Recently Microsoft has taken Azure Hybrid Domain Join out of preview, so it is now a fully supported technology. What is Azure Hybrid Domain Join? Traditionally, IT administrators could either join their devices to their local Active Directory domain or join them to Azure AD, but not both. Each connection type has its own advantages, but they could not be combined. Now you can have both.
Azure AD Hybrid join allows Active Directory domain-joined devices to also join your Azure AD tenant. This lets you use Seamless SSO, Intune, Windows Hello, MDM, MFA, and other Azure offerings on your company AD-joined devices.
Your devices will need to be running Windows 10 for the best feature set; however, Windows 8/8.1 are also supported (referred to as downlevel devices).
So let’s get started.
Configuring Azure AD Connect
The first thing you’ll need to do is reconfigure your existing Azure AD Connect installation to enable Azure AD Hybrid join.
- Start the Azure AD Connect wizard and click Configure
- At the Additional Task page, click Configure Device Options, then click Next.
- At the Overview page, click Next.
- At the Connect to Azure AD page, enter your global administrator credentials for your Azure AD Tenant.
- At the Device Options page, select Configure Hybrid Azure AD join, then click Next.
- On the SCP Configuration page, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next.
Note: If you don’t have enterprise admin rights, you can download the PowerShell script to perform this task.
- At the Device Operating Systems page, select the operating systems you are using. Windows 8/8.1 are considered downlevel domain-joined devices.
- At the Ready to Configure page, click Configure.
- Next, at the Configuration Complete page, select Exit.
Note: If your current AD sync is not syncing your AD device accounts, you will also need to reconfigure AD Connect to sync any OU that contains computer accounts. Azure AD Hybrid join uses the synced computer objects to determine whether your devices will be allowed to perform the Azure AD Hybrid join.
Configure for Windows downlevel devices
If some of your domain-joined devices are Windows downlevel devices, you must
- Configure the local intranet settings for device registration
- Configure seamless SSO
- Install Microsoft Workplace Join for Windows downlevel computers
In order to get your downlevel devices to join, you will have to create a GPO (or modify an existing one) that adds the following URLs to the Local intranet zone in Internet Explorer:
- https://device.login.microsoftonline.com
- https://autologon.microsoftazuread-sso.com
You must also enable “Allow updates to status bar via script” in the user’s Local intranet zone.
Your GPO should end up looking similar to this:
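Once the GPO has applied, it helps to confirm on a downlevel device that both settings actually landed. The script below is an added example for this post, not something from Microsoft or the original article. It assumes the standard Internet Explorer ZoneMap registry layout (zone 1 is Local intranet, policy hives take precedence over the user hive) and that action ID 2103 under the zone key is “Allow updates to status bar via script” with 0 meaning Enable; verify those two assumptions against your own GPO result set before relying on the output.

```powershell
# Added example, not from the original post: audit a downlevel (Windows 8/8.1)
# device for the Internet Explorer settings the GPO described above should deliver.
# Assumptions: standard IE ZoneMap registry layout (zone 1 = Local intranet) and
# action ID 2103 = "Allow updates to status bar via script" (0 = Enable).
# Policy hives are checked before the user hive because policy wins at runtime.

$RequiredIntranetUrls = @(
    'https://device.login.microsoftonline.com',
    'https://autologon.microsoftazuread-sso.com'
)

$ZoneMapRoots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneMapping {
    param([Parameter(Mandatory)][string]$Url)
    $uri    = [Uri]$Url
    $labels = $uri.Host.Split('.')
    # ZoneMap keys the registrable domain (microsoftonline.com) and places the
    # remaining host labels in a sub-key (device.login), with one value per scheme.
    $domainKey = $labels[-2..-1] -join '.'
    $subKey    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
    foreach ($root in $ZoneMapRoots) {
        $key = Join-Path $root $domainKey
        if ($subKey) { $key = Join-Path $key $subKey }
        if (-not (Test-Path $key)) { continue }
        $zone = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).($uri.Scheme)
        if ($null -ne $zone) {
            return [pscustomobject]@{ Url = $Url; Zone = [int]$zone; Source = $key }
        }
    }
    [pscustomobject]@{ Url = $Url; Zone = $null; Source = $null }
}

function Get-IntranetStatusBarScriptSetting {
    # Same hives as above, but the per-zone action values live under Zones\1.
    $zoneRoots = $ZoneMapRoots | ForEach-Object { $_ -replace 'ZoneMap\\Domains$', 'Zones\1' }
    foreach ($root in $zoneRoots) {
        if (-not (Test-Path $root)) { continue }
        $value = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).'2103'
        if ($null -ne $value) {
            return [pscustomobject]@{ Value = [int]$value; Enabled = ([int]$value -eq 0); Source = $root }
        }
    }
    [pscustomobject]@{ Value = $null; Enabled = $false; Source = $null }
}

# Report: each URL must map to zone 1, and the status-bar script action must be enabled.
$report = foreach ($url in $RequiredIntranetUrls) {
    $m = Get-ZoneMapping -Url $url
    [pscustomobject]@{ Check = "Intranet zone: $url"; Pass = ($m.Zone -eq 1); Detail = $m.Source }
}
$sb = Get-IntranetStatusBarScriptSetting
$report += [pscustomobject]@{ Check = 'Allow updates to status bar via script'; Pass = $sb.Enabled; Detail = $sb.Source }

$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { exit 1 }   # non-zero exit so a scheduled audit flags drift
```

Run it in the context of the user who will be signing in, since the Local intranet zone is a per-user setting unless you deliver it through computer policy; the Source column tells you which hive satisfied each check, which is useful when a user-level override is masking what the GPO set.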
Configure Windows 10 Devices
To get your Windows 10 devices to Azure AD Hybrid join, you’ll need another GPO setting, which could be combined into the GPO for the downlevel devices. You will need to enable “Register domain-joined computers as devices”. This setting is in Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.
Finally, a quick test from the command line will verify whether this worked. Run ‘dsregcmd /status’ and the first line of output should tell you very quickly:
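Reading the dsregcmd output by eye is fine for one machine, but for a fleet it is more useful to turn it into an object you can report on. The following is an added example written for this post (not Microsoft’s tooling or the original author’s script). It parses the key/value rows of ‘dsregcmd /status’, derives a HybridJoined flag from DomainJoined and AzureAdJoined, and checks the policy registry value behind “Register domain-joined computers as devices”; that registry path (HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, value autoWorkplaceJoin) is an assumption to confirm against your ADMX. The embedded dsregcmd rows are a constructed sample so the parser can be exercised where the tool is absent.

```powershell
# Added example, not from the original post: parse "dsregcmd /status" into an
# object and check the Windows 10 policy that enables automatic registration.
# Assumption: the policy "Register domain-joined computers as devices" writes
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\autoWorkplaceJoin = 1;
# confirm against your ADMX before relying on that path.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Rows look like "   AzureAdJoined : YES". Split at the first colon only so
        # values that contain colons (URLs, timestamps) survive; '|' and '+' rows
        # are section headers and borders, not data.
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    $state
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$State)
    $domain = $State['DomainJoined']  -eq 'YES'
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $aad
        HybridJoined  = $domain -and $aad                 # both flags together is what "hybrid" means
        AzureAdPrt    = $State['AzureAdPrt'] -eq 'YES'    # user token; only meaningful in that user's session
        TenantName    = $State['TenantName']
    }
}

function Get-AutoWorkplaceJoinPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'   # assumed location, see above
    if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).autoWorkplaceJoin
        return ($v -eq 1)
    }
    $false
}

# Constructed sample of the relevant rows, used when dsregcmd is not available
# (for example, to test the parser on a non-domain-joined admin workstation).
$sampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                TenantName : Contoso
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

$lines  = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sampleOutput }
$result = Test-HybridJoinState -State (ConvertFrom-DsregcmdStatus -Lines $lines)
$result | Add-Member -NotePropertyName AutoWorkplaceJoinPolicy -NotePropertyValue (Get-AutoWorkplaceJoinPolicy) -PassThru | Format-List

if (-not $result.HybridJoined) { exit 1 }   # non-zero so an inventory job can flag devices that did not join
```

A device that shows DomainJoined YES but AzureAdJoined NO with the policy value present has usually not yet run its registration task or cannot reach the SCP or the device registration endpoint; a device where the policy value is missing has simply not received the GPO, which is the first thing to rule out.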
And that’s it! If you need more detail, Microsoft has excellent documentation on the process to help you along:
Tutorial: Configure Hybrid Azure AD Join for Managed Domains
Tutorial: Configure Joined Devices Manually
Hybrid Azure AD joined devices
Joe Hanning, Sr. Infrastructure Engineer