Forum Discussion

jdavis92
Copper Contributor
Nov 20, 2021

AD Connect Alternate ID + Intune Auto Enrollment

Hello,
Currently a client is using the Multiple forests: account-resource forest AD Connect topology. When AD Connect was set up, the Alternate ID was set to use the mail attribute as the UPN in Azure AD. So the user's on-prem UPN is user@domainA.com and in Azure AD it is user@domainB.com.
I am trying to set up Hybrid AD Joined devices to auto enroll in Intune using GPO.
The issue I am coming across is that when they log onto the Hybrid AD Joined device they are using the account with the on-prem UPN, which doesn't match the UPN in Azure AD.
dsregcmd /status is showing:

    IsUserAzureAD: NO

    SSO State: AzureADPrt: No
So the device isn't able to enroll in Intune because the user's UPNs do not match.

Has anyone come across this before and found a solution?
I thought of using Azure AD Alternate login, but Hybrid AD Joined devices are not supported:

Sign-in to Azure AD with email as an alternate login ID | Microsoft Docs
Thanks,

  • Moe_Kinani
    Bronze Contributor

    Hi jdavis92,

    This feature isn’t supported (‘enrolling Hybrid AAD join using GPO’); not sure if it will ever be supported.

    I agree with my colleague above, and my advice is matching the identity between the two environments; you don’t want to add more complexity to an already complicated scenario (Mismatch Identity + Hybrid AD Join).

    Hope this helps!
    Moe

  • Niels_Kok
    Brass Contributor
    I think you have answered your own question. The UPNs need to match to enroll the devices into Intune but I guess you wouldn't create this topic just for fun. So, why are your UPNs not matching?
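Added example, not code from the thread: a PowerShell audit that lists the on-prem accounts whose AD UserPrincipalName differs from the mail attribute that AD Connect's Alternate ID maps to the Azure AD UPN, so the mismatch the replies point at can be sized before deciding how to align the identities. The domain controller name and report path are placeholders; it assumes the RSAT ActiveDirectory module and read access to the account forest.

```powershell
# Added example (not from the thread). $AccountForestDc and $Report are placeholders.
Import-Module ActiveDirectory

$AccountForestDc = 'dc01.domainA.example'                  # placeholder DC in the account forest
$Report          = Join-Path $env:TEMP 'upn-mail-mismatch.csv'

function Get-UpnMailState {
    param([string]$Upn, [string]$Mail)
    # Alternate ID sources the cloud UPN from mail, so UPN != mail means the
    # on-prem sign-in name will not match the Azure AD UPN (the symptom in the post).
    if ([string]::IsNullOrWhiteSpace($Mail)) { return 'NoMail' }   # nothing for Alternate ID to map; review separately
    if ($Upn -ieq $Mail)                     { return 'Match'  }   # UPN/mail comparison is case-insensitive
    return 'Mismatch'
}

$users = Get-ADUser -Server $AccountForestDc -Filter "Enabled -eq 'True'" `
                    -Properties UserPrincipalName, mail

$results = foreach ($u in $users) {
    $state = Get-UpnMailState -Upn $u.UserPrincipalName -Mail $u.mail
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OnPremUPN      = $u.UserPrincipalName
        Mail           = $u.mail
        State          = $state
        # Suffix-only mismatch (user@domainA.com vs user@domainB.com, as in the post) is the
        # case a UPN suffix change covers; any other mismatch needs a per-user decision.
        SuffixOnly     = ($state -eq 'Mismatch' -and
                          ($u.UserPrincipalName -split '@')[0] -ieq ($u.mail -split '@')[0])
    }
}

# Summary per state on screen, detail for everything that is not a clean match to CSV
$results | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object State -ne 'Match' |
    Export-Csv -Path $Report -NoTypeInformation
Write-Host "Non-matching accounts written to $Report"
```

Run it against the account forest only; the resource forest holds no user principals that AD Connect maps.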