Forum Discussion
From Azure AD Registered devices to Hybrid Azure AD joined
From 1607 it should work: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
a work or school account was added prior to the completion of the hybrid Azure AD join. In this case, the account is ignored when using the Anniversary Update version of Windows 10 (1607).
But you will still see the Azure AD registered device in Azure AD.
From 1809, it will even remove the Azure AD registered device from Azure AD and remove it in the Windows 10 Settings: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-things-you-should-know
Any existing Azure AD registered state would be automatically removed after the device is Hybrid Azure AD joined.
This is what we've seen so far during our testing. Let us know how your testing goes.
| From 1809, it will even remove the Azure AD registered device from Azure AD
Sorry, I know this is old, but do you know how long this takes? I'm testing and my test machine now has two devices in Entra. One is "Microsoft Entra Registered" and one is "Microsoft Entra hybrid joined" and shows the registered date as "pending".Update: they both now show a date under "Registered". It is no longer pending. This machine just has two accounts now. Will it eventually delete the "Entra registered" account automatically?
This is a Windows 11 22h2 machine.
- Just for clarity. I had read through this thread and understood that if you execute on this process, a duplicate device would not be created in EntraAD if your Windows version was 1809+. It sounds like your result does not support this .
- It absolutely creates a duplicate account, but the "old" one does go away. It appears to go away after the first reboot, but I cannot state this with 100% certainty. But I've migrated about 20 devices so far and if you watch closely there is always a window in which there are two accounts; one which says "Registered" and one which says "Hybrid joined". The registered one will go away.
- Thanks! So in your testing, devices below 1809 that were already registered in Azure AD are indeed successfully hybrid joining? Does that create a duplicate device in Azure AD?
- Correct, it seems to work (we use Conditional Access to require "Hybrid Azure AD joined" to access some cloud apps). However, you see duplicate devices in Azure AD (one that is Azure AD registered from before and one that is Hybrid Azure AD joined) and both of them seems to be active (there's a column saying ACTIVITY and it's recent on both). The client itself also sees itself as still Azure AD registered in Settings > Accounts > Access work or school. We tried removing the Azure AD registered device in Azure AD but the client does not remove itself locally in Settings so it's left there. Not very beautiful but at least it works and we focus to deploy 1809 so it all solves by itself.
JonasBack Just wanted to say thank you for this clarification as I am about to do this for my environment to prepare for an upgrade from O365 (with AD registered devices but not AAD Connect synced) to M365 (with hybrid join and AAD Connect synced). The documentation from Microsoft here says
If your Windows 10 domain joined devices are already Azure AD registered to your tenant, we highly recommend removing that state before enabling Hybrid Azure AD join.
without really explaining the result of not doing this. If the only consequence of this is a doubling up, that's no problem; we'll just delete the redunant ones from AAD via the Azure Portal.
