Configuring hybrid Azure AD join involves creating a trust between your on-premises Active Directory and Azure Active Directory. This trust allows users to access resources in both environments.
To establish a hybrid Azure AD join, you need to configure Azure AD Connect to synchronize user and group objects between your on-premises Active Directory and Azure Active Directory.
Azure AD Connect is a prerequisite for hybrid Azure AD join, and it's essential to install and configure it correctly to ensure a smooth experience.
Preparing for Automatic Hybrid Azure AD Join
Preparing for Automatic Hybrid Azure AD Join requires some setup, but don't worry, it's not rocket science. You need to be familiar with device identity management in Azure Active Directory.
To get started, you'll need to install Azure AD Connect on a Windows Server that will serve as your sync server. This involves downloading the AzureADConnect.msi file, launching it, and following the installation prompts.
Next, configure your device options by running Azure AD Connect, selecting Configure device options, and specifying your Azure AD global administrator credentials. You'll also need to configure Hybrid Azure AD join and specify the device operating systems.
Before implementing hybrid Azure AD join, make sure your environment meets the requirements. This includes having Access Manager 4.5 Service Pack 1 or later installed, a federation established between Access Manager and Office 365 domain, and Azure AD Connect set up for Active Directory synchronization with Azure AD.
Here are the specific tasks you need to complete to prepare for automatic hybrid Azure AD join:
- Install Azure AD Connect on a Windows Server
- Configure device options
- Configure Enterprise Registration CNAME on your DNS server
- Enable devices to be registered with Azure AD
You can also refer to the following prerequisites for automatic hybrid Azure AD join:
- Be acquainted with Introduction to device identity management in Azure Active Directory
- Review supported devices
- Review things you should know
- Review on-premises AD UPN support for hybrid Azure AD join
By following these steps and meeting the requirements, you'll be well on your way to implementing automatic hybrid Azure AD join in your organization.
Troubleshoot Issues
If the hybrid Azure AD join is not working as expected, you can use the Event Viewer logs to locate the phase and error code for the join failures. Look for events with the event IDs 304, 305, and 307 in the User Device Registration event logs.
To find the phase of the join failure, look for the "Previous Registration" subsection in the "Diagnostic Data" section of the join status output. The "Error Phase" field denotes the phase of the join failure.
If the device is unable to complete a Microsoft Entra hybrid join, you can use the "DRS Discovery Test" in the "Diagnostic Data" section of the join status output to find the suberror code for the discovery error code.
Here are some common error codes and their resolutions:
Windows 10 and Azure AD
To set up Windows Autopilot and Microsoft Intune, you'll need to follow these steps. Set up Windows Autopilot and Microsoft Intune in Azure AD by deploying hybrid Azure AD-joined devices using Intune and Windows Autopilot. This involves downloading the Intune Connector installer using the Microsoft Edge browser, although Microsoft Server 2016 doesn't support Edge.
You can use Windows 10 to download the installer and copy it to the appropriate server. Assign licenses to the appropriate users in the Azure portal, including at least Enterprise and Mobility + Security (Intune) and Office 365 licensing. This will ensure that your devices can be managed and secured.
Once the setup is complete, test the configuration by checking the Windows 10 device status. Wait for the Windows 10 device to become Hybrid Azure AD Joined, which can take up to 30 minutes to synchronize with Azure AD. It might take another 30 minutes or more for the device to complete the Hybrid Azure AD join after it's synchronized.
You can check the device status by using the command line dsregcmd /status on the Windows 10 device. Alternatively, you can check the device status in the Azure portal, where it will appear under Azure Active Directory - Devices after it's been synchronized.
Active Directory and Authentication
For a user to log on and authenticate to an AD-joined device, that device needs network access to a domain controller.
This means remote users must use a VPN or similar means to authenticate and connect to the organization's on-premises resources.
Users can still log on locally if they have previously cached credentials, but they cannot access on-premises corporate resources without network access.
Azure-AD-joined devices only need access to authenticate against Azure AD in the cloud, eliminating the need for network access to a domain controller.
Azure AD authentication has some challenges of its own, and you should ensure it supports all your critical business applications.
Active Directory vs Azure Active Directory: What's the Difference?
Active Directory (AD) and Azure Active Directory (Azure AD) are two different infrastructure types that serve the same purpose: to manage user identities and access to resources. However, they have distinct differences.
One key difference is that traditional Active Directory is on-premises, while Azure AD is cloud-based. Another is that Azure AD requires premium licensing, whereas traditional AD does not.
If you're considering a cloud-only organization, Azure AD is the way to go, as it's specifically designed for cloud-only environments. On the other hand, traditional AD is suitable for hybrid environments.
When it comes to supported operating systems, traditional AD supports Windows 7 and 8.1, while Azure AD supports Windows 10 and 11.
Here's a breakdown of the three device trust options:
As you can see, each device trust option has its own set of requirements and restrictions. It's essential to choose the right option for your organization's specific needs.
Authentication
Authentication is a crucial aspect of Active Directory, allowing users to access resources with ease. It relies on objects created in your on-premises AD DS for Identity and Access Management (IAM) of your organization's accounts, user devices, and servers.
For users to log on and authenticate to an AD-joined device, that device needs network access to a domain controller. This is a requirement for remote users, who must use a VPN or similar means to authenticate and connect to the organization's on-premises resources.
Users can still log on locally if they have previously cached credentials, but they cannot access on-premises corporate resources without network access. This highlights the importance of a stable network connection for seamless authentication.
Azure-AD-joined devices, on the other hand, only need access to authenticate against Azure AD in the cloud. This eliminates the need for access to a domain controller, making it a more flexible option for remote users.
Primary Refresh Tokens (PRTs) can be issued to devices that are Azure-AD-joined or hybrid Azure-AD-joined to add device-specific claims and provide additional Seamless Single Sign-On (SSO) functionality for Azure AD resources.
Active Directory Installation
To install and configure Azure AD Connect for your on-premises Active Directory, you'll need to follow these steps.
First, select the checkbox next to the domain name in the SCP window. This is a crucial step in integrating Azure AD with your on-premises Active Directory.
Next, choose the IBM Security Verify tenant name for Authentication Service and click Add. This will enable you to use the IBM Security Verify tenant for authentication.
Now, you'll need to specify the on-premises Active Directory domain Admin credentials. This requires the Windows AD Server administrator user's credentials.
Enter the Admin credentials and click Next to proceed with the installation. Make sure to enter the correct credentials to avoid any issues during the installation process.
Prerequisites and Configuration
To implement hybrid Azure AD join, you'll need to complete several prerequisites first. Be familiar with device identity management in Azure Active Directory and review supported devices, including Windows current versions. You should also review things you should know and on-premises AD UPN support for hybrid Azure AD join.
Your environment must meet specific requirements, including installing Access Manager 4.5 Service Pack 1 or later, establishing a federation between Access Manager and Office 365 domain with appropriate subscriptions, and setting up Azure AD Connect for Active Directory synchronization with Azure AD.
Here are the key requirements in a concise list:
- Access Manager 4.5 Service Pack 1 or later installed
- Federation established between Access Manager and Office 365 domain
- Azure AD Connect setup for Active Directory synchronization
Precheck Phase
The precheck phase is a crucial step in the hybrid Azure AD join process, where the device checks its environment to ensure it can successfully join Azure AD. This phase can be a bit tricky, but don't worry, I've got you covered.
A possible reason for failure during the precheck phase is if the device has no line of sight to the domain controller. This can cause issues with the device's ability to authenticate with Azure AD.
To troubleshoot errors during the precheck phase, you can refer to the following table:
By checking these potential error codes and resolutions, you can quickly identify and fix any issues that may be preventing your device from successfully completing the precheck phase.
Discover Phase
The discover phase is a crucial step in the hybrid Azure AD join process. It can be frustrating when it fails, but don't worry, we'll go through the common causes and resolutions.
The service connection point object might be misconfigured or can't be read from the domain controller, which can cause the discover phase to fail. This can be resolved by referring to the Configure a service connection point section.
To troubleshoot the issue, you can look for the DRS Discovery Test in the Diagnostic Data section of the join status output. This section is only displayed if the device is domain-joined and unable to complete a Microsoft Entra hybrid join.
Here are some common error codes and their resolutions:
Windows Autopilot and Intune
To set up Windows Autopilot and Microsoft Intune, you'll need to follow these steps. First, you'll need to set up Windows Autopilot and Microsoft Intune in Azure AD, which involves downloading the Intune Connector installer using the Microsoft Edge browser.
However, if you're using Microsoft Server 2016, you won't be able to use Edge, so you can use Windows 10 to download the installer instead.
To proceed, you'll need to assign licenses to the appropriate users in the Azure portal, which should include Enterprise and Mobility + Security (Intune) and Office 365 licensing.
Here's a step-by-step guide to setting up Windows Autopilot and Microsoft Intune:
- Set up Windows Autopilot and Microsoft Intune in Azure AD: See Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot (Microsoft Docs).
- Assign licenses to the appropriate users in the Azure portal: See Assign or remove licenses in Azure (Microsoft Docs).
Configuring SPN and Keytab for Kerberos Authentication
To configure SPN and keytab for Kerberos authentication, you'll need to ensure that your Active Directory is properly set up for Kerberos Single Sign-On (SSO).
Kerberos authentication relies on a device's ability to access a domain controller, which can be a challenge for remote users. For Azure-AD-joined devices, however, authentication is handled by Azure AD in the cloud, eliminating the need for domain controller access.
To configure SPN and keytab, you'll need to create a keytab file that contains the Service Principal Names (SPNs) for your application. This file will be used to authenticate users and grant access to resources.
The keytab file should contain all the necessary SPNs, including any additional ones required for Federating multiple domains for Microsoft 365. This is crucial for ensuring seamless authentication and access to resources.
To upload the keytab file, you'll need to follow these steps:
- Login to the IBM Security Verify Admin portal.
- Click Applications.
- Find the Microsoft 365 application to update from the list and click the gear icon on the right of the row to change the application settings.
- Click the Sign-on tab. Ensure that the Sign-on method is WS-Federation.
- At the Upload keytab file section, click Select keytab file and select the keytab file to use.
- At the Service principal names section, enter the SPN to use.
- Click Save.
After saving the keytab file, you'll see the sha256 checksum of the uploaded file displayed. This is an important step in verifying the integrity of the keytab file and ensuring that it's properly configured for Kerberos authentication.
Create New Microsoft 365 App (WS-Federation)
To create a new Microsoft 365 application using WS-Federation, you'll need to follow these steps.
First, log in to the IBM Security Verify Admin portal.
Click Applications and then click Add application.
Select Microsoft 365 from the Select Application Type list and click Add application.
Fill in the information on the General tab.
Click the Sign-on tab and select WS-Federation for Sign-on method. The Provider ID and WS-Federation endpoint of the application are not changed. Ensure that the correct certificate is selected for Signature Certificate.
To map attributes, select the attribute to be used for Name identifier under SAML subject and the attributes to be used for UPN and ImmutableID under Attribute mappings. Additional attribute mappings can be added here if needed.
To configure the keytab file, click Select keytab file and select the keytab file to use.
In the Service principal names section, enter the SPN to use. If Federate multiple domains for Microsoft 365 is checked, multiple SPNs can be added.
Remember, the keytab file must contain all the SPNs.
Finally, click the Save button at the bottom right of the page and configure the Access Type on the Entitlements tab.
Retrieve PRT Status with Dsregcmd /Status
To retrieve the PRT status, open a Command Prompt window in the context of the logged-in user. Run the command dsregcmd /status to get the PRT status.
The "SSO state" section provides the current PRT status. If the AzureAdPrt field is set to NO, there was an error acquiring the PRT status from Microsoft Entra ID.
If the AzureAdPrtUpdateTime is more than four hours old, there's likely an issue with refreshing the PRT. Lock and unlock the device to force the PRT refresh, and then check whether the time updates.
To troubleshoot issues with the PRT refresh, you can check the following:
- Verify that the device is joined to Azure AD by checking the AzureAdJoined field in the dsregcmd /status output.
- Check the SSO state section for any errors or warnings.
- Verify that the user is signed in with a valid Azure AD account.
Note: If you're still experiencing issues with the PRT refresh, you may need to troubleshoot further or seek additional support.
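The checks described above for the PRT status (AzureAdPrt, AzureAdPrtUpdateTime older than four hours), the AzureAdJoined and DomainJoined fields, and the event IDs 304, 305 and 307 named in the Troubleshoot Issues section, as one added PowerShell triage script that is not part of the original article. It assumes it runs on the Windows device as the signed-in user and that dsregcmd prints the update time as "yyyy-MM-dd HH:mm:ss.fff UTC"; the function names are my own.

```powershell
# Added example (not from the original article): triage the fields the text describes
# in "dsregcmd /status" output and pull the join-failure events it names.
# Assumptions: runs on the Windows device as the signed-in user, and the
# timestamp format "yyyy-MM-dd HH:mm:ss.fff UTC" matches current dsregcmd output.

function Get-DsregStatus {
    param([string[]]$Lines = (dsregcmd /status))
    $fields = @{}
    foreach ($line in $Lines) {
        # Data lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

function Test-HybridJoinHealth {
    param([hashtable]$Status, [int]$MaxPrtAgeHours = 4)
    $findings = @()
    if ($Status['DomainJoined'] -ne 'YES')  { $findings += 'DomainJoined is not YES: device is not joined to on-premises AD' }
    if ($Status['AzureAdJoined'] -ne 'YES') { $findings += 'AzureAdJoined is not YES: the hybrid join has not completed' }
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $findings += 'AzureAdPrt is NO: no PRT was acquired from Microsoft Entra ID'
    } elseif ($Status.ContainsKey('AzureAdPrtUpdateTime')) {
        # Strip the trailing "UTC" and parse the timestamp as universal time.
        $raw     = $Status['AzureAdPrtUpdateTime'] -replace '\s*UTC$', ''
        $updated = [datetime]::ParseExact($raw, 'yyyy-MM-dd HH:mm:ss.fff',
                       [Globalization.CultureInfo]::InvariantCulture,
                       [Globalization.DateTimeStyles]::AssumeUniversal -bor
                       [Globalization.DateTimeStyles]::AdjustToUniversal)
        $age = (Get-Date).ToUniversalTime() - $updated
        if ($age.TotalHours -gt $MaxPrtAgeHours) {
            $findings += "PRT last refreshed $([int]$age.TotalHours) h ago (limit $MaxPrtAgeHours h): lock and unlock the device, then re-check"
        }
    }
    return $findings
}

# Join failures are logged with event IDs 304, 305 and 307 in the
# User Device Registration admin log.
function Get-HybridJoinFailureEvents {
    param([int]$Newest = 10)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Id      = 304, 305, 307
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$status   = Get-DsregStatus
$findings = Test-HybridJoinHealth -Status $status
if ($findings.Count -eq 0) { 'Hybrid join and PRT look healthy' } else { $findings }
Get-HybridJoinFailureEvents | Format-List
```

Get-DsregStatus also accepts saved output (for example, `Get-DsregStatus -Lines (Get-Content .\dsreg.txt)`), so the same checks can be run on diagnostics collected from a user's device.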
Configuration and Validation
You can control what devices can join to Azure AD automatically by using a group policy. To achieve this, you need to follow the steps mentioned in Controlled validation of hybrid Azure AD join. This process is crucial for ensuring that only authorized devices can join the Azure AD.
To configure a federated Azure AD domain, you'll need to open the IBM Security Verify Admin portal and click on Applications. From there, create a new Microsoft 365 application or select an existing one.
To configure Azure AD Connect for hybrid Azure AD join, you need to launch Azure AD Connect by double-clicking the desktop icon and then click Configure. This will take you through the necessary steps to set up hybrid Azure AD join.
The steps to configure Azure AD Connect for hybrid Azure AD join involve clicking Next multiple times, entering AzureAD Admin credentials, and selecting Configure Hybrid Azure AD join. The name displayed on the OneDrive notification is the AzureAD tenant name.
Here are the steps to configure Azure AD Connect for hybrid Azure AD join:
- Launch Azure AD Connect by double-clicking the desktop icon.
- Click Configure.
- Click Next.
- Enter the AzureAD Admin credential.
- Select Configure Hybrid Azure AD join and click Next.
To configure Controlled validation of hybrid Azure AD join, refer to the Microsoft document on Controlled validation of hybrid Azure AD join.
Frequently Asked Questions
What is a hybrid Azure AD join?
A hybrid Azure AD join combines on-premises Active Directory with Azure AD, allowing you to leverage the best of both worlds. This setup enables seamless integration of cloud and on-premises capabilities.
How long does hybrid Azure AD join take?
Hybrid Azure AD join typically takes around 1 hour to complete, including a 30-minute synchronization with Azure AD and an additional 30 minutes or more for the device to finalize the join.
How do I know if hybrid Azure AD join is enabled?
To check if hybrid Azure AD join is enabled, open Windows PowerShell and enter the command "dsregcmd /status" to verify that AzureAdJoined and DomainJoined are both set to YES. This confirms that your device is successfully joined to Azure AD and your on-premises domain.
Is hybrid join recommended?
For existing devices, hybrid Azure AD join is a suitable option. However, for new devices, Entra join is recommended for full cloud management capabilities.
What is the difference between entra registered and entra hybrid joined?
Microsoft Entra Registered Devices offer limited management capabilities compared to Hybrid Joined Devices, which provide comprehensive management features and access to more resources.
Sources
- https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current
- https://blog.quest.com/azure-ad-joined-devices-comparing-device-identities-in-active-directory-and-azure-ad/
- https://help.okta.com/en-us/content/topics/provisioning/azure/haad-join/configure-hybrid-join.htm
- https://www.netiq.com/documentation/access-manager-45/admin/data/auto-hybrid-aad-join-access-manager.html
- https://docs.verify.ibm.com/verify/docs/azure-ad-join-configure-hybrid-azure-ad-join