Configuring Hybrid Device Join On Active Directory with SSO


The instructions from Microsoft at https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup are missing some of the steps on setting up hybrid device join to Azure AD. This is a complete list of steps when Pass-Thru auth with SSO is enabled on the domain.

  1. Enable SSO – this is covered elsewhere. You can also do hybrid device join on a federated domain, though this is not covered here.
  2. On your AADConnect server ensure that the MSOnline PowerShell add-in is installed – this is the AdministrationConfig-3.msi executable that is needed to run cmdlets like Get-MSOLUser. It is only supported by the MSOnline PowerShell module version 1.1.166.0. To download this module, use this link
  3. Open an administrative PowerShell
  4. cd 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep'
  5. Import-Module .\AdSyncPrep.psm1
  6. This will enable the AD module and import some scripts for device writeback and device registration. We are looking at device registration here
  7. $aadAdminCred = Get-Credential

    #Enter a global admin credential

  8. Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred

    #[connector account name] is the name of your domain (domain.local for example) as shown in the AADConnect Synchronization Service Manager

  9. You should see the message “Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.” followed by “Configuration Complete”. Errors about Azure Registration mean you are running the wrong version of the Azure AD PowerShell cmdlets
  10. The required settings in AD (for one forest) are now done. If you have multiple forests, return to the above referenced document and run the script to register the Devices Registration Configuration node to AD
  11. If you have conditional access available (have at least one Azure AD Premium licence assigned to your admin account) then you can add Trusted Sites to Azure AD so that MFA prompts for device join only occur outside those locations. Add each office public NATed IP address with /32 (or whatever prefix length is needed) into Azure Active Directory (under portal.azure.com) > Conditional Access > Named Locations > New Location
  12. Add the same IPs to the “Configure MFA trusted IPs” link on the same page where you see the IPs listed above
  13. Your list of devices under Azure Active Directory should now increase as users reboot Windows 10 1703 machines and later. See the above document about the GPO setting needed to roll this out to older versions of Windows (Workplace Join settings)
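As an added example (not code from the original post), here is a PowerShell session that wraps steps 3 to 9 with the checks the comments below show are needed (RSAT tools present, the exact MSOnline build, credentials accepted by Get-ADRootDSE) and then verifies the Device Registration Configuration node that step 10 refers to. The connector account value is a placeholder, and the container path under CN=Services is an assumption based on Microsoft's documented layout, not something the post states.

```powershell
# Added example, not from the original post: pre-flight checks and post-run
# verification around Initialize-ADSyncDomainJoinedComputerSync, run on the
# AAD Connect server in an elevated PowerShell.
$ConnectorAccount = 'domain.local'   # placeholder: your domain as shown in Synchronization Service Manager
$AdPrepPath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep'

# 1. AdSyncPrep.psm1 needs the AD PowerShell module and dsacls from RSAT.
if (-not (Get-WindowsFeature RSAT-AD-PowerShell).Installed) {
    Add-WindowsFeature RSAT-AD-Tools | Out-Null
}
Import-Module ActiveDirectory

# 2. "Azure Registration" errors come from running the wrong MSOnline build.
$msol = Get-Module -ListAvailable MSOnline | Sort-Object Version -Descending | Select-Object -First 1
if (-not $msol -or $msol.Version -ne [version]'1.1.166.0') {
    throw "MSOnline module 1.1.166.0 is required; found: $($msol.Version)"
}
Import-Module MSOnline

# 3. "The server has rejected the client credentials" means this session cannot
#    even read RootDSE; confirm that works before the script touches the schema.
$rootDse  = Get-ADRootDSE -ErrorAction Stop
$configNC = $rootDse.configurationNamingContext

# 4. Run the Microsoft-supplied preparation with a global admin credential.
Import-Module (Join-Path $AdPrepPath 'AdSyncPrep.psm1')
$aadAdminCred = Get-Credential -Message 'Azure AD global admin credential'
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount $ConnectorAccount -AzureADCredentials $aadAdminCred

# 5. Verify the service connection point was written under the Device Registration
#    Configuration container (assumed path) and show the tenant keywords clients use.
$drcBase = "CN=Device Registration Configuration,CN=Services,$configNC"
$scp = Get-ADObject -SearchBase $drcBase -SearchScope OneLevel -Filter * `
       -Properties keywords -ErrorAction SilentlyContinue
if (-not $scp) { throw "No service connection point found under $drcBase" }
$scp | Select-Object Name, @{ n = 'Keywords'; e = { $_.keywords -join '; ' } }
```

The keywords on the SCP should name your tenant (azureADName and azureADId entries); if the object is missing or points at the wrong tenant, domain joined Windows 10 clients will not register.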

Comments

15 responses to “Configuring Hybrid Device Join On Active Directory with SSO”

  1. RKast

    I was encountering the problem that dcacls.exe was missing when tuning the ps1 script. Just copy paste from Windows server with AD tools.
    Question I have, do we need to enable device sync in AD Connect for hybrid Azure AD join?

    Thanks for this write up

    1. Brian Reid

      Add-WindowsFeature RSAT-AD-Tools

      The above is needed on the AAD Connect server for all the tools and scripts here. This puts AD PowerShell and dacls on the server in the correct manner. Would suggest you do this to “fix” any dependencies with the copy and paste of the actual file.

      I always put the AD RSAT tools on the AAD Connect server as there is always a use for ADUC (dsa.msc) on the server as you need to examine sync errors etc.

    2. Brian Reid

      Regards AD Device Writeback (if that is what you mean by device sync) then no. Write back takes devices registered (not joined) to AAD and syncs them back to AD DS for ADFS based conditional access. The OU/container with the computers in for hybrid AD Join is required to sync if doing SSO auth, but not if doing ADFS/federated auth

      1. RKast

        Thanks for your reply and answer! Yes, I mean Device writeback, so no need for that, check.

      2. Jeremy Hagan

        Hi,
        By SSO auth do you mean password hash sync? I’ve followed these steps and enabled the Device Registration policy in GPO, but the devices aren’t registering. I’m using PTA with Seamless Single-SignOn

        1. Brian Reid

          SSO Auth means “PTA with Seamless Single-SignOn” or “PHS with Seamless Single-SignOn”. Password hash sync on its own is not SSO

      3. Neven

        Sorry if I’m being redundant, but your post and its comment section are the only place in the whole internet which comment on the necessity of device writeback for hybrid AAD join. So just to make sure: Setting up hybrid AAD join without AD FS (as per https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) does *not* require an AAD P1 (or P2) license (including device writeback), the basic version that comes with our O365 subscription will do? Another confirmation would be very much appreciated! Thank you very much in any case!

        1. Brian Reid

          Hybrid AAD Join is not restricted to a licence version. You need AAD Premium to make use of the hybrid join (such as device groups and conditional access) but to actually add the devices to the directory does not require a licence, just an Azure Active Directory synced from AD.

  2. RKast

    Sorry, 1 last question 🙂 in AD Connect we do not need to select the OU where the win10 devices are to sync to Azure/o365 ?

  3. Brian Reid

    Only if your auth method is SSO. If your auth method is ADFS then you do not (check my second answer above – “The OU/container with the computers in for hybrid AD Join is required to sync if doing SSO auth, but not if doing ADFS/federated auth”)

    1. RKast

      Yes that sentence triggered me to ask and double check 🙂 Once again many thanks Brian. Keep up those fantastic blog Posts.

  4. Emret

    Can someone help? I am getting the below error:

    Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.
    Get-ADRootDSE : The server has rejected the client credentials.
    At C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1:571 char:21
    + $rootDSEEntry = Get-ADRootDSE
    + ~~~~~~~~~~~~~
    + CategoryInfo : SecurityError: (:) [Get-ADRootDSE], AuthenticationException
    + FullyQualifiedErrorId : GetADRootDSE:BeginProcessing:InvalidCredentials,Microsoft.ActiveDirectory.Management.Commands.GetADRootDSE

    Get-ADRootDSE : The server has rejected the client credentials.
    At C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1:956 char:21
    + $rootDSEEntry = Get-ADRootDSE
    + ~~~~~~~~~~~~~
    + CategoryInfo : SecurityError: (:) [Get-ADRootDSE], AuthenticationException
    + FullyQualifiedErrorId : GetADRootDSE:BeginProcessing:InvalidCredentials,Microsoft.ActiveDirectory.Management.Commands.GetADRootDSE

    SearchADObject : Cannot bind argument to parameter ‘searchBase’ because it is an empty string.
    At C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1:959 char:27
    + return SearchADObject $schemaDN $oneLevelSearchScope ldapDisplayN …
    + ~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [SearchADObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,SearchADObject

    [ERROR] Active Directory Schema does not support container

    1. Brian Reid

      In the error it says “Active Directory Schema does not support container”. So what version of the schema are you running on AD? Your forest functional level will help here, but you can prep a forest for a later schema than the server of the AD servers you are running.

  5. Sumit

    Hi,
    I have successfully configured the hybrid Azure AD environment and devices are showing hybrid Azure AD joined. But I am not able to login with the cloud user into the device which is hybrid Azure AD joined.
    Thanks,

    1. Brian Reid

      Sorry, I cannot help you here without more info. Error messages, event log, proxy status, firewall, what dsregcmd /status shows, what you have already done, what cloud auth type you are using, what your client version and patch level is etc… Sorry. Or give us a call for some consultancy rates, as the end to end pieces you need in place to get this to work now can be complex.
