In almost all the cases, the organization is not in a position to get away from the local domain as its tightly connected with other services that are running on-premises and maintaining the on-premises identity is vital.
Further, you have the on-premises domain and the workstations are joined to it, GPOs being pushed across and everything is being managed centrally with the ACLs/ security groups and etc.
Enter Azure AD Connect Sync that combines the on-premises with the Cloud world.
In most cases, the journey to cloud will start by migrating the Exchange workloads to Exchange Online and by installing Office 365 suite and consuming the benefits that comes with the cloud license, and with this way the hybrid identity is made and will be a part of a much bigger universe.
I would like to focus on the Workstations as most probably they are still only local domain joined yet and not combined with the Azure AD.
Hybrid Azure AD Join
Hybrid Azure AD Join is basically best of both worlds. You get the GPOs added via the local domain controller as usual, and compliance related policies via Azure AD Conditional Access Policies and especially manage the device(s) via Intune.
You my not use Intune today, but maybe in few months time. Better be prepared for the change.
Among the capabilities after Joining a workstation in this mode
- SSO on both cloud and on-premises resources
- Self-service Password Reset and Windows Hello PIN reset on lock screen
- Enterprise State Roaming across devices
- Security enforcement via Conditional Access Policies
- Intune management
Some quick notes when considering Hybrid AAD Join
- This is for the devices owned by the organization
- Windows 10 version (Windows 10 1803 (with KB4489894 applied) – this will process the auto removal of AAD Registered Device entry once the device is hybrid AAD joined
- Windows down level versions – Windows 7 and Windows 8.1
- Domain Controller Server – Windows Server 2008 R2 and above
- Azure AD Connect should be installed – Auto SCP creation is available from Version 1.1.819.0 or above
- To use Conditional Access Policies, the user should have at least Azure AD P1 license applied
- To add the device in to Intune – EMS licenses required for the user who is using the device
- Workstation should have internet connectivity or proxy should be enabled to access the Azure AD endpoints
- Hybrid Azure AD Join option to be enabled from Azure AD Connect
- CNAME record added to the public DNS (replace company_domain.com with the registered domain name
- Computers OU or the OU that contains the workstations to be setup as a syncing OU
- Install the Intune Connector for Active Directory on a domain joined server and sign in with Device Administrator account (make sure you turn off IE enhanced security to sign in to the connector successfully)
Azure AD Registered Device state
You may notice that your devices are already in the Azure AD devices blade. The state however can be Azure AD Registered.
What does this mean? In most cases these are the devices which are unmanaged and BYOD.
Remember that time you install Office 365 Suite and it gives you the option to select manage my device? When you check that option, it will register the device in Azure AD but the admins will not be able to manage it as its not properly joined to the Azure AD.
Windows 10 1803 and above with the KB4489894 update will make sure when you add the device with Hybrid Join, to auto remove the Azure AD Registered state.
Prior to 1803 you have to remove the entries manually.
Windows 7 and Windows 8.1 should have the workplace join client installed so they’ll be able to communicate with the Azure AD. I’m not going to stress on the down-level Windows workstations given the fact that Windows 10 being the real cloud-ready OS
Check the current state via dsregcmd
Open Command Prompt and Run dsregcmd /status to see the current status of the join.
The below screen shows the machine is only joined to the local domain but not to the Azure AD.
Prepare the Azure AD Connect for Hybrid Azure AD Join
This needs to be activated in order computer object to be written in the Azure AD devices.
Open Azure AD Connect and navigate to Configure Device Options
Note the overview. Click Next and connect to the service
Select Configure Hybrid Azure AD Join and click Next
Select the appropriate option. Select the 2nd option if you have down-level machines
Add your forest. If you have multiple forests, you can add either one or all or some. If you don’t have the Enterprise Admin rights for the forest, download the below script shown in the screenshot and provide it to the Enterprise Administrator to execute. Once its done, press Next
This will then create the SCP (Service Connection Point) for you.
In the Configuration partition of ADSI there will be a new node called CN=Device Registration Configuration.
ADSI > Configuration > Services shows the new node after this step
Notice how it has now taken the tenant name in the node
AAD Connect will finish successfully. You can Exit the tool now.
Important! Make sure the OU that contains computer objects is syncing list of OUs in Azure AD Connect
Preparing the workstation
There’s nothing much in preparing a workstation to make it Azure AD join when it’s already domain joined.
The eligible workstation will have a scheduled task that runs every hour or in the login to join the computer object to the Azure AD.
Or if you run the dsregcmd command to join the workstation manually, it will kick off the schedule.
The Scheduled Task is as below. Prior Windows 10 1607 it was a GPO to enable the task scheduler
Event Viewer logging
It is important to check the Event Logs for any errors or for the status.
Navigate to Applications and Service Logs > Microsoft > Windows > User Device Registration > Admin
Automatic Registration Successful event
Once the machine is successfully added, run the dsregcmd /status to check the status. You will now see YES for the AzureADJoined parameter.
Scroll further to see other information in the status.
Force run the AAD Connect Sync or wait until it runs in the next cycle
Force run command:
Start-ADSyncSyncCycle -PolicyType delta
If you now check the Synchronization Service Manager, you can notice the Add and if you dig further, you’ll be able to see the computer device and the certificate thumbprint in the userCertificate as well
userCertificate in the Computer Object in the AD
Finally, After the above step, make sure the same “Azure AD registered” user has logged in to the computer by using the UPN. The Devices in Azure AD portal, you’ll be able to see the device with the join type Hybrid Azure AD Joined
Click on the Device to see further info
Investigate Join Failures
Refer this article from Microsoft to troubleshoot join failures.
Eg – One of the errors are Device Not found – This can be due to the device doesn’t have a proper inter connection or the AAD Connect Sync hasn’t executed yet
At this stage you can make sure your workstation is now successfully joined to the Azure AD in the Hybrid Azure AD Join method. If the Windows is in the correct level and the that machine can see the Azure AD end points joining the machines will be easy.
Maybe you don’t have to join all the machines straight away. For this, create another OU and filter it out from the AAD Connect. In this way, only the required machines will get synced.
Now that the machines are joined to Azure AD, I will write on compliance and Intune part in my next article.