Microsoft Entra Hybrid Join is an identity solution that allows devices to authenticate in both a Windows Server Active Directory domain and Microsoft Entra ID. This provides companies with the flexibility and security they need to effectively manage resources while ensuring a high level of security.

Microsoft Entra ID is built with global high availability. In conjunction with features such as seamless single sign-on (SSO) or Microsoft Entra Conditional Access, Microsoft Entra ID offers additional features that significantly increase security and can only be implemented at a high cost with a pure Windows Server Active Directory infrastructure.

With Microsoft Entra Hybrid Join, you get the best of both worlds (local and cloud) at the same time. The device has access to both Windows Server Active Directory and Microsoft Entra ID.

This blog article shows in detail the steps for configuring Microsoft Entra Hybrid Join.

Prerequisites and Licensing

Licenses

Microsoft Entra Hybrid Join does not require a paid license. The Microsoft Entra ID Free license is sufficient, and it is part of every Microsoft tenant.

Devices

The following requirements apply to the devices:

  • Windows 10 Pro or Enterprise
  • Windows 11 Pro or Enterprise

The devices must have access to the following URLs:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com

Software

To synchronize the organizational units with the device objects in Windows Server Active Directory, Microsoft Entra Connect or Microsoft Entra Cloud Sync is used.

Windows Server Active Directory

The following steps prepare Windows Server Active Directory for use with Microsoft Entra Hybrid Join.

Microsoft Entra Connect

Device options

Microsoft Entra Hybrid Join requires the following configuration in the device options area in Microsoft Entra Connect.

Select Device Options

Select Next

Establish a connection to Microsoft Entra ID with a Global Administrator account.

Select Configure Hybrid Azure AD Join (Microsoft Entra Hybrid Join).

Select Windows 10 or later domain-joined devices

The user to be specified here for the SCP (Service Connection Point) configuration must be a member of the Enterprise Administrators group. These permissions can be revoked after successful SCP configuration.

Configuration is ready, click Configure.

Microsoft Entra Connect is now prepared for Microsoft Entra Hybrid Join.

Synchronization options

All Active Directory organizational units with devices that are configured with Microsoft Entra Hybrid Join must be synchronized with Microsoft Entra Connect.

Select Configure device options

Establish a connection to Microsoft Entra ID with a Global Administrator account.

Connect to Active Directory.

Select all Active Directory organizational units that contain devices for Microsoft Entra Hybrid Join.

Select Next

Select Next

Configuration is ready, click Configure.

The configuration has been successfully completed.

Windows Server Active Directory Permissions

Microsoft Intune Connector requires access to all Windows Server Active Directory organizational units that contain devices for Microsoft Entra Hybrid Join. The following steps configure the access.

Right-click on the organizational unit and click Delegate Control.

Start the wizard with Next.

Add all servers where Microsoft Intune Connector is running.

Further configuration requires a custom task. Select Create a custom task to delegate.

Create the custom task on Computer Objects (1) with the permissions to Create (2) and Delete (3).

Select Full control

The configuration has been successfully completed.

Automatically register domain computers

Computers integrated into the Active Directory domain are automatically registered in the background with Microsoft Entra ID via the group policy.

Enable the Group Policy Register domain joined computers as devices in Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.

Microsoft Entra ID

Microsoft Intune

MDM-URLs

For the deployment of devices with Microsoft Intune and Autopilot, the MDM URLs must be activated in the Microsoft Intune admin center (https://intune.microsoft.com).

Devices > Enroll devices > Windows enrollment > Automatic Enrollment

Enable MDM User Scope either for all or specific user groups.

Microsoft Intune Connector for Active Directory

On a Windows Server with access to the Windows Server Active Directory, the Microsoft Intune Connector is required. Download the Microsoft Intune Connector from the Microsoft Intune admin center (https://intune.microsoft.com).

Devices > Enroll devices > Intune Connector for Active Directory

Select Add (1) and Download the on-premise Intune Connector for Active Directory (2).

Copy the downloaded file ODJConnectorBootstrapper.exe to the server and start the installation.

After successful installation, select Configure Now.

Sign in to Microsoft Intune with a licensed Global Administrator or Intune Administrator. The global administrator role can be removed from the user after successful login if required.

The configuration is successfully completed after a short time.

The connection has been successfully established.

Devices > Enroll devices > Intune Connector for Active Directory

Microsoft Intune Configuration Profile

Joining the Active Directory domain is done via a Microsoft Intune Configuration Profile.

Microsoft Intune admin center (https://intune.microsoft.com)
Devices > Configuration profiles > Create > New Policy

  1. Platform: Windows 10 and later
  2. Profile type: Templates
  3. Template name: Domain join

Enter Name, e.g. Domain Join

Fill out:

  1. Prefix for the computer names, e.g. ccl-
  2. Specify domain name, e.g. int.cloudcoffee.ch
  3. Specify organizational unit, e.g. OU=Computer,OU=CCL,DC=int,DC=cloudcoffee,DC=ch

Assign profile to the devices.

Check configuration and create with Create.

Functional check

Windows 10 and Windows 11 devices register themselves in Azure Active Directory. The registration can be checked after about 10 minutes.

or open Microsoft Entra ID > Devices > All devices in the Azure Portal (https://portal.azure.com)
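
A device-side version of this check, as an added example that is not part of the original article: it parses the output of `dsregcmd /status`, reports whether the device is both domain joined and Microsoft Entra joined, and, if not, tests TCP reachability of the four URLs listed in the device prerequisites. The function names and the sample output are constructed for illustration.

```powershell
# Added example: evaluate the join state reported by `dsregcmd /status`.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Fields look like "   AzureAdJoined : YES"; section banners start with | or +.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-HybridJoinState {
    param([hashtable]$State)
    $domain = $State['DomainJoined'] -eq 'YES'
    $entra  = $State['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $entra
        HybridJoined  = $domain -and $entra      # both must be YES
        HasPrt        = $State['AzureAdPrt'] -eq 'YES'
    }
}

# Constructed sample of a device that is domain joined but not yet registered.
# On a real device use:  $lines = dsregcmd /status
$lines = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : INT
'@ -split "`r?`n"

$result = Test-HybridJoinState (ConvertFrom-DsregStatus $lines)
$result

if (-not $result.HybridJoined) {
    # Endpoints from the device prerequisites of this article.
    $endpoints = 'enterpriseregistration.windows.net', 'login.microsoftonline.com',
                 'device.login.microsoftonline.com', 'autologon.microsoftazuread-sso.com'
    foreach ($endpoint in $endpoints) {
        $test = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
        '{0,-42} TCP/443 reachable: {1}' -f $endpoint, $test.TcpTestSucceeded
    }
}
```

The reachability test only confirms that a TCP connection on port 443 can be opened from the current user context. Device registration runs in the SYSTEM context, so a proxy that requires user authentication can still block it.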

Troubleshooting

If the device does not appear in Microsoft Entra ID as Microsoft Entra Hybrid Joined even after rebooting and waiting for 10 minutes, the following may help:

