    How to configure Hybrid Azure AD Join without ADFS for Office 365 and Co-Management Activities– Part 2

    By Eswar Koneti, September 12 (Azure Active Directory)

    In part 1 of this series on setting up Hybrid Azure AD join without ADFS, we covered what Hybrid Azure AD join is and the first prerequisite, the Configure device options task in Azure AD Connect.

    In part 2, we configure the second prerequisite: enabling Seamless Single Sign-On through Azure AD Connect, which completes the setup required for devices to become Hybrid Azure AD joined. Windows 10 registers without it, but in a managed (non-federated) domain it is what lets Windows 7 and other down-level devices register.

    Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs users in when they are on corporate, domain-joined desktops connected to the corporate network: the browser obtains a Kerberos ticket for the AZUREADSSOACC computer account that Azure AD Connect creates, and Azure AD validates that ticket with the account's key.

    Seamless SSO gives users easy access to cloud-based applications without any additional on-premises components.

    Run Azure AD Connect again and, on the Additional tasks page, choose Change user sign-in:

    1. On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant.
    2. On the User sign-in page, select Enable single sign-on (leave the other options at their defaults) and click Next.
    3. You will be prompted for domain administrator credentials for each on-premises forest; once they are accepted, a green tick appears next to the forest.
    4. On the Ready to configure page, click Configure.
    5. When the wizard reports Configuration complete, exit.

    After you exit, open Active Directory Users and Computers: in the Computers container of each AD forest you will find a new computer object named AZUREADSSOACC.

    Seamless SSO creates this computer account (it represents Azure AD) in your on-premises Active Directory in each forest, and the feature does not work without it. Move AZUREADSSOACC to the OU where your other computer accounts are stored so that it is managed in the same way and is not deleted. Two caveats worth knowing: Azure AD decrypts the Seamless SSO Kerberos tickets with this account's key, so anyone holding the account's password hash can forge tickets that Azure AD accepts for any synced user. Treat the account as a tier-0 secret, exclude it from scripts that clean up or reset stale computer accounts, and roll its key over regularly (Microsoft recommends at least every 30 days) with Update-AzureADSSOForest from the AzureADSSO module on the Azure AD Connect server.

    Follow these instructions to verify that you have enabled Seamless SSO correctly:

    1. Sign in to the Azure Active Directory administrative center with the global administrator credentials for your tenant.
    2. Select Azure Active Directory in the left pane.
    3. Select Azure AD Connect.
    4. Verify that the Seamless single sign-on feature appears as Enabled.
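The following PowerShell is an added example, not code from the original post or from Microsoft: it does the AZUREADSSOACC housekeeping from the command line instead of from ADUC and the portal. Get-SeamlessSsoAccountState finds the account in each forest and reports how old its Kerberos key is, Move-SeamlessSsoAccount relocates it to the OU where the other computer accounts live and protects it from accidental deletion, and Invoke-SeamlessSsoKeyRollover resets the key with the AzureADSSO module that ships with Azure AD Connect. The forest list, the target OU and the 30-day threshold are assumptions; the cmdlet names are those of the RSAT ActiveDirectory module and of Azure AD Connect's AzureADSSO.psd1.

```powershell
# Added example (not from the original post). The first two functions run on any domain-joined
# admin workstation with RSAT; the key rollover must run on the Azure AD Connect server, where
# AzureADSSO.psd1 lives.
Import-Module ActiveDirectory

function Get-SeamlessSsoAccountState {
    # Report the AZUREADSSOACC account in each forest and whether its Kerberos key is overdue.
    param(
        [string[]]$Forest = @($env:USERDNSDOMAIN),   # assumption: a single forest; list others here
        [int]$MaxKeyAgeDays = 30                      # Microsoft's recommended rollover interval
    )
    foreach ($f in $Forest) {
        $acc = Get-ADComputer -Server $f -Filter "Name -eq 'AZUREADSSOACC'" `
                              -Properties PasswordLastSet, Enabled
        if (-not $acc) {
            [pscustomobject]@{ Forest = $f; Found = $false }
            continue
        }
        $ageDays = [int]((Get-Date) - $acc.PasswordLastSet).TotalDays
        [pscustomobject]@{
            Forest            = $f
            Found             = $true
            DistinguishedName = $acc.DistinguishedName
            Enabled           = $acc.Enabled
            KeyAgeDays        = $ageDays
            RolloverOverdue   = $ageDays -gt $MaxKeyAgeDays
        }
    }
}

function Move-SeamlessSsoAccount {
    # Move the account out of the default Computers container so the same GPOs and cleanup
    # exclusions as the other computer objects apply, and protect it from accidental deletion.
    param([Parameter(Mandatory)][string]$TargetOu)   # e.g. 'OU=Servers,DC=corp,DC=example' (assumption)
    $acc = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'"
    if (-not $acc) { throw 'AZUREADSSOACC not found; is Seamless SSO enabled for this forest?' }
    $moved = Move-ADObject -Identity $acc.DistinguishedName -TargetPath $TargetOu -PassThru
    Set-ADObject -Identity $moved -ProtectedFromAccidentalDeletion $true
}

function Invoke-SeamlessSsoKeyRollover {
    # Roll the Kerberos decryption key on both sides (on-premises AD and Azure AD).
    # Prompts for an Azure AD Global Administrator and for a Domain Administrator of the forest.
    $module = Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    Import-Module $module
    New-AzureADSSOAuthenticationContext                   # modern-auth prompt for the Global Administrator
    $onPrem = Get-Credential -Message 'Domain Administrator for the on-premises forest'
    Update-AzureADSSOForest -OnPremCredentials $onPrem   # resets the AZUREADSSOACC key
    Get-AzureADSSOStatus | ConvertFrom-Json              # confirms SSO is still enabled for the domain
}

Get-SeamlessSsoAccountState | Format-Table -AutoSize
```

Get-AzureADSSOStatus returns JSON text, hence the ConvertFrom-Json; its Enable flag and the domain list are the same information the portal's Azure AD Connect blade shows as "Seamless single sign-on: Enabled".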


    Since we also have Windows 7 devices in the domain, a setting in Azure AD must allow Windows down-level devices to register.

    In the Azure portal, you can find this setting under:

    Azure Active Directory > Devices > Device settings

    The following policy must be set to All: Users may register their devices with Azure AD. Windows 10 hybrid Azure AD join does not depend on this setting; the down-level device registration does.

    Configure the local intranet settings for device registration

    To complete hybrid Azure AD join of Windows down-level devices (Windows 7), and to avoid credential or certificate prompts when the devices authenticate to Azure AD, push a policy to your domain-joined devices (Site to Zone Assignment List, under Internet Explorer > Internet Control Panel > Security Page in the administrative templates) that adds the following URLs to the Local Intranet zone in Internet Explorer. The zone matters: Internet Explorer only sends Windows Integrated Authentication (the Kerberos ticket Seamless SSO relies on) automatically to Local Intranet sites, and Microsoft's guidance is to use that zone rather than Trusted Sites.

    • https://device.login.microsoftonline.com
    • https://autologon.microsoftazuread-sso.com
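The PowerShell below is an added example (not from the original post) showing where those two entries end up in the registry and how to check that they actually landed in the Local Intranet zone (value 1) on a device, whether they came from the Site to Zone Assignment List policy or from a per-user Internet Explorer setting. Add-IntranetZoneUrl writes the per-user entries for a one-off test; fleet deployment should stay with the GPO, whose entries override the per-user ones. The registry paths are the ones Internet Explorer and the policy use; the function names are mine.

```powershell
# Added example (not from the original post): verify, and for a one-off test set, the Local Intranet
# zone entries that Seamless SSO and down-level device registration need. The GPO that does this
# fleet-wide is Computer Configuration > Policies > Administrative Templates > Windows Components >
# Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.
$HybridJoinIntranetUrls = @(
    'https://device.login.microsoftonline.com',
    'https://autologon.microsoftazuread-sso.com'
)
# Where Site to Zone Assignment List lands: value name = URL, data '1' = Local intranet zone.
$ZonePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
# Where the IE dialog stores per-user entries: Domains\<domain>\<subdomain>, DWORD <scheme> = zone.
$ZoneUserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapSubKey {
    # Map a URL to the ZoneMap\Domains subkey IE uses, e.g.
    #   https://autologon.microsoftazuread-sso.com -> microsoftazuread-sso.com\autologon
    #   https://device.login.microsoftonline.com   -> microsoftonline.com\device.login
    param([Parameter(Mandatory)][string]$Url)
    $labels = ([uri]$Url).Host.Split('.')
    $domain = $labels[-2..-1] -join '.'
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    if ($sub) { "$domain\$sub" } else { $domain }
}

function Test-IntranetZoneUrl {
    # Returns which source (Policy, User or None) puts each URL in the Local intranet zone.
    param([string[]]$Url = $HybridJoinIntranetUrls)
    foreach ($u in $Url) {
        $policyValue = (Get-ItemProperty -Path $ZonePolicyKey -ErrorAction SilentlyContinue).$u
        $userKey     = Join-Path $ZoneUserKey (Get-ZoneMapSubKey $u)
        $scheme      = ([uri]$u).Scheme
        $userValue   = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).$scheme
        $source = if ("$policyValue" -eq '1') { 'Policy' }
                  elseif ($userValue -eq 1)   { 'User' }
                  else                        { 'None' }
        [pscustomobject]@{ Url = $u; IntranetZone = ($source -ne 'None'); Source = $source }
    }
}

function Add-IntranetZoneUrl {
    # Per-user equivalent of adding the site in IE's Local intranet > Sites dialog; for testing only.
    param([string[]]$Url = $HybridJoinIntranetUrls)
    foreach ($u in $Url) {
        $key = Join-Path $ZoneUserKey (Get-ZoneMapSubKey $u)
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name ([uri]$u).Scheme -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Test-IntranetZoneUrl | Format-Table -AutoSize
```

Run Test-IntranetZoneUrl on a device after the GPO has applied: both rows should report Source = Policy. A row reporting User means someone set it by hand and it will not survive a profile change; None means the device will be prompted (or silently fail) when it talks to Azure AD.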

    With this ,we completed the setup for Hybrid Azure AD join.

    End user results:

    Now we will test hybrid Azure AD join on both Windows 7 and Windows 10.

    On Windows 7:

    For Windows 7, hybrid Azure AD join needs the Microsoft Workplace Join for Windows package, which you can download from https://www.microsoft.com/en-us/download/details.aspx?id=53554.

    This small utility can be deployed with SCCM or installed manually.

    Install Workplace Join. Once it is installed, a scheduled task is created that runs every time a user logs on to the PC, so a user (who becomes the device owner) has to sign in for the registration to happen.

    To trigger it now, open a command prompt, change the directory to "C:\Program Files\Microsoft Workplace Join" and run:

    AutoWorkplace.exe /i

    It takes a few seconds to discover the Device Registration Service (DRS) and register the device in Azure AD; the tool then reports that the hybrid Azure AD join succeeded.

    If you go to the Azure AD portal, under Devices, you will see this device listed there.

    If you hit any issues here, look in Event Viewer under Applications and Services Logs, log name Microsoft-Workplace Join/Admin.

    If hybrid Azure AD join is successful you will see the following entry with event ID 201:

    Workplace join operation succeeded. Activity Id: 00000000-0000-0000-0000-000000000000
    Registration Service URI: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc

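As an added example (not code from the original post or from the Workplace Join package), the PowerShell below runs AutoWorkplace.exe /i and then confirms the result from the event log rather than by eye, which is the shape a practitioner needs for an SCCM detection or compliance script. The install path, log name and event ID 201 are the ones the post shows; the function names and the sample event text are mine.

```powershell
# Added example (not from the original post): run Workplace Join on a Windows 7 device and verify
# the outcome from the Microsoft-Workplace Join/Admin log. Usable as an SCCM detection script:
# output means "joined", no output means "not joined".
$WorkplaceJoinExe = 'C:\Program Files\Microsoft Workplace Join\AutoWorkplace.exe'
$WorkplaceJoinLog = 'Microsoft-Workplace Join/Admin'

function Invoke-WorkplaceJoin {
    # Runs AutoWorkplace.exe /i in the current (logged-on user) context and returns its exit code.
    if (-not (Test-Path $WorkplaceJoinExe)) { throw "Workplace Join is not installed at $WorkplaceJoinExe" }
    $p = Start-Process -FilePath $WorkplaceJoinExe -ArgumentList '/i' -Wait -PassThru -NoNewWindow
    $p.ExitCode
}

function ConvertFrom-WorkplaceJoinEvent {
    # Pull the fields the post highlights out of the free-text event message.
    param([Parameter(Mandatory)][string]$Message)
    [pscustomobject]@{
        Succeeded  = [bool]($Message -match 'Workplace join operation succeeded')
        ActivityId = if ($Message -match 'Activity Id:\s*([0-9a-fA-F-]{36})') { $matches[1] } else { $null }
        ServiceUri = if ($Message -match 'Registration Service URI:\s*(\S+)') { $matches[1] } else { $null }
    }
}

function Get-WorkplaceJoinResult {
    # Newest success (ID 201) event, or nothing if the device has never registered.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $WorkplaceJoinLog; Id = 201 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) {
        ConvertFrom-WorkplaceJoinEvent $ev.Message |
            Add-Member -NotePropertyName Time -NotePropertyValue $ev.TimeCreated -PassThru
    }
}

# Constructed sample of the 201 event text shown in the post, so the parser can be tried offline.
$SampleEvent = @"
Workplace join operation succeeded. Activity Id: 00000000-0000-0000-0000-000000000000
Registration Service URI: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
"@
ConvertFrom-WorkplaceJoinEvent $SampleEvent

# Live use: trigger the join, then report. Remove Invoke-WorkplaceJoin for a pure detection script.
$exit = Invoke-WorkplaceJoin
$r = Get-WorkplaceJoinResult
if ($r) { "Hybrid Azure AD joined at $($r.Time) via $($r.ServiceUri) (exit code $exit)" }
```

Because the scheduled task and AutoWorkplace.exe run as the logged-on user, a detection script built on this must run in user context (in SCCM, deploy the application with the "Install for user" option), or it will look at the wrong log and report nothing.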

    I have blog posts on troubleshooting workplace join issues: http://eskonr.com/2018/06/office-365-connectivity-issues-an-error-occurred-when-trying-to-join-your-device-to-your-organisation-workplace/ and http://eskonr.com/2018/06/workplace-join-hybrid-azure-ad-join-for-windows-failed-with-error-code-unknown/

    Windows 10:

    For Windows 10 there is no Workplace Join package or any other tool to install: hybrid Azure AD join is built into Windows 10 (the Automatic-Device-Join scheduled task under Microsoft > Windows > Workplace Join in Task Scheduler).

    If these Windows 10 devices reach the internet through a proxy, you need a computer startup script with the proxy configuration, because hybrid Azure AD join runs under the SYSTEM account during computer startup. That account does not see the user's Internet Explorer proxy settings; it uses the machine-wide WinHTTP proxy.

    Below is a simple batch script that can be configured through a GPO as a startup script (replace the server and the bypass list with your own):

    netsh winhttp set proxy proxy-server="<your proxy server IP>:8080" bypass-list="*.apac.eskonr.com;*.group.local"

    When you configure the proxy, make sure you can telnet to the proxy port from the Windows 10 device, else hybrid Azure AD join will not work.
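The PowerShell startup script below is an added example, not the post's own batch script: it does the same netsh winhttp set proxy, but first checks that the proxy port opens (the PowerShell equivalent of the telnet test) and afterwards confirms that each of the Azure AD registration endpoints can be reached through the proxy from the same SYSTEM context that hybrid join uses. The proxy host, port and bypass list are placeholders; Test-NetConnection, netsh and Invoke-WebRequest -Proxy are standard Windows tools.

```powershell
# Added example (not from the original post): computer startup script (runs as SYSTEM, like the
# hybrid join task) that sets the WinHTTP proxy and checks the proxy and the registration
# endpoints. Proxy host/port and bypass list below are placeholders for your environment.
param(
    [string]$ProxyServer = 'proxy.corp.example:8080',
    [string[]]$BypassList = @('*.apac.eskonr.com', '*.group.local', '<local>')
)
# Endpoints hybrid Azure AD join must reach (the last one only matters when Seamless SSO is used).
$RegistrationEndpoints = @(
    'https://enterpriseregistration.windows.net',
    'https://login.microsoftonline.com',
    'https://device.login.microsoftonline.com',
    'https://autologon.microsoftazuread-sso.com'
)

function Test-ProxyPort {
    # The PowerShell equivalent of "telnet proxy 8080": can this machine open the TCP port?
    param([Parameter(Mandatory)][string]$Server)
    $proxyHost, $proxyPort = $Server -split ':'
    (Test-NetConnection -ComputerName $proxyHost -Port ([int]$proxyPort) -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Set-WinHttpProxy {
    # The WinHTTP (machine-wide) proxy is what services running as SYSTEM use; IE settings do not apply.
    param([Parameter(Mandatory)][string]$Server, [string[]]$Bypass)
    netsh winhttp set proxy proxy-server="$Server" bypass-list="$($Bypass -join ';')" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh winhttp set proxy failed with exit code $LASTEXITCODE" }
    netsh winhttp show proxy
}

function Test-RegistrationEndpoint {
    # Any HTTP response (even 4xx) means the endpoint was reached through the proxy; only a
    # transport failure (name resolution, connect, timeout) counts as unreachable.
    param([string[]]$Url = $RegistrationEndpoints, [string]$Proxy = "http://$ProxyServer")
    foreach ($u in $Url) {
        try {
            $null = Invoke-WebRequest -Uri $u -Method Head -Proxy $Proxy -UseBasicParsing -TimeoutSec 15
            $reached = $true
            $detail  = 'HTTP OK'
        } catch {
            $reached = [bool]$_.Exception.Response
            $detail  = if ($reached) { "HTTP $([int]$_.Exception.Response.StatusCode)" } else { $_.Exception.Message }
        }
        [pscustomobject]@{ Url = $u; Reachable = $reached; Detail = $detail }
    }
}

if (-not (Test-ProxyPort $ProxyServer)) {
    Write-Error "Cannot open $ProxyServer; hybrid Azure AD join will fail until the proxy is reachable"
    return
}
Set-WinHttpProxy -Server $ProxyServer -Bypass $BypassList
Test-RegistrationEndpoint | Format-Table -AutoSize
```

If Test-RegistrationEndpoint reports a name-resolution or connect failure for an endpoint while the proxy port itself opens, the proxy is reachable but is not letting the machine account through (an authenticated proxy, as the comments below discuss), and the join will fail at the join phase with a WinHTTP error.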

    If you do not have a proxy (as in my lab), just reboot the Windows 10 device.

    After the reboot, open a command prompt and type dsregcmd /status

    If the hybrid Azure AD join was successful, the Device State section shows AzureAdJoined : YES together with DomainJoined : YES (both together mean hybrid joined); after a user signs in, the SSO State section should also show AzureAdPrt : YES.


    If you do not see the above results then troubleshooting is required.

    How do we troubleshoot, and where are the logs?

    Check the logs in Event Viewer under Applications and Services Logs:

    Microsoft > Windows > User Device Registration > Admin

    Before the Windows 10 device reboot (0x80072EE7 is ERROR_WINHTTP_NAME_NOT_RESOLVED: the device could not resolve the registration endpoint, which on a proxied network usually means the SYSTEM account has no WinHTTP proxy configured, and otherwise points at DNS or the network not being up yet):

    Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x80072ee7. Server error: empty. Debug Output:
    joinMode: Join
    drsInstance: azure
    registrationType: sync
    tenantType: managed
    tenantId: 3992590e-6f9b-4aa1-aa9f-d7717c111b07
    configLocation: undefined
    errorPhase: join
    adalCorrelationId: undefined
    adalLog:
    undefined
    adalResponseCode: 0x0
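To avoid reading the dsregcmd box by eye and scrolling the event log, here is an added PowerShell example (not from the original post) that parses dsregcmd /status into a HybridJoined verdict and extracts the HRESULT and errorPhase from the User Device Registration failure events, mapping the WinHTTP codes a proxy problem produces to their names. The dsregcmd field names are Windows' own; the sample status text and failure message are constructed from the output shown in the post, and the function names are mine.

```powershell
# Added example (not from the original post): read the Windows 10 hybrid join state from
# dsregcmd /status and pull failure details out of the User Device Registration log.
function ConvertFrom-DsregcmdStatus {
    # dsregcmd prints "Name : Value" rows inside boxed sections; the first colon is the separator,
    # box-drawing lines (starting with | or +) are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    $state
}

function Get-HybridJoinState {
    # Hybrid Azure AD joined means BOTH AzureAdJoined and DomainJoined are YES. AzureAdPrt is in the
    # SSO State section and only turns YES after a user signs in (run dsregcmd as that user).
    param([string[]]$StatusOutput = (dsregcmd /status))
    $s = ConvertFrom-DsregcmdStatus $StatusOutput
    [pscustomobject]@{
        AzureAdJoined = $s['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $s['DomainJoined']  -eq 'YES'
        HybridJoined  = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')
        DeviceId      = $s['DeviceId']
        TenantName    = $s['TenantName']
        AzureAdPrt    = $s['AzureAdPrt'] -eq 'YES'
    }
}

# WinHTTP HRESULTs seen in "Automatic registration failed" events (0x8007xxxx wraps Win32 12xxx).
$KnownHResults = @{
    '0x80072ee2' = 'ERROR_WINHTTP_TIMEOUT: proxy or firewall is dropping the connection'
    '0x80072ee7' = 'ERROR_WINHTTP_NAME_NOT_RESOLVED: endpoint name not resolved (typical when SYSTEM has no WinHTTP proxy)'
    '0x80072efd' = 'ERROR_WINHTTP_CANNOT_CONNECT: TCP connection to the endpoint or proxy refused'
}

function ConvertFrom-RegistrationFailure {
    # Extract the error code and phase from the free-text event message shown in the post.
    param([Parameter(Mandatory)][string]$Message)
    $hr    = if ($Message -match 'Error code:\s*(0x[0-9A-Fa-f]{8})') { $matches[1].ToLower() } else { $null }
    $phase = if ($Message -match 'errorPhase:\s*(\S+)') { $matches[1] } else { $null }
    $hint  = if ($hr -and $KnownHResults.ContainsKey($hr)) { $KnownHResults[$hr] } else { 'unmapped; look up the HRESULT' }
    [pscustomobject]@{ HResult = $hr; Phase = $phase; Hint = $hint }
}

function Get-RegistrationFailure {
    # Error-level events from the log the post points at, newest first.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Level = 2 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object Message -match 'Automatic registration failed' |
        ForEach-Object {
            $ev = $_
            ConvertFrom-RegistrationFailure $ev.Message |
                Add-Member -NotePropertyName Time -NotePropertyValue $ev.TimeCreated -PassThru
        }
}

# Constructed sample of dsregcmd /status output (a real run prints many more rows).
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                  DeviceId : 11111111-2222-3333-4444-555555555555
                TenantName : Contoso
                AzureAdPrt : YES
'@ -split "`r?`n"

Get-HybridJoinState -StatusOutput $SampleStatus          # HybridJoined = True for the sample
ConvertFrom-RegistrationFailure 'Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0x80072ee7. Server error: empty. Debug Output: joinMode: Join errorPhase: join'
Get-RegistrationFailure | Format-Table -AutoSize         # live events on a real device
```

On a device that shows HybridJoined = True but AzureAdPrt = False for a signed-in user, registration is fine and the problem is in getting a Primary Refresh Token (which is what Conditional Access later evaluates); that is a different troubleshooting path from the join-phase failures the log extract above is about.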


    After the Windows 10 device reboots, the same log shows that the join has completed. In the Windows Hello for Business provisioning event below, "DJ++" is Windows' internal name for a domain-joined device that is also Azure AD joined, i.e. hybrid joined:

    Windows Hello for Business provisioning will be launched.
    Device is AAD joined ( AADJ or DJ++ ): Yes
    User has logged on with AAD credentials: Yes
    Windows Hello for Business policy is enabled: Yes
    Local computer meets Windows hello for business hardware requirements: Yes
    User is not connected to the machine via Remote Desktop: Yes
    User certificate for on premise auth policy is enabled: No
    Machine is governed by none policy.
    See
    https://go.microsoft.com/fwlink/?linkid=832647 for more details.


    If you are using a proxy and still have issues, you will have to install Microsoft Network Monitor and Fiddler to trace what is going on. That is more advanced troubleshooting and is not covered here.

    If you go back to the Azure AD portal and click Azure Active Directory > Devices > All devices, you will see the Join Type shown as Hybrid Azure AD joined.

    Once this is complete, you can start using Conditional Access policies with the grant control Require Hybrid Azure AD joined device.

    Hope you enjoyed reading the guides on how to set up Hybrid Azure AD join without ADFS.

    You are now ready to start configuring co-management in Configuration Manager 1710 and above. For more information on co-management, please refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

    Reference guides:

    https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start

    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq


    8 Comments

    1. Ramesh s on September 6, 2019 11:03 AM

      Hi bro, I want to join only some of the devices in my OU to Azure, but sadly all the devices in that OU are joining Hybrid Azure AD even after the GPO is applied. How do I resolve this one? Could you please help out on this?
      • Eswar Koneti on September 6, 2019 6:12 PM

        Hi Ramesh,
        You can run the Azure AD Connect tool and choose the OU from which you want to sync the devices to Azure AD, and also make sure the GPO configuration for device registration is applied to the specific OU.

        Hope it helps

        Thanks
        Eswar
    2. Thomas Gossweiler on November 28, 2018 6:35 PM

      I'd like to run it with a batch file; is this possible?

      (C:\Program Files\Microsoft Workplace Join)
      • Eswar Koneti on December 19, 2018 12:04 AM

        Why do you need to run a batch file? You can create a simple batch script with "C:\Program Files\Microsoft Workplace Join\AutoWorkplace.exe /i" to run it.

        Thanks,
        Eswar
    3. John P on November 10, 2018 12:56 AM

      Hi Eswar, thanks for your post on this subject. Getting into the details of how the Hybrid Join process works is very helpful!

      We have a proxy server, and giving all desktops/laptops no-auth access through the proxy will be a significant challenge in my environment; it will probably get denied.

      In a managed tenant we've seen that we just need to add a value (any value) in the device's userCertificate attribute and it will sync and be hybrid joined without the SCP. I do see in the User Device Registration event log that the device is still trying to register at every user login from the workplace join scheduled task.

      Do you know if applying a certificate to our devices from our on-premises CA is an acceptable/supported way to have devices hybrid-joined? This would allow us to avoid the issue of having devices with no-auth proxy access.
      • Eswar Koneti on January 27, 2019 10:18 PM

        Hi John,
        It doesn't need any certs; however, if you are running this on Windows 10 then you need to look at the proxy being applied for the system account. Hybrid Azure AD join for Windows 10 happens using the system account during system reboot.
        Here is some info from the docs: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains

        The configuration steps in this article are based on this wizard. If you have an older version of Azure AD Connect installed, you need to upgrade it to 1.1.819 or higher. If installing the latest version of Azure AD Connect is not an option for you, see how to manually configure device registration.

        Hybrid Azure AD join requires the devices to have access to the following Microsoft resources from inside your organization's network:

        https://enterpriseregistration.windows.net
        https://login.microsoftonline.com
        https://device.login.microsoftonline.com
        Your organization's STS (federated domains)
        https://autologon.microsoftazuread-sso.com (If you are using or planning to use Seamless SSO)
        Beginning with Windows 10 1803, if the instantaneous Hybrid Azure AD join for federated domain like AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that is subsequently used to complete the device registration for Hybrid Azure AD join.

        If your organization requires access to the internet via an outbound proxy, starting with Windows 10 1709, you can configure proxy settings on your computer using a group policy object (GPO). If your computer is running a version earlier than Windows 10 1709, you must implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to do device registration with Azure AD.

        If your organization requires access to the Internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration using machine context, it is necessary to configure outbound proxy authentication using machine context. Follow up with your outbound proxy provider on the configuration requirements.
    4. Paulo on September 21, 2018 2:31 AM

      Hi Eswar,
      Congratulations on your post.
      All your tips helped me a lot!
      I just have a doubt about the whole process.
      What happens with some devices that are associated with a user while the others are not associated with any user?
      It's possible to see it in this image in your tutorial:
      https://i2.wp.com/eskonr.com/wp-content/uploads/2018/09/image-23.png

      If I'm using a compliance policy associated with the user name and some conditional access rule, it won't work because of it.
      What can I do to solve this issue?

      Thanks again for your tutorial!!!!
      • Eswar Koneti on September 30, 2018 10:51 PM

        Hi Paulo,
        Thank you, and glad it helped you. For Windows 7, a user (owner) must be associated with the computer, else hybrid Azure AD join will not be allowed. For Windows 10, it will not show the user name for devices that are hybrid Azure AD joined, which is a limitation I believe, but as long as the device shows as hybrid Azure AD joined then it must work.
        If you have conditional access policies assigned to the user, the device must qualify before it can access Office 365 resources. If the user has any issues then you must run the device compliance reports to identify what the issue is.

        Thanks,
        Eswar

    © Copyright 2009-2024 Eswar Koneti, All rights reserved.

    Type above and press Enter to search. Press Esc to cancel.