Forum Discussion
AD Connect Alternate ID + Intune Auto Enrollment
Hello,
Currently a client is using the Multiple forests: account-resource forest AD Connect topology. When AD Connect was set up, the Alternate ID was set to use the mail attribute as the UPN in Azure AD. So the user's on-prem UPN is user@domainA.com and in Azure AD it is user@domainB.com.
I am trying to set up Hybrid AD Joined devices to auto enroll in Intune using GPO.
The issue I am coming across is that when they log onto the Hybrid AD Joined device they are using the account with the on-prem UPN, which doesn't match the UPN in Azure AD.
dsregcmd /status is showing:
IsUserAzureAD: NO
SSO State AzureAdPrt: NO
So the device isn't able to enroll in Intune because the users' UPNs do not match.
Has anyone come across this before and found a solution?
I thought of using Azure AD Alternate login ID, but Hybrid AD Joined devices are not supported:
Sign-in to Azure AD with email as an alternate login ID | Microsoft Docs
Thanks,
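As an added example (not part of the thread, and not Microsoft's tooling), the following PowerShell checks the two things the post describes: which on-prem users have a UPN that differs from the mail attribute AD Connect publishes as the Azure AD UPN, and whether dsregcmd on a Hybrid AD Joined device reports a user PRT. It assumes the ActiveDirectory RSAT module is installed and that dsregcmd is run in the affected user's session.

```powershell
# Added example, not from the forum thread. Requires the ActiveDirectory
# module (RSAT) for the first function; dsregcmd ships with Windows.

# 1. List enabled users whose on-prem UPN does not match the mail attribute.
#    With the Alternate ID setting described in the post, every row returned
#    here is a user who will sign in with one UPN and be known to Azure AD
#    by another, which is the mismatch that blocks the PRT.
function Get-UpnMailMismatch {
    param([string]$SearchBase)   # optional OU distinguished name
    Import-Module ActiveDirectory -ErrorAction Stop
    $query = @{ Filter = 'Enabled -eq $true'; Properties = 'mail' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADUser @query |
        Where-Object { $_.mail -and ($_.UserPrincipalName -ine $_.mail) } |
        Select-Object SamAccountName, UserPrincipalName, mail
}

# 2. Parse 'dsregcmd /status' into a hashtable and surface the fields the
#    post quotes. GPO-based auto enrollment with user credentials needs a
#    user PRT, so AzureAdPrt : NO is the symptom to look for.
function Test-HybridJoinState {
    $status = @{}
    dsregcmd /status | ForEach-Object {
        # lines look like "             AzureAdPrt : YES"; split on first colon
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined   = $status['DomainJoined']
        AzureAdJoined  = $status['AzureAdJoined']
        IsUserAzureAD  = $status['IsUserAzureAD']
        AzureAdPrt     = $status['AzureAdPrt']
        UserHasPrt     = ($status['AzureAdPrt'] -eq 'YES')
    }
}

# Usage (constructed): report mismatches for one OU, then check this device.
Get-UpnMailMismatch -SearchBase 'OU=Users,DC=domainA,DC=com' | Format-Table -AutoSize
Test-HybridJoinState
```

Run the first function from a machine with domain access; run the second as the signed-in user on the Hybrid AD Joined device, since the PRT state is per user session.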
Moe_Kinani (Bronze Contributor):
Hi jdavis92,
This feature (enrolling Hybrid AAD joined devices using GPO) isn't supported, and I'm not sure if it will ever be supported.
I agree with my colleague above, and my advice is to match the identity between the two environments; you don't want to add more complexity to an already complicated scenario (mismatched identity + Hybrid AD Join).
Hope this helps!
Moe

Niels_Kok (Brass Contributor):
I think you have answered your own question. The UPNs need to match to enroll the devices into Intune, but I guess you wouldn't create this topic just for fun. So, why are your UPNs not matching?