Thought I’d make some notes around Azure AD Hybrid while the details are all bouncing around in my head.
What is Azure AD Hybrid?
A Windows device can be domain joined, where you change it from a workgroup to a domain and authenticate against a domain controller, and a computer object gets created in Active Directory. It can also be Azure AD joined, where you use your work account to join the device straight to Azure Active Directory. The latter is the modern method, can only be done in Windows 10 as far as I know, and is really designed for an organisation that's on the Microsoft 365 suite of products (think of Intune as a part of that) and either doesn't need legacy on-prem connections, or can do some trickery to give access to things where you'd historically have used on-prem Active Directory authentication.
There is a third option though, born out of the need for devices to have a foothold in both worlds: Azure AD Hybrid join. This lets you register an already domain joined device in Azure AD as well, and it has to happen in that order (domain join first, then Azure AD). It's supported on Windows 10 (Microsoft calls these "current" devices) as well as Windows 7/8/8.1 ("down-level" devices), but I've only tested it on Windows 10. There's more work and more steps involved to support down-level devices.
Why would I want Azure AD Hybrid?
There's a bunch of reasons! A lot of the cool new identity and device features coming out of Azure AD won't work at all, or won't work as nicely, on a pure domain joined device:
Windows Hello for Business
Seamless Single Sign-On (SSO) with Pass-through Authentication (PTA)
Conditional Access
Windows Store for Business
Enterprise compliant roaming
Multi-factor Authentication
Conditional Access gives you options for a better user experience rather than just forcing MFA in every scenario. One option I like is allowing a hybrid Azure AD joined device to access a resource with nothing beyond a password. Combined with Seamless SSO and PTA, that means a user can take their laptop anywhere, log on to Windows, and access resources without any further prompts. If the same user tries to reach the same resource from a device that isn't hybrid joined, they're challenged for another authentication method instead. It's even better with Windows Hello for Business fingerprint or camera login, but that's a whole other topic.
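As an added example (not code from the original post), here is the grant described above expressed as a Conditional Access policy created through Microsoft Graph with the Microsoft.Graph PowerShell SDK. It assumes you have already run Connect-MgGraph with the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes; the pilot group ID, the break-glass user ID, the display name and the function name are assumptions for illustration. The policy is created in report-only mode so you can see who it would have blocked before it enforces anything.

```powershell
# Added example, not from the original post: create a Conditional Access policy that
# lets hybrid Azure AD joined devices in on their password alone and requires an
# Intune-compliant device from anything else, scoped to a pilot group, in report-only mode.
# Assumes: Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All'

function New-HybridJoinGrantPolicy {
    param(
        # Object ID of a small test group (assumed; start with a group containing just yourself).
        [Parameter(Mandatory)][string]$PilotGroupId,
        # Object ID of an emergency access account that must never be caught by device rules (assumed).
        [Parameter(Mandatory)][string]$BreakGlassUserId,
        [string]$DisplayName = 'Pilot: require hybrid joined or compliant device'
    )

    $policy = @{
        displayName = $DisplayName
        # Report-only: sign-ins are evaluated and logged, nobody is blocked yet.
        state = 'enabledForReportingButNotEnforced'
        conditions = @{
            users          = @{ includeGroups = @($PilotGroupId); excludeUsers = @($BreakGlassUserId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            # OR, not AND: a hybrid Azure AD joined laptop satisfies 'domainJoinedDevice'
            # with just its password, while a phone has to be marked compliant by Intune.
            operator        = 'OR'
            builtInControls = @('domainJoinedDevice', 'compliantDevice')
        }
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($policy | ConvertTo-Json -Depth 10) `
        -ContentType 'application/json'
}

# Usage (IDs are placeholders):
# New-HybridJoinGrantPolicy -PilotGroupId '<pilot-group-object-id>' -BreakGlassUserId '<break-glass-object-id>'
```

domainJoinedDevice is Graph's name for the "Require Hybrid Azure AD joined device" grant in the portal. Leave the policy in report-only until the sign-in logs show only the expected devices failing it, then change state to 'enabled'; if you had used operator 'AND', every laptop would also need to be Intune-compliant, which is usually not what you want on day one.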
How To Set Up Azure AD Hybrid
I won't go into too many details here, as there's excellent documentation already that covers both ADFS and non-ADFS environments. Unless you already have ADFS, you most likely don't need it, and it isn't the recommended method, as ADFS itself is much more complex (though it fully works and is supported).
Very high level, the two steps are:
- Configure Azure AD Connect for Azure AD Hybrid Join using the setup/configuration wizard
- Enable "Register domain-joined computers as devices" via Group Policy under Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. On older ADMX templates the same setting lives under Windows Components > Workplace Join and is called "Automatically workplace join client computers".
That's really it. Read the documentation though, there's a lot to consider, but the end result should have no impact on users. They won't know or see that their device is hybrid Azure AD joined, and (at the time of writing) you can't even see it in the GUI settings.
How to see if a device is Azure AD Hybrid Joined
On a PC itself, run 'dsregcmd /status' from a command prompt. The Device State section at the top of the output shows 'AzureAdJoined : YES' or 'AzureAdJoined : NO'; a hybrid joined device shows both 'AzureAdJoined : YES' and 'DomainJoined : YES'. Pretty straightforward! You'll see a lot more information further down (device, tenant and SSO details) when it is joined.
You can also check from the Azure AD side with the MSOnline PowerShell command 'Get-MsolDevice -Name <computername>', or 'Get-MsolDevice -DeviceId <GUID>' using the DeviceId value from the dsregcmd output (the DeviceId parameter wants that GUID, not the hostname). You'll either get a device object back, with DeviceTrustType showing 'Domain Joined' for a hybrid joined device, or you won't; again it's pretty clear.
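The two checks above, the local one and the Azure AD one, as an added example that is not code from the original post. It parses 'dsregcmd /status' into a join state and then looks the device up in Azure AD by the GUID dsregcmd reports. It assumes the MSOnline module is installed and Connect-MsolService has been run before the tenant lookup; the function names and the abbreviated dsregcmd output used as sample input are constructed for the example.

```powershell
# Added example, not from the original post: classify a device's join state from
# 'dsregcmd /status' output and confirm the matching object exists in Azure AD.
# Assumes: MSOnline module installed and Connect-MsolService already run before
# Test-AzureAdDeviceObject is called. The $sample text below is constructed.

function Get-DeviceJoinState {
    param(
        # Lines of 'dsregcmd /status' output; defaults to running the tool on this machine.
        [string[]]$StatusLines = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )

    # Collect every single-word 'Name : Value' line; the +---+ and | banner | lines don't match.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $aadJoined    = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $fields['DomainJoined']  -eq 'YES'

    # Hybrid Azure AD join is simply both flags set: the device is in AD *and* in Azure AD.
    $state = 'NotJoined'
    if ($aadJoined -and $domainJoined) { $state = 'HybridAzureAdJoined' }
    elseif ($aadJoined)                { $state = 'AzureAdJoined' }
    elseif ($domainJoined)             { $state = 'DomainJoinedOnly' }

    [pscustomobject]@{
        State      = $state
        DeviceId   = $fields['DeviceId']    # GUID of the Azure AD device object (only present once joined)
        TenantName = $fields['TenantName']
        AzureAdPrt = $fields['AzureAdPrt']  # YES once the user holds a Primary Refresh Token, i.e. SSO works
    }
}

function Test-AzureAdDeviceObject {
    param([Parameter(Mandatory)][guid]$DeviceId)

    # -DeviceId wants the GUID from dsregcmd, not the computer name (that is -Name).
    # A hybrid joined object reports DeviceTrustType 'Domain Joined'.
    try {
        $device = Get-MsolDevice -DeviceId $DeviceId -ErrorAction Stop
    } catch {
        return $null   # no object in the tenant: registration has not happened (yet)
    }

    [pscustomobject]@{
        DisplayName     = $device.DisplayName
        DeviceTrustType = $device.DeviceTrustType
        Enabled         = $device.Enabled
        LastLogon       = $device.ApproximateLastLogonTimestamp
    }
}

# Constructed, abbreviated sample in the shape of real dsregcmd output, so the
# parser can be exercised offline without touching a joined machine.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 7f5a0b3e-2c41-4b8e-9a1d-0d6e7c2f1a34

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

$local = Get-DeviceJoinState -StatusLines $sample
$local

# Against a real tenant, after Connect-MsolService:
# if ($local.State -eq 'HybridAzureAdJoined') { Test-AzureAdDeviceObject -DeviceId $local.DeviceId }
```

For the constructed sample, Get-DeviceJoinState returns State 'HybridAzureAdJoined' with the DeviceId and tenant name filled in; on a real machine drop the -StatusLines argument and it runs dsregcmd itself. A device that shows HybridAzureAdJoined locally but has no object in the tenant (Test-AzureAdDeviceObject returning $null) is the case where the troubleshooting steps below come in.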
If it's not joined and you want to work out why, it gets a bit tougher. There's a great blog post on troubleshooting, but you can always log a case with Microsoft to get some assistance.
I haven't come across or read any reason not to set up hybrid Azure AD join, as long as you're already in a position where all your users and devices are syncing. Seamless SSO and Pass-through Authentication are a great reason in themselves to head down this path, as the user experience is a lot nicer without constantly re-entering passwords.
Hello Mate,
I'm basically in the same situation, thanks a lot for this post!
We are planning to implement Conditional Access on our Office 365 tenant. We recently bought the E3 plan (140 licences) + EMS (140 licences), and we have on-premises AD.
The idea is to restrict access to Office 365 services (Exchange, SharePoint, Teams...) to managed devices (laptops + phones). I know we can set a location condition, but this is not an option for us, as our employees change locations constantly.
I just finished installing the ProPlus version on all laptops (I'm so happy to not deal with OEM licences anymore!!)
Please help me with this, I'm new to Azure and I don't want to mess with rules and lock up everything!
By the way, in Azure AD I see that all devices are marked as registered, and I have read somewhere that I need to change this status before joining them to hybrid Azure AD. We only have Win 10 Pro and 3 DCs on-premises. What about a non-routable domain? Ours is contoso.lan; when I run AD Connect I get the warning.
thank you very much !
Hi Amine,
OK you’re on the right track and don’t overthink this too much. All you need is a Conditional Access rule that requires Azure AD Hybrid devices under the Access Controls > Grant area of a new policy.
Of course this’ll break the ability for mobile phones to log in, so you’ll probably need ‘Require device to be marked as compliant’ too in the same area.
Apply the setting just to yourself for testing too :)
Great stuff. I have a small query here. We currently have Azure AD Connect installed with the older version, which syncs almost everything (all users and all computer objects). All the computers show as Hybrid AD joined in the Azure portal; however, they are actually not, probably because we didn't configure Hybrid Azure AD in Azure AD Connect. Now we are actually doing a couple of things here in my organization. First is to update Azure AD Connect and change the federated domain to a managed domain (PTA). Once the authentication method is changed, we will enable the Hybrid Azure AD join, and this is what I am confused with. Let's say we configure the hybrid Azure AD join in Azure AD Connect but we don't configure GPOs to enable/disable the automatic registration. First question is, do we actually require the GPOs to enable/disable automatic registration? Shouldn't configuring the Hybrid Azure AD join through Azure AD Connect take care of it, or do we have to have the GPOs in place to enable the automatic registration? Any help will be greatly appreciated. Thanks
This one doesn't appear for me:
Enable “Register domain-joined computers as devices” via Group Policy under Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.
Hi Adam, thank you for a great article.
I have a question for you: do I understand right that a Hybrid Azure AD joined computer is authenticated against an on-premises domain controller only?
Thank you in advance