Tutorial: Configure hybrid Azure Active Directory join for managed domains
Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You can accomplish this goal by bringing device identities and managing them in Azure Active Directory (Azure AD) by using one of the following methods:
- Azure AD join
- Hybrid Azure AD join
- Azure AD registration
Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your cloud and on-premises resources with Conditional Access at the same time.
In this tutorial, you learn how to configure hybrid Azure AD join for Active Directory domain-joined computers devices in a managed environment.
A managed environment can be deployed either through password hash sync (PHS) or pass-through authentication (PTA) with seamless single sign-on. These scenarios don't require you to configure a federation server for authentication.
In this tutorial, you learn how to:
- Configure hybrid Azure AD join
- Enable Windows down-level devices
- Verify joined devices
This tutorial assumes that you're familiar with these articles:
- What is a device identity?
- How to plan your hybrid Azure AD join implementation
- How to do controlled validation of hybrid Azure AD join
Azure AD doesn't support smartcards or certificates in managed domains.
To configure the scenario in this article, you need the latest version of Azure AD Connect (1.1.819.0 or later) installed.
Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), you must also configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see Configure filtering by using Azure AD Connect.
Beginning with version 1.1.819.0, Azure AD Connect includes a wizard that you can use to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The wizard configures the service connection points (SCPs) for device registration.
The configuration steps in this article are based on using the wizard in Azure AD Connect.
Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization's network:
https://autologon.microsoftazuread-sso.com(If you use or plan to use seamless SSO)
If your organization requires access to the internet via an outbound proxy, Microsoft recommends implementing Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers for device registration with Azure AD. If you encounter issues configuring and managing WPAD, see Troubleshoot automatic detection.
If you don't use WPAD and need to configure proxy settings on your computer, you can do so beginning with Windows 10 1709. For more information, see Configure WinHTTP settings using a group policy object (GPO).
If you configure proxy settings on your computer by using WinHTTP settings, any computers that can't connect to the configured proxy will fail to connect to the internet.
If your organization requires access to the internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, you must configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.
To verify if the device is able to access the above Microsoft resources under the system account, you can use Test Device Registration Connectivity script.
Configure hybrid Azure AD join
To configure a hybrid Azure AD join using Azure AD Connect, you need:
- The credentials of a global administrator for your Azure AD tenant
- The enterprise administrator credentials for each of the forests
To configure a hybrid Azure AD join by using Azure AD Connect:
Start Azure AD Connect, and then select Configure.
On the Additional tasks page, select Configure device options, and then select Next.
On the Overview page, select Next.
On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant.
On the Device options page, select Configure Hybrid Azure AD join, and then select Next.
On the SCP page, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next:
- Select the forest.
- Select the authentication service.
- Select Add to enter the enterprise administrator credentials.
On the Device operating systems page, select the operating systems that devices in your Active Directory environment use, and then select Next.
On the Ready to configure page, select Configure.
On the Configuration complete page, select Exit.
Enable Windows downlevel devices
If some of your domain-joined devices are Windows downlevel devices, you must:
- Configure the local intranet settings for device registration
- Configure seamless SSO
- Install Microsoft Workplace Join for Windows downlevel computers
Configure the local intranet settings for device registration
To successfully complete hybrid Azure AD join of your Windows downlevel devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the local intranet zone in Internet Explorer:
You also must enable Allow updates to status bar via script in the user’s local intranet zone.
Configure seamless SSO
To successfully complete hybrid Azure AD join of your Windows downlevel devices in a managed domain that uses PHS or PTA as your Azure AD cloud authentication method, you must also configure seamless SSO.
Install Microsoft Workplace Join for Windows downlevel computers
To register Windows downlevel devices, organizations must install Microsoft Workplace Join for non-Windows 10 computers. Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download Center.
You can deploy the package by using a software distribution system like System Center Configuration Manager. The package supports the standard silent installation options with the
quiet parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.
The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. The task silently joins the device with Azure AD by using the user credentials after it authenticates with Azure AD.
Verify the registration
When you use the Get-MSolDevice cmdlet to check the service details:
- An object with the device ID that matches the ID on the Windows client must exist.
- The value for DeviceTrustType must be Domain Joined. This setting is equivalent to the Hybrid Azure AD joined state on the Devices page in the Azure AD portal.
- For devices that are used in Conditional Access, the value for Enabled must be True and DeviceTrustLevel must be Managed.
To check the service details:
- Open Windows PowerShell as an administrator.
Connect-MsolServiceto connect to your Azure tenant.
get-msoldevice -deviceId <deviceId>.
- Verify that Enabled is set to True.
Troubleshoot your implementation
If you experience issues with completing hybrid Azure AD join for domain-joined Windows devices, see:
- Troubleshoot hybrid Azure AD join for Windows current devices
- Troubleshoot hybrid Azure AD join for Windows downlevel devices
Learn how to manage device identities by using the Azure portal.