Introduction:
About a week ago, I was exploring Co-Management and Office 365 in my lab. To test Co-Management for domain joined devices, we need Hybrid Azure AD Join in place; otherwise domain joined devices cannot be managed with Intune and ConfigMgr together.
We would also like to explore a Conditional Access policy that blocks non-domain joined Windows 7 devices from connecting to the test Office 365 environment. So to test either Co-Management or Conditional Access, we first need hybrid Azure AD join working.
Hybrid Azure AD (AAD+) join means the computer is joined both to the on-prem domain and to Azure AD. You can read more about it here.
Hybrid Azure AD join ensures that your users access your resources from devices that meet your standards for security and compliance.
With the help of Conditional Access, we can apply a control that allows only hybrid Azure AD joined devices (domain joined PCs) or compliant devices (Windows 10 only) to connect to Office 365.
If you do not use Conditional Access (hybrid Azure AD joined or compliant), there is no way to stop non-domain joined Windows 7 devices (a DLP risk) from connecting to Office 365 services. So Conditional Access is a must if you want to block non-domain joined Windows 7 devices.
In simple terms, you can allow devices with the following identities to connect to Office 365:
- Azure AD join (the computer is joined directly to Azure AD)
- Hybrid Azure AD join (on-prem domain + Azure AD)
- Azure AD registration (enrollment)
Hybrid Azure AD join can be set up either in a managed domain (no ADFS) or in a federated domain (ADFS). In our production domain we had ADFS configured and hence had no issues with hybrid Azure AD join. However, we wanted to try a non-federated domain and see what changes are required to make it work. This turned out to be quite interesting.
Since we have an on-prem domain controller without federation and SCCM 1802 in the lab, we would like to explore Conditional Access, co-management and related features on top of it.
If your environment has managed domains (not federated), like my lab, hybrid Azure AD join is supported with the following options:
- Pass Through Authentication (PTA) with Seamless Single Sign On (SSO)
- Password Hash Sync (PHS) with Seamless Single Sign On (SSO)
I chose the 2nd option: sync password hashes to Azure AD, with Seamless Single Sign-On (SSO).
Beginning with version 1.1.819.0, Azure AD Connect provides a wizard to configure hybrid Azure AD join, which significantly simplifies the configuration process. For more information, see:
- Configure hybrid Azure Active Directory join for federated domains (not in the scope of this blog)
- Configure hybrid Azure Active Directory join for managed domains
In this blog post, we will see how to set up hybrid Azure AD join for devices in managed (non-federated) domains.
Note: This guide is purely for lab purposes; it does not cover firewalls, proxy exceptions and the other considerations you have in production.
Following is my lab configuration:
DC01: Domain Controller running Windows Server 2012 R2, with the latest Azure AD Connect installed to sync objects to Azure AD.
CM01: Primary Site (SCCM 1802) running on Windows Server 2012 R2, which will be configured with Co-management later, once our hybrid Azure AD join is done.
CM02: Running Windows Server 2012 R2, used for the cloud management gateway.
All Windows 7 and Windows 10 clients are joined to the domain (apac.eskonr.com).
What configuration do we need in order to get domain joined Windows 7 and Windows 10 clients into Azure AD?
We will use Azure AD Connect and enable two options: a) Configure device options and b) Enable Seamless SSO.
This guide assumes that you already have a working environment with a domain controller (no ADFS), Azure AD Connect configured, SCCM 1710 or above (only if you want co-management, otherwise ignore it), an Office 365 subscription with an Azure AD P1 or higher license (for Conditional Access), and an Intune license.
Prerequisites:
1. You will need the latest version of Azure AD Connect (1.1.819.0 or higher) installed.
2. Make sure that Azure AD Connect has synchronized the computer objects to Azure AD.
If the computer objects belong to specific organizational units (OUs), those OUs need to be configured for synchronization in Azure AD Connect as well.
How to check whether the computer OU has been synced?
Log in to the server that has Azure AD Connect installed. In my case, it is DC01 (the domain controller). If you installed Azure AD Connect on a different server, log in to that server to make the changes.
Launch Azure AD Connect and click Configure; you will see the following screen.
Choose Customize synchronization options and click Next.
On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant.
Click Next to configure the computer OU sync.
In Domain and OU filtering, verify whether the computer OU is selected for syncing. If it is not selected, choose the computer OU, click Next, Next, then Configure to apply the changes, and close the wizard.
This concludes the check for our prerequisite step.
3. If you have a firewall or proxy, the devices need access to the following Microsoft resources from inside your organization's network:
- https://enterpriseregistration.windows.net
- https://login.microsoftonline.com
- https://device.login.microsoftonline.com
- https://autologon.microsoftazuread-sso.com (only if you are using or planning to use Seamless SSO; in my case, I am using it)
Note: If your organization requires access to the Internet via an outbound proxy, starting with Windows 10 1709 you can configure proxy settings on the computer using a group policy object (GPO). If your computer is running anything older than Windows 10 1709, you must implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to perform device registration with Azure AD.
If your organization requires access to the Internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration in the machine context, outbound proxy authentication must be configured for the machine context as well. Follow up with your outbound proxy provider on the configuration requirements.
In my lab I don't have any proxy and a direct connection is allowed, so I don't need to configure any of the above URLs.
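The connectivity check behind that list, as an added example that is not part of the original post: it tests TCP 443 reachability of the four registration endpoints from a domain-joined client and shows the machine-wide WinHTTP proxy, which is the one device registration actually uses because it runs in the machine context. Test-NetConnection and netsh are built into Windows 8.1 / Server 2012 R2 and later; the endpoint names are the ones listed above.

```powershell
# Added example, not from the original post. Run on the client that should register,
# not on the domain controller: reachability is evaluated from the client's network position.
$endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'   # only required when Seamless SSO is in use
)

$results = foreach ($name in $endpoints) {
    # -WarningAction hides the noisy "TCP connect failed" warning; the result object still tells us
    $tnc = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint   = $name
        ResolvedIP = if ($tnc.RemoteAddress) { $tnc.RemoteAddress.IPAddressToString } else { 'unresolved' }
        Tcp443     = $tnc.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Device registration runs as SYSTEM, so the proxy that matters is the WinHTTP (machine) proxy,
# not the logged-on user's Internet Explorer / WinINet settings.
netsh winhttp show proxy

# Any endpoint with Tcp443 = False is a firewall/proxy exception you need before the join can work.
$blocked = $results | Where-Object { -not $_.Tcp443 }
if ($blocked) {
    Write-Warning ("Not reachable on 443: " + ($blocked.Endpoint -join ', '))
} else {
    Write-Host 'All hybrid Azure AD join endpoints reachable on 443.'
}
```

A successful TCP test only proves the port is open; if an authenticated proxy sits in between, the registration attempt itself (machine context) can still fail, which is exactly the case the note above describes.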
Now we will run through the hybrid Azure AD join setup:
Launch Azure AD Connect, and then click Configure.
On the Additional tasks page, select Configure device options, and then click Next.
On the Overview page, click Next.
On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant.
On the Device options page, select Configure Hybrid Azure AD join, and then click Next.
On the SCP page, for each forest where you want Azure AD Connect to configure the SCP, select the forest, select the authentication service, click Add and enter the enterprise administrator credentials (on-prem domain). If no enterprise admin credentials are available, you may have to make some manual changes via adsiedit.msc. You may refer to here for more details.
On the Device operating systems page, select both options (Windows 7 and Windows 10 operating systems used by devices in your Active Directory environment), and then click Next.
If you do not have Windows 7, the 'Supported Windows down-level domain-joined devices' option is not required.
On the Ready to configure page, click Configure.
On the Configuration complete page, click Exit.
Once this is done, the SCP object should have been created. You can verify the existence of the object and retrieve the discovery values using the following Windows PowerShell script.
On the server where Azure AD Connect is installed, or on the domain controller, run the following PowerShell script.
You only need to change the domain part of the distinguished name (DC=apac,DC=eskonr,DC=com is my domain, apac.eskonr.com).
# Bind to the Service Connection Point that Azure AD Connect creates in the Configuration partition.
# The CN GUID 62a0ff2e-97b9-4513-943f-0d221bd30080 is fixed; only the DC= components change per forest.
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=apac,DC=eskonr,DC=com"
# The keywords attribute holds the discovery values: azureADName:<tenant domain> and azureADId:<tenant ID>
$scp.Keywords
As you can see below, my Azure AD tenant ID and domain are registered.
If you don't like scripts and prefer the GUI, you can open adsiedit.msc and walk through the following settings to verify the SCP records.
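A more robust version of the SCP check, as an added example that is not the post's own script: it discovers the Configuration naming context from RootDSE instead of hard-coding the DC= components, confirms the SCP object exists before binding, and splits the keywords into the tenant name and tenant ID so they can be compared with what you expect. The only assumption is that the script runs on a domain-joined machine as a user who can read the Configuration partition (any authenticated domain user can, by default).

```powershell
# Added example, not from the original post. Reads the hybrid Azure AD join SCP for the current forest.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext      # e.g. CN=Configuration,DC=apac,DC=eskonr,DC=com
# 62a0ff2e-97b9-4513-943f-0d221bd30080 is the fixed CN Azure AD Connect uses for this SCP
$scpPath  = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
    throw "SCP object not found at $scpPath - re-run 'Configure device options' in Azure AD Connect or create it via adsiedit.msc"
}

$scp = [ADSI]$scpPath
$info = [ordered]@{}
foreach ($kw in @($scp.keywords)) {
    # each keyword is 'azureADName:<verified tenant domain>' or 'azureADId:<tenant GUID>'
    $key, $value = [string]$kw -split ':', 2
    $info[$key] = $value
}
$result = [pscustomobject]$info
$result | Format-List

# Sanity checks a practitioner wants before pointing clients at this SCP:
# the tenant ID must be a GUID, and the tenant name must be the domain you verified in Azure AD.
if (-not ($result.azureADId -as [guid])) {
    Write-Warning "azureADId '$($result.azureADId)' is not a valid GUID"
}
$expectedTenant = 'apac.eskonr.com'   # replace with your own verified Azure AD domain
if ($result.azureADName -ne $expectedTenant) {
    Write-Warning "SCP points at tenant '$($result.azureADName)', expected '$expectedTenant'"
}
```

Because every domain-joined Windows 10 client discovers its tenant from this object, a wrong azureADName or azureADId here sends the whole forest's registrations to the wrong tenant, so the comparison against the expected domain is worth keeping in any post-deployment check.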
Once the Azure AD sync has completed successfully (for the OU you configured), you should see the userCertificate attribute populated on all Windows 10 computers in the OU selected for Azure AD sync.
This userCertificate must be present in the device's attribute properties, as it is mandatory before the device can complete hybrid Azure AD join.
Go to Active Directory Users and Computers (dsa.msc).
Click View and enable Advanced Features.
Now go to a Windows 10 PC (this does not apply to Windows 7) that is in the OU configured for sync in Azure AD Connect, right-click it, choose Properties, click the Attribute Editor tab and scroll down to userCertificate.
With this we have completed one of the prerequisites required for hybrid Azure AD join.
As I said in the beginning, Seamless Single Sign-On is also one of the requirements for hybrid Azure AD join in non-federated domains.
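The two manual checks above, whether the computer OU is in the sync scope (prerequisite 2) and whether each Windows 10 computer already carries a userCertificate, can be done for the whole OU at once. The following is an added example, not code from the original post: it uses the ActiveDirectory module (present on the DC via the AD DS tools) and, optionally, the AzureAD module to compare against the tenant. The OU distinguished name is a placeholder; Windows 7 computers are listed but not flagged, since only Windows 10 writes userCertificate.

```powershell
# Added example, not from the original post. Run on DC01 (or any box with RSAT AD tools).
Import-Module ActiveDirectory
$syncOu = 'OU=Workstations,DC=apac,DC=eskonr,DC=com'   # assumed OU, replace with the OU you sync

$computers = Get-ADComputer -SearchBase $syncOu -Filter * `
    -Properties operatingSystem, userCertificate, lastLogonTimestamp

$report = foreach ($c in $computers) {
    $isWin10 = $c.operatingSystem -like 'Windows 10*'
    $hasCert = $c.userCertificate.Count -gt 0
    [pscustomobject]@{
        Name            = $c.Name
        OperatingSystem = $c.operatingSystem
        HasUserCert     = $hasCert
        LastLogon       = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
        Status          = if ($isWin10 -and -not $hasCert) { 'NOT READY: userCertificate missing' }
                          elseif ($isWin10)               { 'ready for hybrid Azure AD join' }
                          else                            { 'down-level OS: no userCertificate expected' }
    }
}
$report | Sort-Object Status, Name | Format-Table -AutoSize

# A Windows 10 machine that has logged on recently but still has no userCertificate is the usual
# sign that its OU is outside the Azure AD Connect sync scope or a sync cycle has not run yet.
$stale = $report | Where-Object { $_.Status -like 'NOT READY*' }
if ($stale) { Write-Warning ("{0} Windows 10 computer(s) not yet prepared for hybrid join" -f $stale.Count) }

# Optional tenant-side comparison: needs the AzureAD module and a prior Connect-AzureAD.
if (Get-Command Get-AzureADDevice -ErrorAction SilentlyContinue) {
    try {
        # DeviceTrustType 'ServerAd' is what a hybrid Azure AD joined device shows in the tenant
        Get-AzureADDevice -All $true |
            Where-Object { $_.DisplayName -in $computers.Name } |
            Select-Object DisplayName, DeviceTrustType, ApproximateLastLogonTimeStamp |
            Format-Table -AutoSize
    } catch {
        Write-Warning "Could not query Azure AD (run Connect-AzureAD first): $_"
    }
}
```

Treat the on-prem list as the source of truth for scoping: a computer that appears in the OU report but never shows up in the tenant comparison is almost always a sync-scope or attribute-flow problem rather than a client-side one.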
How to enable Seamless SSO through Azure AD Connect? Please continue to Part 2 of this series.
Reference guides:
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq
2 Comments
Question: What will happen to the clients after the Azure AD hybrid join configuration is set? What will happen to the clients that are scoped within the OU we specified to sync out to AAD? And what will happen to the rest of the clients, not scoped, if they find the SCP?
Hi,
In what way do you ask for it? There will not be any changes to client information in Active Directory, nor configuration changes to clients in AD. It is just that the computer account is now hybrid Azure AD joined, which means the computer is in on-prem AD and also Azure AD joined. This is basically to prevent any non-domain joined PCs from connecting to Office 365, using Conditional Access.
Thanks,
Eswar