6 Responses to "How to configure Hybrid Azure AD Join without ADFS for Office 365 and Co-Management Activities– Part 2"

    1. Why do you need to run batch file ? you can create a simple batch script with "C:\Program Files\Microsoft Workplace Join\autworkplace.exe /i" to run it

      Thanks,
      Eswar

      Reply
  1. Hi Eswar, thanks for your post on this subject. Getting into to details of how the Hybrid-Join process works is very helpful!

    We have a Proxy server and if we give all desktops / laptops no-auth access through the proxy will be a significant challenge in my environment - probably will get denied.

    In a managed tenant we've seen that we just need to add a value (any value) in the devices userCertificate attribute and it will sync and be hybrid joined without the SCP. I do see in the event User Device Registration that the device is still trying to register at any user login from the workplace joined scheduled task.

    Do you know if applying an certificate on our devices from our on-premise CA is an acceptable / supported way to have devices hybrid-joined? This would allow us to avoid the issue having devices with no-auth proxy access.

    Reply
    1. Hi John,
      It doesnt need any certs however if you are running on this on windows 10 then you need to look at the proxy to be applied for system account .Hybrid azure AD join for windows 10 happens using system account during system reboot.
      Here is some info from technet https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains

      The configuration steps in this article are based on this wizard. If you have an older version of Azure AD Connect installed, you need upgrade it to 1.1.819 or higher. If installing the latest version of Azure AD Connect is not an option for you, see how to manually configure device registration.

      Hybrid Azure AD join requires the devices to have access to the following Microsoft resources from inside your organization's network:

      https://enterpriseregistration.windows.net
      https://login.microsoftonline.com
      https://device.login.microsoftonline.com
      Your organization's STS (federated domains)
      https://autologon.microsoftazuread-sso.com (If you are using or planning to use Seamless SSO)
      Beginning with Windows 10 1803, if the instantaneous Hybrid Azure AD join for federated domain like AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that is subsequently used to complete the device registration for Hybrid Azure AD join.

      If your organization requires access to the internet via an outbound proxy, starting with Windows 10 1709, you can configure proxy settings on your computer using a group policy object (GPO). If your computer is running a version earlier than Windows 10 1709, you must implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to do device registration with Azure AD.

      If your organization requires access to the Internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration using machine context, it is necessary to configure outbound proxy authentication using machine context. Follow up with your outbound proxy provider on the configuration requirements.

      Reply
  2. Hi Eswar,
    Congratulations for your post.
    All your tips helped me a lot!
    I just have a doubt about all the process.
    What happens with some devices that associate a user and the other do not associate any user.
    It's possible to see it this image in your tutorial:
    https://i2.wp.com/eskonr.com/wp-content/uploads/2018/09/image-23.png

    If i'm using an compliance police associate with the user name and some condicional access rule, it will doesn't work because of it.
    What I can do to solve this issue ?

    Thanks again for your tutorial!!!!

    Reply
    1. Hi Paulo,
      Thank you and glad it helped you. For windows 7, user (Owner) must be associated with the computer else hybrid azure AD join will not allow .For windows 10 ,it will not show the user name that are hybrid Azure AD Join which is limitation i believe but as long as the device shows in hybrid azure AD join then it must work .
      if you have conditional access policies assigned to user , device must qualify before it can access office 365 resources . If user have any issues then you must run the device compliance reports identify what is the issue.

      Thanks,
      Eswar

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.