Red Flag
Iron Contributor
Aug 05, 2020

Hybrid AAD Join with non-routable UPNs on onpremise AD

Does Hybrid AAD Join support non-routable UPNs on local AD? The issue: all requirements for Hybrid AAD Join are met except for routable UPNs on on-prem AD (no SF). Effect: device state is changing to Hybrid, but devices don't enroll automatically to Intune MDM (GPO in place). Are routable UPNs required to enroll to MDM?

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
IsDeviceJoined : YES

IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
Michael Niehaus - any idea what's wrong with the enrollment?
    • Red Flag
      Iron Contributor

      Moe_Kinani Hi Moe, thanks for the reply.

      This requirement is met, domain on AAD is configured properly (all green). The user name on AAD includes the verified domain BUT on AD the UPN doesn't include a routable domain. The AD Connect synchronizes the identities. All this works well. Only MDM enrollment doesn't happen.

      • Moe_Kinani
        Bronze Contributor
        As mentioned, this piece is not going to work because the domain is not routable. The primary UPN / ProxyAddress attribute needs to match the verified domain so Intune can validate the request.

        If xyz.com is the verified domain, the synced user needs to be user@xyz.com as the primary UPN, NOT an alias.

        Moe
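
An added check, not part of the thread, that finds the mismatch Moe describes: on-prem AD users whose UPN suffix is not one of the Azure AD verified domains. It assumes the RSAT ActiveDirectory module, a constructed verified-domain list (xyz.com, the placeholder from the thread) and an assumed search base OU.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
# Lists enabled on-prem AD users whose UPN suffix is not an Azure AD verified
# domain, which is the condition that blocks automatic Intune MDM enrollment
# even though the device itself reports as Hybrid Azure AD joined.
Import-Module ActiveDirectory

# Constructed list: replace with the verified domains shown in the Azure AD portal.
$VerifiedDomains = @('xyz.com')

# Assumption: the OU that AAD Connect synchronizes; adjust to your forest.
$SearchBase = 'OU=Users,DC=corp,DC=local'

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties UserPrincipalName, proxyAddresses

$report = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    $upnSuffix = if ($upn) { ($upn -split '@')[-1] } else { '' }

    # The primary SMTP address is the proxyAddresses entry with an upper-case
    # "SMTP:" prefix (lower-case "smtp:" entries are aliases), hence -cmatch.
    $primarySmtp = ($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } |
        Select-Object -First 1) -replace '^SMTP:', ''
    $smtpSuffix = if ($primarySmtp) { ($primarySmtp -split '@')[-1] } else { '' }

    # -contains is case-insensitive, so Contoso.COM and contoso.com both match.
    $upnOk  = $VerifiedDomains -contains $upnSuffix
    $smtpOk = $VerifiedDomains -contains $smtpSuffix

    # Suggested fix keeps the local part and swaps in the first verified suffix.
    $suggested = if ($upn) { ($upn -split '@')[0] + '@' + $VerifiedDomains[0] } else { '' }

    if (-not $upnOk) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $upn
            UPNSuffix      = $upnSuffix
            PrimarySMTP    = $primarySmtp
            PrimarySmtpOk  = $smtpOk
            SuggestedUPN   = $suggested
        }
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
'{0} of {1} enabled users have a non-verified UPN suffix.' -f @($report).Count, @($users).Count
```

The script is read-only; changing UPNs is a separate step that should be coordinated with AAD Connect sync and, for ADFS-style setups, the sign-in name users are told to use.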
