Configure Hybrid Join in 2 Steps

Configure Hybrid Join

This is for you if you wish to Configure Hybrid Join in M365. You may be coming from a more traditional environment where all your devices (computers) are domain joined. You may have started with Azure AD Join by getting your mobile devices enrolled.

Now we have touched on the 3 types of enrollments in M365. Domain Joined (Entra Registered), Azure AD joined and now I am going to talk about Hybrid AD Joined. It is a neat little way to bring all your devices together eventually leading to a fully cloud implementation of your environment.

I will show two steps: One to get Hybrid Join set up on your network and two, how to manually join devices that won’t automatically join.

Configure Hybrid Join – Setup

Here are the prerequisites. It is a bit of a list but it will prevent a lot of headache in the long run:

Microsoft Entra Connect version 1.1.819.0 or later.

  • If the computer objects of the devices you want to be Microsoft Entra hybrid joined belong to specific organizational units (OUs), configure the correct OUs to sync in Microsoft Entra Connect. To learn more about how to sync computer objects by using Microsoft Entra Connect, see Organizational unit–based filtering.

Global Administrator credentials for your Microsoft Entra tenant.

Enterprise administrator credentials for each of the on-premises Active Directory Domain Services forests.

(For federated domains) At least Windows Server 2012 R2 with Active Directory Federation Services installed.

Users can register their devices with Microsoft Entra ID. More information about this setting can be found under the heading Configure device settings, in the article, Configure device settings.

Configure Hybrid Join Network connectivity Requirements

Microsoft Entra hybrid join requires devices to have access to the following Microsoft resources from inside your organization’s network:

  • (If you use or plan to use seamless SSO)
  • Your organization’s Security Token Service (STS) (For federated domains)

You are Probably Running Managed Domains

Most company’s have a managed domain from previous Windows server installations so this is the most common scenario. Microsoft Entra hybrid join with managed domains. Managed domains use password hash sync (PHS) or pass-through authentication (PTA) with seamless single sign-on. Managed domain scenarios don’t require configuring a federation server.

Configure Microsoft Entra hybrid join by using Microsoft Entra Connect for a managed domain:

  1. Start Microsoft Entra Connect, and then select Configure.
  2. In Additional tasks, select Configure device options, and then select Next.
  3. In Overview, select Next.
  4. In Connect to Microsoft Entra ID, enter the credentials of a Global Administrator for your Microsoft Entra tenant.
  5. In Device options, select Configure Microsoft Entra hybrid join, and then select Next.
  6. In Device operating systems, select the operating systems that devices in your Active Directory environment use, and then select Next.
  7. In SCP configuration, for each forest where you want Microsoft Entra Connect to configure the SCP, complete the following steps, and then select Next.
    1. Select the Forest.
    1. Select an Authentication Service.
    1. Select Add to enter the enterprise administrator credentials.
Configure Hybrid Join
  • In Ready to configure, select Configure.
  • In Configuration complete, select Exit.

Troubleshooting Configure Hybrid Join

Microsoft has some great articles on trouble shooting this setup. I will list them here:

Start by running the dsregcmd /status command, looking for the status of Hybrid join:

Configure Hybrid Join

If see Azure AD joined as a “No” you will need to investigate further in the event view for errors. Namely, The user registration log:

Use Event Viewer logs to locate the phase and error code for the join failures.

  1. In Event Viewer, open the User Device Registration event logs. They’re stored under Applications and Services Log > Microsoft > Windows > User Device Registration.
  2. Look for events with the following event IDs: 304, 305, and 307.
Configure Hybrid Join
Configure Hybrid Join

Please look at the links listed above for further troubleshooting.

Configure Hybrid Join a Windows Computer

You can manually configure working on the affected device. It is a few steps but your can Configure Hybrid Joinquickly.

Unregister the device from Azure AD

Follow this procedure:

  • On the machine to unregister, launch a Command Prompt as an administrator and type the following command:

dsregcmd /leave

  • Make sure the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been deleted from the local machine Personal certificate store:
Configure Hybrid Join
  • Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:

dsregcmd /status


| Device State                                                         |


AzureAdJoined : NO  <—–

EnterpriseJoined : NO

DomainJoined : YES  <—–

Re-register the device as a Hybrid Azure AD Join

Follow this procedure:

  • On the machine to re-register, run the Task Scheduler as an administrator.
Configure Hybrid Join
  • Go to Task Scheduler Library > Microsoft Windows Workplace Join and manually start the task “Automatic-Device-Join“.
Configure Hybrid Join
  • Make sure the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been created in the local machine Personal certificate store:
Configure Hybrid Join
  • Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:

dsregcmd /status


| Device State                                                         |


AzureAdJoined : YES  <—–

EnterpriseJoined : NO

DomainJoined : YES

  • Reboot the PC.
  • Start an Azure AD Connect delta synchronization.

If you follow these two steps you will configure Hybrid Join in no time!

Quick IT TIps!

Don’t miss these tips!

We don’t spam! Read our privacy policy for more info.

Avatar photo

I am an IT professional with over twenty years experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.

Pin It on Pinterest