Forum Discussion
Red Flag (Iron Contributor), Aug 05, 2020
Hybrid AAD Join with non-routable UPNs on onpremise AD
Does Hybrid AAD Join support non-routable UPNs on local AD? The issue: all requirements for Hybrid AAD Join are met except routable UPNs on on-prem AD (no SF). Effect: device state is changing to Hybrid, but devices don't enroll automatically to Intune MDM (GPO in place). Are routable UPNs required to enroll to MDM?
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
IsDeviceJoined : YES
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
@Michael Niehaus, any idea what's wrong with the enrollment?
Moe_Kinani (Bronze Contributor): If the user is user@onmicrosoft.xyz.com, the answer is: you can't enroll it with GPO, because it needs a CNAME record at your DNS registrar to redirect enrollment requests to the Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.
Hope this helps!
Moe
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll
Red Flag (Iron Contributor):
@Moe_Kinani Hi Moe, thanks for the reply.
This requirement is met, domain on AAD is configured properly (all green). The user name on AAD includes the verified domain BUT on AD the UPN doesn't include a routable domain. The AD Connect synchronizes the identities. All this works well. Only MDM enrollment doesn't happen.
Moe_Kinani (Bronze Contributor): As mentioned, this piece is not going to work because the domain is not routable. The primary UPN / ProxyAddress attribute needs to match the verified domain so Intune can validate the request.
If xyz.com is the verified domain, the synced user needs to be user@xyz.com as the primary UPN, NOT an alias.
Moe
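The two checks a defender would want to script from this thread are (a) reading the dsregcmd /status fields that decide whether automatic MDM enrollment will run, and (b) finding on-prem AD accounts whose UPN suffix is not one of the tenant's verified domains, since those are the identities that will not sync as a routable UPN. The following PowerShell is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory RSAT module is installed for the UPN audit, that the list of verified domains is supplied by the admin (xyz.com below is a placeholder), and that the success value of PreReqResult is WillProvision, the usual counterpart of the WillNotProvision shown above. The sample status block is constructed from the lines quoted in the question.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module
# available; verified domain list supplied by the admin; 'WillProvision' taken
# as the expected success value of PreReqResult. Domain names are placeholders.

function ConvertFrom-DsregStatus {
    # Parse "Name : Value" lines of dsregcmd /status into an ordered hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-MdmAutoEnrollmentPrereqs {
    # Emit one row per field that automatic MDM enrollment depends on,
    # with the value observed and whether it matches the expected value.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Status)
    $checks = @(
        @{ Key = 'AzureAdJoined';  Expected = 'YES';           Note = 'Device must be hybrid Azure AD joined' },
        @{ Key = 'IsUserAzureAD';  Expected = 'YES';           Note = 'Logged-on user must resolve to an Azure AD identity (synced UPN on a verified domain)' },
        @{ Key = 'PolicyEnabled';  Expected = 'YES';           Note = 'Auto-MDM enrollment GPO must apply to the device' },
        @{ Key = 'DeviceEligible'; Expected = 'YES';           Note = 'Device must be eligible for MDM enrollment' },
        @{ Key = 'PreReqResult';   Expected = 'WillProvision'; Note = 'Overall prerequisite result (assumed success value)' }
    )
    foreach ($c in $checks) {
        $actual = $Status[$c.Key]
        [pscustomobject]@{
            Check    = $c.Key
            Expected = $c.Expected
            Actual   = $actual
            Pass     = ($actual -eq $c.Expected)
            Note     = $c.Note
        }
    }
}

function Find-NonRoutableUpnUsers {
    # List AD users whose UPN suffix is not in the tenant's verified domain list
    # (or who have no UPN at all); these will not sync as a routable identity.
    param(
        [Parameter(Mandatory)][string[]]$VerifiedDomains,
        [string]$SearchBase
    )
    $getParams = @{ Filter = '*'; Properties = @('UserPrincipalName', 'proxyAddresses') }
    if ($SearchBase) { $getParams['SearchBase'] = $SearchBase }
    Get-ADUser @getParams | ForEach-Object {
        $upn    = $_.UserPrincipalName
        $suffix = if ($upn) { ($upn -split '@')[-1] } else { $null }
        if (-not $upn -or ($VerifiedDomains -notcontains $suffix)) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $upn
                Suffix            = $suffix
                Issue             = if (-not $upn) { 'No UPN set' } else { 'UPN suffix is not a verified Azure AD domain' }
            }
        }
    }
}

# Constructed sample: the dsregcmd /status block quoted in the question.
$sampleText = @'
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
IsDeviceJoined : YES
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
'@
$sample = $sampleText -split "`r?`n"

$status = ConvertFrom-DsregStatus -Lines $sample
Test-MdmAutoEnrollmentPrereqs -Status $status | Format-Table -AutoSize

# On a live device, feed the real output instead:
#   $status = ConvertFrom-DsregStatus -Lines (dsregcmd /status)

# Audit on-prem AD; replace xyz.com with the domains verified in your tenant.
#   Find-NonRoutableUpnUsers -VerifiedDomains @('xyz.com') | Format-Table -AutoSize
```

Run against the sample, the report marks IsUserAzureAD, PolicyEnabled, DeviceEligible and PreReqResult as failing, which matches the symptom in the thread: the device is joined, but the user identity and the enrollment policy are not in the state auto-enrollment needs. The AD audit is the complementary check for the cause the replies point at, accounts whose primary UPN still carries a non-routable suffix instead of the verified domain.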