Microsoft Entra Hybrid Join is an identity solution that allows devices to authenticate in both a Windows Server Active Directory domain and Microsoft Entra ID. This provides companies with the flexibility and security they need to effectively manage resources while ensuring a high level of security.
Microsoft Entra ID is built with global high availability. In conjunction with features such as seamless single sign-on (SSO) or Microsoft Entra Conditional Access, Microsoft Entra ID offers additional features that significantly increase security and can only be implemented at a high cost with a pure Windows Server Active Directory infrastructure.
With Microsoft Entra Hybrid Join, you get the best of both worlds (local and cloud) at the same time. The device has access to both Windows Server Active Directory and Microsoft Entra ID.
This blog article shows in detail the steps for configuring Microsoft Entra Hybrid Join.
Prerequisites and Licensing
Licenses
Microsoft Entra Hybrid Join does not require a paid license. A license from Microsoft Entra ID Free is sufficient. This license is part of every Microsoft Tenant.
Devices
The following requirements apply to the devices:
- Windows 10 Pro or Enterprise
- Windows 11 Pro or Enterprise
The devices have access to the following URLs:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com
Software
To synchronize the organizational units with the device objects in Windows Server Active Directory, Microsoft Entra Connect or Microsoft Entra Cloud Sync is used.
Windows Server Active Directory
The following steps prepares Windows Server Active Directory to use with Microsoft Entra Hybrid Join.
Microsoft Entra Connect
Device options
Microsoft Entra Hybrid Join requires the following configuration in the device options area in Microsoft Entra Connect.
Select Device Options
Select Next
Establish a connection to Microsoft Entra ID through a global Administrator.
Select Configure Hybrid Azure AD Join (Microsoft Entra Hybrid Join).
Select Windows 10 or later domain-joined devices
The user to be specified here for the SCP (Service Connection Point) configuration must be a member of the Enterprise Administrators group. These permissions can be revoked after successful SCP configuration.
Configuration is ready, click Configure.
Microsoft Entra Connect is now prepared for Microsoft Entra Hybrid Join.
Synchronization options
All Active Directory organizational units with devices that are configured with Microsoft Entra Hybrid Join must be synchronized with Microsoft Entra Connect.
Select Configure device options
Establish a connection to Microsoft Entra ID through a global Administrator.
Connect to Active Directory.
Select all Active Directory organizational units that contain devices for Microsoft Entra Hybrid Join.
Select Next
Select Next
Configuration is ready, click Configure.
The configuration has been successfully completed.
Windows Server Active Directory Permissions
Microsoft Intune Connector requires access to all Windows Server Active Directory organizational units that contain devices for Microsoft Entra Hybrid Join. The following steps configure the access.
Right-click on the organizational unit and click Delegate Control.
Start the wizard with Next.
Add all servers where Microsoft Intune Connector is running.
Further configuration requires a custom task. Select Create a custom task to delegate.
Create the custom task on Computer Objects (1) with the permissions to Create (2) and Delete (3).
Select Full control
The configuration has been successfully completed.
Automatically register domain computers
Computers integrated into the Active Directory domain are automatically registered in the background with Microsoft Entra ID via the group policy.
Enable the Group Policy Register domain joined computers as devices in Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.
Microsoft Entra ID
Microsoft Intune
MDM-URLs
For the deployment of devices with Microsoft Intune and Autopilot, the MDM URLs must be activated in the Microsoft Intune admin center (https://intune.microsoft.com).
Devices > Enroll devices > Windows enrollment > Automatic Enrollment
Enable MDM User Scope either for all or specific user groups.
Microsoft Intune Connector for Active Directory
On a Windows Server with access to the Windows Server Active Directory, the Microsoft Intune Connector is required. Download the Microsoft Intune Connector from the Microsoft Intune admin center (https://intune.microsoft.com).
Devices > Enroll devices > Intune Connector for Active Directory
Select Add (1) and Download the on-premise Intune Connector for Active Directory (2).
Copy the downloaded file ODJConnectorBootstrapper.exe to the server and start the installation.
After successful installation, select Configure Now.
Sign in to Microsoft Intune with a Global Administrator or Intune Administrator.
The configuration is successfully completed after a short time.
The connection has been successfully established.
Devices > Enroll devices > Intune Connector for Active Directory
Microsoft Intune Configuration Profile
Joining the Active Directory domain is done via a Microsoft Intune Configuration Profile.
Microsoft Intune admin center (https://intune.microsoft.com)
Devices > Configuration profiles > Create > New Policy
- Platform: Windows 10 and later
- Profile typ: Templates
- Template name: Domain join
Enter Name, e.g. Domain Join
Fill out:
- Prefix for the computer names, e.g. ccl-
- Specify domain name, e.g. int.cloudcoffee.ch
- Specify organizational unit, e.g. OU=Computer,OU=CCL,DC=int,DC=cloudcoffee,DC=ch”
Assign profile to the devices.
“Check configuration and create with Create.
Functional check
Windows 10 and Windows 11 register themselves in Azure Active Directory. After about 10 minutes it can be checked.
1 | dsregcmd /status |
or open Microsoft Entra ID > Devices > All devices in the Azure Portal (https://portal.azure.com)
Troubleshooting
If the device does not appear in Microsoft Entra ID as Microsoft Entra Hybrid Joined even after rebooting and waiting for 10 minutes, the following may help:
- Analyze Event Viewer for appropriate messages. Microsoft Entra Hybrid Joined entries can be found under Applications and Services Logs > Microsoft > Windows > User Device Registration
- Troubleshoot Microsoft Entra hybrid joined devices – Microsoft Entra ID | Microsoft Learn
Folge mir auf LinkedIn und lasse Dich über meine aktuellen Beiträge informieren.