This is for you if you wish to Configure Hybrid Join in M365 (Microsoft Entra hybrid join, formerly Hybrid Azure AD join). You may be coming from a more traditional environment where all your devices (computers) are joined to on-premises Active Directory. You may have started with Microsoft Entra ID by registering or enrolling your mobile devices.
Now we have touched on the three device identity types in Microsoft Entra ID: Entra registered (typically personal or mobile devices that are not domain joined), Entra joined (cloud-only devices), and the one this post is about, Entra hybrid joined: a device that stays joined to on-premises Active Directory and is also registered in Entra ID. It is a neat little way to bring all your devices together, eventually leading to a fully cloud implementation of your environment.
I will show two steps: one to get Hybrid Join set up on your network, and two, how to manually join devices that won't join automatically.
Configure Hybrid Join – Setup
Here are the prerequisites. It is a bit of a list, but it will prevent a lot of headache in the long run:
- Microsoft Entra Connect version 1.1.819.0 or later.
- Don't exclude the default device attributes from your Microsoft Entra Connect Sync configuration. To learn more about the default device attributes synced to Microsoft Entra ID, see Attributes synchronized by Microsoft Entra Connect.
- If the computer objects of the devices you want to be Microsoft Entra hybrid joined belong to specific organizational units (OUs), configure the correct OUs to sync in Microsoft Entra Connect. To learn more about how to sync computer objects by using Microsoft Entra Connect, see Organizational unit–based filtering.
- Global Administrator credentials for your Microsoft Entra tenant. Current Microsoft documentation lists the Hybrid Identity Administrator role for this task; prefer that lower-privilege role where your tenant allows it, since the account only needs to configure Entra Connect.
- Enterprise Administrator credentials for each of the on-premises Active Directory Domain Services forests.
- (For federated domains) At least Windows Server 2012 R2 with Active Directory Federation Services installed.
- The tenant setting "Users may register their devices with Microsoft Entra ID" must allow registration. More information about this setting can be found under the heading Configure device settings in the article of the same name.
Configure Hybrid Join – Network Connectivity Requirements
Microsoft Entra hybrid join requires devices to have access to the following Microsoft resources from inside your organization’s network:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com (only if you use or plan to use seamless SSO)
Your organization's Security Token Service (STS) (for federated domains only)
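Before running the wizard it is worth confirming from a domain-joined client that these endpoints are actually reachable. The following PowerShell is an added example (not from the original post and not a Microsoft script): it tests TCP 443 to each host and prints the WinHTTP proxy, because the Automatic-Device-Join task that performs the registration runs as SYSTEM and uses the machine (WinHTTP) proxy, not the signed-in user's browser proxy. The -SeamlessSso switch is this example's own.

```powershell
# Added example, not part of the original post. Run on a domain-joined Windows client.
# Assumption: the endpoints are reached directly or through the WinHTTP (machine) proxy.
param([switch]$SeamlessSso)

$endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com'
)
if ($SeamlessSso) { $endpoints += 'autologon.microsoftazuread-sso.com' }

# Device registration runs as SYSTEM, so the machine proxy is the one that matters.
Write-Host 'WinHTTP proxy in effect for SYSTEM:'
netsh winhttp show proxy

$results = foreach ($h in $endpoints) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $h
        Resolved = [bool]$t.RemoteAddress   # DNS worked at all
        Tcp443   = $t.TcpTestSucceeded      # direct TCP reachability
    }
}
$results | Format-Table -AutoSize

$failed = $results | Where-Object { -not $_.Tcp443 }
if ($failed) {
    Write-Warning ("Unreachable: {0}. Hybrid join will fail or sit in a pending state until this is fixed." -f ($failed.Host -join ', '))
    exit 1
}
```

Test-NetConnection performs a direct TCP connection; if your network forces all outbound traffic through a proxy the test fails even though the join would work, so in that case test with Invoke-WebRequest -Proxy instead. Also make sure any TLS-inspecting proxy exempts these hosts: device registration authenticates with certificates, and a proxy that re-signs the TLS session breaks it.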
You are Probably Running Managed Domains
Most companies have a managed domain (on-premises Active Directory whose users authenticate to the cloud without a federation server) from previous Windows Server installations, so this is the most common scenario: Microsoft Entra hybrid join with managed domains. Managed domains use password hash sync (PHS) or pass-through authentication (PTA), optionally with seamless single sign-on. Managed domain scenarios don't require configuring a federation server.
Configure Microsoft Entra hybrid join by using Microsoft Entra Connect for a managed domain:
- Start Microsoft Entra Connect, and then select Configure.
- In Additional tasks, select Configure device options, and then select Next.
- In Overview, select Next.
- In Connect to Microsoft Entra ID, enter the credentials of a Global Administrator for your Microsoft Entra tenant.
- In Device options, select Configure Microsoft Entra hybrid join, and then select Next.
- In Device operating systems, select the operating systems that devices in your Active Directory environment use, and then select Next.
- In SCP configuration (the service connection point, an object in Active Directory that tells domain-joined devices which tenant to register with), for each forest where you want Microsoft Entra Connect to configure the SCP, complete the following steps, and then select Next:
  - Select the Forest.
  - Select an Authentication Service (Microsoft Entra ID for a managed domain).
  - Select Add to enter the enterprise administrator credentials.
- In Ready to configure, select Configure.
- In Configuration complete, select Exit.
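The SCP configuration step writes a service connection point into the configuration partition of your forest, and every domain-joined device reads it to decide which tenant to register with. The following PowerShell is an added example (not from the original post and not from Microsoft) that reads the SCP back, checks that it points at the tenant you expect, and lists who is allowed to modify it. It assumes the RSAT ActiveDirectory module on the host you run it from; $ExpectedTenantId (your tenant GUID from the Entra admin center) is this example's own parameter name.

```powershell
# Added example, not part of the original post. Run where the ActiveDirectory module is available.
param([Parameter(Mandatory)][string]$ExpectedTenantId)   # your tenant GUID, e.g. from the Entra admin center

Import-Module ActiveDirectory

# 62a0ff2e-97b9-4513-943f-0d221bd30080 is the well-known GUID of the device registration SCP.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

$scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
# keywords look like "azureADName:contoso.com" and "azureADId:<tenant GUID>"
$tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:',   ''
$tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''

"SCP keywords: $($scp.keywords -join '; ')"
if ($tenantId -ne $ExpectedTenantId) {
    Write-Warning "SCP points at tenant $tenantId ($tenantName); expected $ExpectedTenantId. Devices would register with the wrong tenant."
} else {
    "SCP OK: devices will register with $tenantName ($tenantId)"
}

# Anyone who can write this object's keywords can redirect every device's registration,
# so the write ACL should be as tight as the rest of the configuration partition.
(Get-Acl -Path "AD:\$scpDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Format-Table -AutoSize
```

Run this once after the wizard finishes and keep the output; if a device later registers with an unexpected TenantName in dsregcmd /status, the SCP is the first place to look.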
Troubleshooting Configure Hybrid Join
Microsoft has some great articles on troubleshooting this setup. I will list them here:
- Troubleshooting devices using dsregcmd command
- Troubleshoot Microsoft Entra hybrid join for Windows current devices
- Troubleshoot Microsoft Entra hybrid join for Windows downlevel devices
- Troubleshoot pending device state
Start by running the dsregcmd /status command and look at the Device State section for the hybrid join status: on a hybrid joined device both AzureAdJoined and DomainJoined read YES, and TenantName shows which tenant it registered with.
If AzureAdJoined shows NO, you will need to investigate further in Event Viewer for errors, namely in the User Device Registration log:
Use Event Viewer logs to locate the phase and error code for the join failures.
- In Event Viewer, open the User Device Registration event logs. They’re stored under Applications and Services Log > Microsoft > Windows > User Device Registration.
- Look for events with the following event IDs: 304, 305, and 307.
Please look at the links listed above for further troubleshooting.
Configure Hybrid Join – Manually on a Windows Computer
You can manually configure the join on the affected device. It is a few steps, but you can Configure Hybrid Join quickly.
Unregister the device from Microsoft Entra ID
Follow this procedure:
- On the machine to unregister, launch a Command Prompt as an administrator and type the following command. If AzureAdJoined still shows YES afterwards, run the same command from a SYSTEM-context prompt (for example with PsExec -s), which Microsoft's hybrid join troubleshooting guidance calls for on hybrid joined devices:
dsregcmd /leave
- Make sure the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been deleted from the local machine Personal certificate store:
- Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:
dsregcmd /status
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO   <-- must be NO after /leave
          EnterpriseJoined : NO
              DomainJoined : YES  <-- the device stays domain joined
Re-register the device as Microsoft Entra hybrid joined
Follow this procedure:
- On the machine to re-register, run the Task Scheduler as an administrator.
- Go to Task Scheduler Library > Microsoft > Windows > Workplace Join and manually run the task "Automatic-Device-Join" (this is the same task that performs the hybrid join automatically; it runs as SYSTEM).
- Make sure the certificates issued by “MS-Organization-Access” and “MS-Organization-P2P-Access [xxxx]” have been created in the local machine Personal certificate store:
- Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:
dsregcmd /status
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES  <-- registered again
          EnterpriseJoined : NO
              DomainJoined : YES
- Reboot the PC.
- Start a Microsoft Entra Connect delta synchronization on the Connect server (Start-ADSyncSyncCycle -PolicyType Delta) so the updated computer object, including the certificate written to its userCertificate attribute, reaches Microsoft Entra ID. If the device then shows as Pending in the Microsoft Entra admin center, wait for the sync to finish and run the Automatic-Device-Join task once more.
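The troubleshooting checks above (dsregcmd /status plus events 304, 305 and 307) and the unregister / re-register procedure share the same building blocks, so here they are together as one PowerShell script. This is an added example, not from the original post and not a Microsoft script; run it in an elevated PowerShell on the affected domain-joined Windows client. The function names are this example's own, and Reset-HybridJoin is deliberately not called automatically because it leaves the device before re-joining it.

```powershell
# Added example, not part of the original post. Elevated PowerShell on the affected client.

function Get-DsregState {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    return $state
}

function Get-DeviceRegistrationErrors {
    # Events 304/305/307 in the User Device Registration log carry the phase and error code.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Id      = 304, 305, 307
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { (($_.Message -split "`r?`n")[0..2]) -join ' ' } }
}

function Get-OrgCertificates {
    # The MS-Organization-Access (device) and MS-Organization-P2P-Access certificates live in LocalMachine\My.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -match 'MS-Organization-(P2P-)?Access' }
}

function Reset-HybridJoin {
    # Unregister, confirm a clean state, then run the Workplace Join task that performs the join.
    dsregcmd /leave | Out-Null
    Start-Sleep -Seconds 5
    $s = Get-DsregState
    if ($s['AzureAdJoined'] -ne 'NO' -or (Get-OrgCertificates)) {
        throw 'Device did not unregister cleanly (try dsregcmd /leave as SYSTEM); stopping here.'
    }
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Start-Sleep -Seconds 30
    $s = Get-DsregState
    [pscustomobject]@{
        AzureAdJoined = $s['AzureAdJoined']
        DomainJoined  = $s['DomainJoined']
        TenantName    = $s['TenantName']
        Certificates  = @(Get-OrgCertificates).Count
    }
}

# Triage first: current state, and the registration errors if the device is not joined.
$state = Get-DsregState
'AzureAdJoined={0}  DomainJoined={1}  TenantName={2}' -f $state['AzureAdJoined'], $state['DomainJoined'], $state['TenantName']
if ($state['AzureAdJoined'] -ne 'YES') { Get-DeviceRegistrationErrors | Format-List }

# After reviewing the errors, run Reset-HybridJoin, reboot, and then start the delta sync
# on the Microsoft Entra Connect server:  Start-ADSyncSyncCycle -PolicyType Delta
```

Run the triage part first and read the event summaries before resetting anything: a connectivity or SCP problem reproduces on every re-join attempt, so fixing the cause is faster than repeating the leave-and-join cycle. If the join completes but the device sits at Pending in the admin center, the computer object usually has not synced yet, so run the delta sync and start the task again.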
If you follow these two steps you will configure Hybrid Join in no time!