Microsoft Entra Hybrid Join is an identity solution that allows devices to authenticate against both a Windows Server Active Directory domain and Microsoft Entra ID. This gives companies the flexibility to manage resources in both environments while maintaining a high level of security.
Microsoft Entra ID is built for global high availability. Features such as seamless single sign-on (SSO) and Microsoft Entra Conditional Access significantly increase security and could only be implemented at high cost with a pure Windows Server Active Directory infrastructure.
With Microsoft Entra Hybrid Join, you get the best of both worlds (local and cloud) at the same time. The device has access to both Windows Server Active Directory and Microsoft Entra ID.
This blog article shows in detail the steps for configuring Microsoft Entra Hybrid Join.
Prerequisites and Licensing
Licenses
Microsoft Entra Hybrid Join does not require a paid license. A license starting from Microsoft Entra ID Free is sufficient and included with every Microsoft tenant.
Devices
The following requirements apply to the devices:
- Windows 10 Pro or Enterprise
- Windows 11 Pro or Enterprise
The devices have access to the following URLs:
- https://enterpriseregistration.windows.net
- https://login.microsoftonline.com
- https://device.login.microsoftonline.com
- https://autologon.microsoftazuread-sso.com
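Before rolling out, it is worth confirming from a client that the endpoints above are reachable through the corporate proxy or firewall, since a blocked endpoint is one of the most common reasons a device never reaches the registered state. The following script is an added example, not code from the original article; it uses Test-NetConnection (DnsClient/NetTCPIP modules, present on Windows 8/Server 2012 and later) and checks a TCP 443 handshake to each host.

```powershell
# Added example (not from the original article): check that this device can reach the
# Microsoft Entra device-registration endpoints over TCP 443. Runs as a standard user.
$endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'
)

$results = foreach ($endpoint in $endpoints) {
    # Test-NetConnection resolves the name and attempts a TCP connect; the ICMP ping it also
    # sends is often blocked, so only TcpTestSucceeded is used for the verdict.
    $tnc = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint = $endpoint
        Resolved = [bool]$tnc.RemoteAddress      # DNS returned an address
        TcpOpen  = $tnc.TcpTestSucceeded         # TCP 443 handshake completed
    }
}

$results | Format-Table -AutoSize

# Any failure here will later show up as "AzureAdJoined : NO" in dsregcmd /status.
if ($results.TcpOpen -contains $false) {
    Write-Warning 'At least one required endpoint is unreachable; check proxy and firewall rules before continuing.'
}
```

A successful handshake only proves network reachability; TLS inspection that replaces the Microsoft certificates will still break device registration, so exempt these hosts from interception as well.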
Software
Microsoft Entra Connect is required to synchronize Active Directory organizational units with devices.
Roles Based on the Principle of Least Privilege
Microsoft Entra Hybrid Join is configured and managed using specific Microsoft Entra roles and on-premises Active Directory permissions.
| Role | Permission |
| --- | --- |
| Administrator privileges | Installing the Microsoft Intune Connector in the Active Directory environment |
| Intune Administrator | Registration and management of the Microsoft Intune Connector for Active Directory |
| Hybrid Identity Administrator | Configuration of Microsoft Entra Connect |
Windows Server Active Directory
The following steps prepare the Windows Server Active Directory for Microsoft Entra Hybrid Join.
Microsoft Entra Connect
Device Options
Microsoft Entra Hybrid Join requires the following configuration in the Device Options section of Microsoft Entra Connect Sync.

Select Configure device options

Select Next

Sign in with a user account that has the Hybrid Identity Administrator role in Microsoft Entra ID.

Select Configure Hybrid Microsoft Entra join

Select Windows 10 or later domain-joined devices

To configure the Service Connection Point (SCP), a user account that is a member of the Enterprise Admins group is required. These permissions can be removed after the configuration is complete.

Configuration is ready, click Configure

The configuration has been completed successfully.
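The wizard writes the Service Connection Point (SCP) into the forest's Configuration partition, and domain-joined devices read it to learn which tenant to register with. Because a wrong or stale SCP silently sends every device to the wrong tenant, it is worth reading the object back after the wizard finishes. The following script is an added example, not code from the original article or from Microsoft Entra Connect; it uses the ActiveDirectory RSAT module, the Microsoft-documented SCP container and object GUID, and a hypothetical tenant name and tenant ID that you replace with your own.

```powershell
# Added example (not from the original article): read the SCP that the Microsoft Entra Connect
# wizard created and confirm it points at the expected tenant. Read access to the Configuration
# partition is granted to all authenticated users by default.
Import-Module ActiveDirectory

# Fixed, Microsoft-documented location of the SCP in the Configuration naming context
$configNc = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

# Hypothetical values for this example; replace with your tenant's verified domain and tenant ID
$expectedTenantName = 'cloudcoffee.ch'
$expectedTenantId   = '00000000-0000-0000-0000-000000000000'

$scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop

# The keywords attribute holds "azureADName:<domain>" and "azureADId:<tenant guid>"
$kv = @{}
foreach ($keyword in $scp.keywords) {
    $name, $value = $keyword -split ':', 2
    $kv[$name] = $value
}

[pscustomobject]@{
    TenantName      = $kv['azureADName']
    TenantId        = $kv['azureADId']
    TenantNameMatch = ($kv['azureADName'] -eq $expectedTenantName)
    TenantIdMatch   = ($kv['azureADId']   -eq $expectedTenantId)
}
```

If either match is false, rerun the device options wizard rather than editing the object by hand, and keep in mind that the Enterprise Admins membership used for this step should be removed again as the article describes.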

Synchronization Options
All Active Directory organizational units containing devices that are registered with Microsoft Entra Hybrid Join must be synchronized using Microsoft Entra Connect.

Select Customize synchronization options

Sign in with a user account that has the Hybrid Identity Administrator role in Microsoft Entra ID.

Connect to Active Directory

Select the Active Directory organizational units that contain devices registered with Microsoft Entra Hybrid Join.

Select Next

Select Next

Configuration is ready, click Configure.

The configuration has been completed successfully.

Microsoft Intune Connector for Active Directory
The Microsoft Intune Connector must be installed on a Windows Server with access to the Windows Server Active Directory. The connector can be downloaded from the Microsoft Intune admin center (https://intune.microsoft.com).
Devices > Device onboarding > Enrollment > Intune Connector for Active Directory

Select Add (1) and Download the on-premises Intune Connector for Active Directory (2).

Copy the downloaded file ODJConnectorBootstrapper.exe to the server and start the installation.


After successful installation, select Configure Now.

A user account assigned both the Intune Administrator role and a valid Microsoft Intune license is required for sign-in. After successful sign-in, the Intune Administrator role can be removed. For communication, the Intune Connector uses a managed service account, which is automatically created during installation.


The configuration is successfully completed after a short time.

The managed service account was created automatically.

The managed service account is visible in Active Directory under Managed Service Accounts.

The connection has been successfully established.
Devices > Device onboarding > Enrollment > Intune Connector for Active Directory

Write Access to Windows Server Active Directory
The Microsoft Intune Connector requires write access to all organizational units in the Windows Server Active Directory that contain devices registered with Microsoft Entra Hybrid Join. The following steps configure this write access.
Right-click the organizational unit and select Delegate Control.

Start the wizard with Next

Add all servers where Microsoft Intune Connector is running.

The next configuration step requires a custom task. Select Create a custom task to delegate.

Create the custom task for Computer objects (1) with the permissions Create (2) and Delete (3).

Select Full control

Click Finish to complete the configuration.
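The Delegate Control wizard above produces two access control entries on the OU: create/delete rights for computer objects on the OU itself and full control inherited by the computer objects beneath it. Setting the same entries from PowerShell makes the delegation repeatable across OUs and easy to audit afterwards. The following script is an added example, not code from the original article or from Microsoft; it uses the ActiveDirectory RSAT module and its AD: drive, the well-known schema GUID of the computer class, and a hypothetical OU and connector server name that you replace with your own.

```powershell
# Added example (not from the original article): delegate the Intune Connector server the
# same rights as the "Delegate Control" wizard, using the AD: PSDrive and Set-Acl.
# Requires the ActiveDirectory module and an account allowed to change the OU's ACL.
Import-Module ActiveDirectory

$ouDn        = 'OU=Computer,OU=CCL,DC=int,DC=cloudcoffee,DC=ch'   # hypothetical OU
$connectorPc = 'SRV-INTUNECON01'   # hypothetical: computer account of the connector server

# schemaIDGUID of the "computer" class; used to scope the ACEs to computer objects only
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADComputer -Identity $connectorPc).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# Wizard step "Create" and "Delete" for Computer objects, on this OU and all sub-OUs
$createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# Wizard step "Full control", inherited only by computer objects beneath the OU
$fullControl = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass
)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the ACEs that reference the connector's computer account
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$connectorPc`$" } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
```

Scope the delegation to the OUs that actually receive hybrid-joined devices; granting it at the domain root would let the connector server's account create and control computer objects everywhere, which is far more than the connector needs.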

Automatically Register Domain-Joined Computers
Domain-joined computers are automatically registered with Microsoft Entra ID in the background via Group Policy.
Enable the Group Policy Register domain joined computers as devices in Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.


Microsoft Intune
Automatic Enrollment
The MDM URLs are required to enable automatic device enrollment in Microsoft Intune. They direct devices to the appropriate MDM service during the sign-in process. The MDM URLs must be configured and enabled in the Microsoft Intune admin center.
Microsoft Intune admin center (https://intune.microsoft.com) > Devices > Device onboarding > Enrollment > Automatic Enrollment

Enable MDM User Scope either for all or specific user groups.

CNAME Validation
CNAME validation ensures that automatic device provisioning with Microsoft Intune works reliably. It verifies whether the public domain is correctly configured: the CNAME record enterpriseenrollment must point to enterpriseenrollment-s.manage.microsoft.com, and enterpriseregistration must point to enterpriseregistration.windows.net. If these DNS records are missing, automatic device enrollment in Microsoft Intune will fail.
Microsoft Intune admin center (https://intune.microsoft.com) > Devices > Device onboarding > Enrollment > CNAME Validation
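The same check the admin center performs can be run from any Windows machine, which is useful when the DNS records are managed by another team and you want proof before opening a ticket. The following script is an added example, not code from the original article; it uses Resolve-DnsName from the DnsClient module and a hypothetical public domain that you replace with your own.

```powershell
# Added example (not from the original article): resolve the two enrollment CNAME records for
# a public domain and compare them with the targets Microsoft Intune expects.
$domain = 'cloudcoffee.ch'   # hypothetical public domain used for enrollment

$expected = @{
    "enterpriseenrollment.$domain"   = 'enterpriseenrollment-s.manage.microsoft.com'
    "enterpriseregistration.$domain" = 'enterpriseregistration.windows.net'
}

$results = foreach ($record in $expected.Keys) {
    # For a CNAME answer, NameHost holds the alias target; a missing record yields no object
    $cname = Resolve-DnsName -Name $record -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } |
             Select-Object -First 1
    $actual = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
    [pscustomobject]@{
        Record   = $record
        Expected = $expected[$record]
        Actual   = $actual
        Ok       = ($actual -eq $expected[$record])   # -eq on strings is case-insensitive
    }
}

$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'At least one CNAME is missing or points elsewhere; automatic enrollment will fail until it is corrected.'
}
```

If the machine you run this on sits behind a split-horizon DNS that serves an internal zone for the same domain, query a public resolver with the -Server parameter of Resolve-DnsName so the result reflects what devices on the internet will see.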

Deployment Profiles
Deployment profiles in Microsoft Intune define how Windows devices are configured during the Windows Autopilot provisioning process. They specify, for example, whether a device is registered as Entra Joined or Entra Hybrid Joined. These profiles ensure a consistent and automated device setup. A prerequisite for using deployment profiles is that the devices have been previously registered with Windows Autopilot.
Microsoft Intune Admin Center (https://intune.microsoft.com) > Devices > Device onboarding > Enrollment > Deployment profiles

Select Create profile > Windows PC

Enter a profile name, for example: WDP_Entra_Hybrid_Joined

Configure the Out-of-Box Experience (OOBE) according to your organizational policies. Make sure the setting Join to Microsoft Entra ID as is set to Microsoft Entra hybrid joined.

Assign a device group that contains all devices intended to be registered via Microsoft Entra Hybrid Join.

Review the configuration and complete the setup by selecting Create.

The deployment profile has been successfully created.

Configuration Profiles
Joining the Active Directory domain is automated using a Microsoft Intune configuration profile.
Microsoft Intune admin center (https://intune.microsoft.com) >
Devices > Manage devices > Configuration > Create > New Policy
- Platform: Windows 10 and later
- Profile type: Templates
- Template name: Domain join

Enter a profile name, for example: WCP-Domain-Join

Fill in the following values:
- Prefix for the computer names, e.g. ccl-
- Specify domain name, e.g. int.cloudcoffee.ch
- Specify organizational unit, e.g. OU=Computer,OU=CCL,DC=int,DC=cloudcoffee,DC=ch

Assign the profile to the devices

Define applicability rules according to your requirements

Verify the configuration and click Create to proceed

The configuration profile has been created successfully.

Functionality Check
Device
Windows devices now register with both Microsoft Entra and Active Directory. Approximately 10 minutes after registration, the status can be verified on the device using the following PowerShell command.
dsregcmd /status
The device status must show the following values:
- AzureADJoined: Yes
- DomainJoined: Yes
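Reading the two values by eye works for one device, but when checking a pilot group it helps to parse the dsregcmd output and, at the same time, confirm the two things that drive automatic registration: the Group Policy setting enabled in the "Automatically Register Domain-Joined Computers" section above and the built-in scheduled task that performs the join. The following script is an added example, not code from the original article; it assumes only dsregcmd.exe, the ScheduledTasks module and the registry value the Group Policy writes, all present on Windows 10 and 11.

```powershell
# Added example (not from the original article): parse "dsregcmd /status" and check the
# device state expected by the article plus the policy and task behind it.
# Run in an elevated PowerShell session on the device.

# dsregcmd prints "Key : Value" lines; collect them into a hashtable. PowerShell hashtable
# keys are case-insensitive, so the tool's "AzureAdJoined" matches "AzureADJoined" below.
$status = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
        $status[$Matches[1]] = $Matches[2]
    }
}

$checks = [ordered]@{
    'AzureADJoined = YES' = ($status['AzureADJoined'] -eq 'YES')
    'DomainJoined = YES'  = ($status['DomainJoined']  -eq 'YES')
    # TenantName (Tenant Details section) shows which tenant the device actually registered with
    'TenantName present'  = [bool]$status['TenantName']
}

# The GPO "Register domain joined computers as devices" sets this policy value to 1
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
                           -Name autoWorkplaceJoin -ErrorAction SilentlyContinue
$checks['GPO autoWorkplaceJoin = 1'] = ($policy.autoWorkplaceJoin -eq 1)

# The registration is carried out by this built-in scheduled task
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                          -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
$checks['Automatic-Device-Join task present'] = [bool]$task

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } } |
    Format-Table -AutoSize

# When the join has not happened yet, the error details are in the same dsregcmd output
if (-not $checks['AzureADJoined = YES']) {
    dsregcmd /status | Select-String -Pattern 'Error' -Context 0, 1
}
```

A device that shows DomainJoined but not AzureADJoined after the waiting period usually has either the policy value missing (GPO not applied yet, check with gpresult) or the task failing; the User Device Registration event log named in the troubleshooting section below carries the exact error code.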

Microsoft Entra Admin Center
The device appears in the Microsoft Entra Admin Center with the registration status Microsoft Entra hybrid joined.
Microsoft Entra Admin Center (https://entra.microsoft.com) > Identity > Devices > All devices

Troubleshooting
If the device still does not appear with the status Microsoft Entra hybrid joined in the Microsoft Entra Admin Center after a restart and a waiting period of approximately 10 minutes, the following steps can support the troubleshooting process:
- Check the Event Viewer: Relevant entries can be found under Applications and Services Logs > Microsoft > Windows > User Device Registration.
- Further guidance is provided in the article Troubleshoot Microsoft Entra hybrid joined devices – Microsoft Entra ID | Microsoft Learn