In part 1 of this series on setup hybrid Azure AD Join without ADFS , we talked about Hybrid Azure AD ,prerequisites on how to configure device options.
In part 2 of this series in post ,we will see how to configure 2nd prerequisite i.e enable Seamless Single Sign ON through Azure AD Connect that would complete the steps required devices to be Hybrid Azure AD join.
Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) will automatically signs in users when they are on their corporate desktops that are connected to your corporate network.
Seamless SSO provides your users with easy access to your cloud-based applications without needing any additional on-premises components.
Run Azure AD connect again and this time ,On the additional tasks ,choose change user sign-in
On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant.
On the user sign-in page ,choose Enable single sign-on (leave the rest of the options default) and click Next
You will be prompted to enter domain admin credentials and will show tick mark in green color
On the Ready to Configure ,click Configure
You will see configuration complete.
Once you exit ,go to your active Directory users and computers ,in computers OU ,you will see computer object created with name AZUREADSSOACC in each AD forest.
Seamless SSO creates a computer account named
AZUREADSSOACC (which represents Azure AD) in your on-premises Active Directory (AD) in each AD forest. This computer account is needed for the feature to work. Move the
AZUREADSSOACC computer account to an Organization Unit (OU) where other computer accounts are stored to ensure that it is managed in the same way and is not deleted.
Follow these instructions to verify that you have enabled Seamless SSO correctly:
- Sign in to the Azure Active Directory administrative center with the global administrator credentials for your tenant.
- Select Azure Active Directory in the left pane.
- Select Azure AD Connect.
- Verify that the Seamless single sign-on feature appears as Enabled.
Since we have windows 7 devices in domain, we need make some changes in Azure AD to allow Windows down-level devices registered.
In the Azure portal, you can find this setting under:
Azure Active Directory > Devices > Device settings
The following policy must be set to All: Users may register their devices with Azure AD
Configure the local intranet settings for device registration
To successfully complete hybrid Azure AD join of your Windows down-level devices (windows 7) , and to avoid certificate prompts when devices authenticate authenticate to Azure AD you can push a policy to your domain-joined devices to add the following URLs to the Local Intranet zone in Internet Explorer:
With this ,we completed the setup for Hybrid Azure AD join.
End user results:
On Windows 7:
Now we will test hybrid Azure AD join on both windows 10 and windows 7.
For windows 7 ,to do hybrid Azure AD join ,you need Microsoft workplace join which you can download from https://www.microsoft.com/en-us/download/details.aspx?id=53554 .
This small utility can be deployed from SCCM or you can install manually .
Install the workplace join ,once it is installed ,task schedule is created and it runs every time user login to the PC.
For now ,open cmd ,change the directory to “C:\Program Files\Microsoft Workplace Join”
Run AutoWorkplace.exe /i
It will take few sec to find the DRS service and get the device registered in Azure AD . Following screen show ,hybrid Azure AD join successful .
If you go to Azure AD portal ,under devices, you will see this device listed there.
If you hit any issues here ,try to look at event viewer for error Log Name: Microsoft-Workplace Join/Admin
If hybrid Azure AD join is successful then you will see following entry with event ID: 201
Workplace join operation succeeded. Activity Id: 00000000-0000-0000-0000-000000000000
Registration Service URI: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
I have a blog on troubleshooting workplace join issues http://eskonr.com/2018/06/office-365-connectivity-issues-an-error-occurred-when-trying-to-join-your-device-to-your-organisation-workplace/ and http://eskonr.com/2018/06/workplace-join-hybrid-azure-ad-join-for-windows-failed-with-error-code-unknown/
For windows 10 ,there is no workplace join or any other tool available for hybrid Azure AD join ,it is inbuilt to windows 10.
If you have any proxy to connect to internet on these windows 10 devices ,you should have startup script with the proxy configuration as hybrid azure AD join run with system account during the computer startup.
Below is the simple batch script that can be configured through GPO as startup script .
netsh winhttp set Proxy <your proxy server IP>:8080 bypass-list="*.apac.eskonr.com,*.group.local"
When you configure the proxy ,make sure you can telnet to the port from windows 10 device else hybrid Azure AD join wont work.
If you do not have any proxy like me in my lab ,just reboot windows 10 device .
After you reboot windows 10 ,open cmd ,type dsregcmd /status
If the hybrid Azure AD join is successful ,you will see results like below with AzureADJoin=Yes
If you do not see the above results then troubleshooting is required.
How do we troubleshoot and what the logs ?
Check the logs in event viewer:
Microsoft->Windows->User Device Registration/Admin
Before the Windows 10 Device Reboot:
Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x80072ee7. Server error: empty. Debug Output:\r\n joinMode: Join
After the Win10 device reboot ,here is the status:
Windows Hello for Business provisioning will be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: No
Machine is governed by none policy.
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
If you are using proxy and still have issues,you will have to install network monitor tool (Microsoft) and fiddler to trace what's going on. This is more of advanced troubleshooting and am not covering it here.
If you go back to Azure AD portal ,Click on Azure Active Directory –>Devices ,on all Devices ,you will see Join Type ‘Hybrid Azure AD Join’
Once you have this completed, you can start playing with Conditional Access policies with access control ‘Require Hybrid Azure AD Joined Device’ as shown below.
Hope you enjoyed reading the guides on how to setup Hybrid Azure AD join without ADFS.
You are now good start configuring Co-management in Configmgr 1710 and above. For more information on Co-management ,please refer https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview
Hi bro i want join only some of the devices in my OU to azure but sadly all the devices in that OU joining to Hybrid azure AD even after GPO applied. how to resolve this one? could you please help out on this?
You can run azure ad connect tool and choose the ou that you want to sync the devices to azure ad and also make sure the gpo configuration for device registration is applied to specific OU.
Hope it helps
I like to run with a Batch file is this possible?
(C:\Program Files\Microsoft Workplace Join)
Why do you need to run batch file ? you can create a simple batch script with "C:\Program Files\Microsoft Workplace Join\autworkplace.exe /i" to run it
Hi Eswar, thanks for your post on this subject. Getting into to details of how the Hybrid-Join process works is very helpful!
We have a Proxy server and if we give all desktops / laptops no-auth access through the proxy will be a significant challenge in my environment - probably will get denied.
In a managed tenant we've seen that we just need to add a value (any value) in the devices userCertificate attribute and it will sync and be hybrid joined without the SCP. I do see in the event User Device Registration that the device is still trying to register at any user login from the workplace joined scheduled task.
Do you know if applying an certificate on our devices from our on-premise CA is an acceptable / supported way to have devices hybrid-joined? This would allow us to avoid the issue having devices with no-auth proxy access.
It doesnt need any certs however if you are running on this on windows 10 then you need to look at the proxy to be applied for system account .Hybrid azure AD join for windows 10 happens using system account during system reboot.
Here is some info from technet https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains
The configuration steps in this article are based on this wizard. If you have an older version of Azure AD Connect installed, you need upgrade it to 1.1.819 or higher. If installing the latest version of Azure AD Connect is not an option for you, see how to manually configure device registration.
Hybrid Azure AD join requires the devices to have access to the following Microsoft resources from inside your organization's network:
Your organization's STS (federated domains)
https://autologon.microsoftazuread-sso.com (If you are using or planning to use Seamless SSO)
Beginning with Windows 10 1803, if the instantaneous Hybrid Azure AD join for federated domain like AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that is subsequently used to complete the device registration for Hybrid Azure AD join.
If your organization requires access to the internet via an outbound proxy, starting with Windows 10 1709, you can configure proxy settings on your computer using a group policy object (GPO). If your computer is running a version earlier than Windows 10 1709, you must implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to do device registration with Azure AD.
If your organization requires access to the Internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration using machine context, it is necessary to configure outbound proxy authentication using machine context. Follow up with your outbound proxy provider on the configuration requirements.
Congratulations for your post.
All your tips helped me a lot!
I just have a doubt about all the process.
What happens with some devices that associate a user and the other do not associate any user.
It's possible to see it this image in your tutorial:
If i'm using an compliance police associate with the user name and some condicional access rule, it will doesn't work because of it.
What I can do to solve this issue ?
Thanks again for your tutorial!!!!
Thank you and glad it helped you. For windows 7, user (Owner) must be associated with the computer else hybrid azure AD join will not allow .For windows 10 ,it will not show the user name that are hybrid Azure AD Join which is limitation i believe but as long as the device shows in hybrid azure AD join then it must work .
if you have conditional access policies assigned to user , device must qualify before it can access office 365 resources . If user have any issues then you must run the device compliance reports identify what is the issue.