined. This is equivalent to the Hybrid Azure AD joined state on the Devices page in the Azure AD portal.
  • The value for Enabled must be True and DeviceTrustLevel must be Managed for devices that are used in conditional access.

To check the service details:

  1. Open Windows PowerShell as administrator.

  2. Type Connect-MsolService to connect to your Azure tenant.

  3. Type get-msoldevice -deviceId <deviceId>.

  4. Verify that Enabled is set to True.

Troubleshoot your implementation

If you are experiencing issues with completing hybrid Azure AD join for domain joined Windows devices, see:

Next steps