Hybrid Azure AD Join - Not joining correctly

AngryDog

5/24/24, 12:06 PM

Another day, another Hybrid Azure AD Join issue.

Having set up Hybrid Join, it looked like it was working. The device I onboarded via autopilot was created in "on-prem" AD, was in Azure AD, but was listed as an Azure Registered device, rather than Hybrid Joined / Azure AD Joined.

As our on-prem AD Domain Controller is in a hosted DC, meaning we have no line of sight to, I then have to sign onto the laptop using local admin creds, connect to the VPN and then switch user, which then allows the user to sign on to the device.

Running dsregcmd /status showed that the device was joined to the on-prem domain, but not AzureAdJoined.

It listed an error of error_missing_device in the diagnostics. Running the Intune tasks from Task Scheduler > Microsoft > Windows > Workplace Join resolved this and also created a Hybrid Joined entry in Azure AD.

This doesn't feel right to me, but I am wondering if part of the reason is because there is no line of sight DC until after signing onto the device and joining the VPN - at that point the task has already run and "failed".

Is there a way around this? Or am I going to have to give up on Hybrid Azure Joined and go to Azure AD Joined and deal with the issues of devices accessing resources / servers in our on-prem domain?

Thanks.

121

1 + 0

active-directory

domain-controller

microsoft-intune

azure-active-directory

Score:1

Server

GarudaLead

7/15/24, 2:22 PM

You need line of sight to your DCs in order to use Autopilot to Hybrid join a device.

It is possible to do. You need to configure a Hybrid Join config profile within Intune, then you need to be able to connect to the VPN prior to a user log in in.

Microsoft Learn - Hbyrid Join device with Autopilot

We currently use Cisco AnyConnect and their Start Before Logon Module. Keep in mind, with Cisco specifically, they do not support Start Before Logon and MFA authentication.

I would evaluate your environment to evaluate the actual need of having devices Hybrid joined vs. just AAD joined. There are very few instances where an AD device object is needed for anything.

We have a hybrid domain enviornment and are moving all new devices to AAD joined only. All the domain services that are needed such as File Shares, Printing, etc are all user based not device based.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Hybrid Azure AD Join - Not joining correctly

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.