Hybrid Azure AD Joined Devices

To take advantage of all the modern features provided by cloud management (Azure Information Protection, Intune, Conditional Access), devices must be joined to Azure Active Directory. Devices that are joined both to Azure Active Directory and to the on-premises Active Directory are called Hybrid Azure AD Joined devices.
This hybrid configuration permits a smooth transition from traditional on-premises management to cloud management with Microsoft Intune.
Not everyone is aware that it is also possible to hybrid join Windows 7 and Windows 8.1 clients when Azure AD Connect runs in "Password Hash Sync" mode; for these down-level clients in a managed (non-federated) domain, Seamless SSO must also be enabled on Azure AD Connect.

Another great advantage of Hybrid Azure AD Joined devices with "Password Hash Sync" is the improved single sign-on experience. A hybrid joined Windows 10 device obtains a Primary Refresh Token from Azure AD at sign-in, so even when it cannot reach an on-premises domain controller it still performs SSO to Office 365 apps: there is no password prompt when you access your cloud apps from a 4G mobile connection.

The first step is the creation of a Service Connection Point (SCP) in the configuration partition of your Active Directory. The SCP carries the tenant name and tenant ID, and once it is in place all your Windows 10 devices (version 1607 or later) are able to register automatically with your tenant during the next sign-in. If you have a multi-forest environment, create one SCP in each forest.

You also need to ensure that Azure AD Connect is syncing the computer objects: the OUs containing the devices must be included in the selected OUs of the sync scope (Domain and OU filtering), otherwise the registration never completes.

Add the following URLs to the "Local intranet" zone with a GPO (Site to Zone Assignment List):
○ https://autologon.microsoftazuread-sso.com
○ https://aadg.windows.net.nsatc.net

Also ensure your clients can reach the following URLs (through your proxy or firewall, without SSL inspection breaking the device certificate enrollment):
○ https://enterpriseregistration.windows.net
○ https://login.microsoftonline.com
○ https://device.login.microsoftonline.com

To join down-level computers (Windows 7, Windows 8.0, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2), you must install the package "Microsoft Workplace Join for non-Windows 10 computers", available here: https://www.microsoft.com/en-us/download/details.aspx?id=53554

Ensure the device setting in your Azure AD ("Users may register their devices with Azure AD") is set to All. The registration is performed during the user's logon process, so a user who is not allowed to register will never complete the hybrid join on a down-level client.
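The steps above are easy to get wrong one at a time, so here is a single check script, added as an example for this article rather than taken from it or from Microsoft, that a practitioner can run on a domain-joined Windows 10 client after the prerequisites have been rolled out. It assumes the RSAT ActiveDirectory module is installed (for reading the SCP), that the Site to Zone Assignment List GPO is used for the intranet zone, and it reads the device state from dsregcmd /status; the SCP object name 62a0ff2e-97b9-4513-943f-0d221bd30080 and the ZoneMapKey registry path are the standard locations, everything else is local to this script.

```powershell
# Added example: verify the hybrid Azure AD join prerequisites from a client.
# Assumes the RSAT ActiveDirectory module is present for the SCP lookup.
#Requires -Version 5.1

# 1. Service Connection Point in the configuration partition of the forest.
#    Its keywords must contain azureADName:<tenant> and azureADId:<tenant id>.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
try {
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    "OK   SCP present: $($scp.keywords -join '; ')"
} catch {
    "FAIL SCP not found at $scpDn (create it from the Azure AD Connect server, one per forest)"
}

# 2. Seamless SSO endpoints assigned to zone 1 (Local intranet) by the GPO.
$zoneMap = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
foreach ($site in 'https://autologon.microsoftazuread-sso.com', 'https://aadg.windows.net.nsatc.net') {
    $zone = (Get-ItemProperty -Path $zoneMap -Name $site -ErrorAction SilentlyContinue).$site
    if ($zone -eq 1) { "OK   $site is in the Local intranet zone" }
    else             { "FAIL $site is not assigned to zone 1 (check the Site to Zone Assignment List GPO)" }
}

# 3. Device registration endpoints reachable on TCP 443 from this client.
foreach ($h in 'enterpriseregistration.windows.net', 'login.microsoftonline.com', 'device.login.microsoftonline.com') {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { "OK   ${h}:443 reachable" }
    else                     { "FAIL ${h}:443 blocked (proxy / firewall allow-list)" }
}

# 4. Device state: hybrid joined to both directories and holding a PRT.
#    dsregcmd prints "Key : Value" lines; keep the single-word keys we need.
$fields = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
}
foreach ($k in 'DomainJoined', 'AzureAdJoined', 'AzureAdPrt') {
    $v = $fields[$k]
    if ($v -eq 'YES') { "OK   $k = $v" } else { "FAIL $k = $v (expected YES)" }
}
```

AzureAdPrt : YES is the line that matters for the off-network SSO described earlier: a device that shows AzureAdJoined : YES but AzureAdPrt : NO has registered but has not obtained a Primary Refresh Token, which is typically a sign that the Seamless SSO zone settings or the URL allow-list above are incomplete. Run the script in an elevated session so the registry and dsregcmd reads succeed.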

In the link below you can see the Microsoft documentation on which this article is based.


Thank you very much for reading and I hope it was of your interest.
