Forum Discussion
Hybrid Azure AD joined device not enrolling into Intune
When a Windows device is Hybrid Azure AD joined but does not automatically enroll into Intune, the issue is usually related to the MDM enrollment configuration rather than the join itself. A few key points to check:
MDM User Scope
Ensure the MDM user scope in Intune is set to All or includes the users you expect to enroll.
This setting is found under Microsoft Intune → Device enrollment → Enrollment restrictions → MDM user scope.
Auto-enrollment GPO
Hybrid Azure AD joined devices require the Enable automatic MDM enrollment using default Azure AD credentials Group Policy.
This GPO must be applied to the OU containing your devices. Without it, the device will join Entra ID but never trigger Intune enrollment.
Licensing
Verify the user has a valid Intune license (Microsoft 365 E3/E5 or standalone Intune).
The device will not enroll if the assigned user lacks an Intune license.
Conditional Access Policies
Ensure Conditional Access policies are not blocking the enrollment service.
Excluding “Microsoft Intune Enrollment” from CA is correct, but also confirm no other CA rules are interfering.
Co-management prerequisites
If you are using MECM (SCCM) with co-management, confirm that the Co-management configuration is enabled and workloads are set to Intune where needed.
The log entry EnrollmentUrl = (null) typically indicates the auto-enrollment policy is missing or not applied.
Troubleshooting
Run dsregcmd /status on the client to confirm Hybrid Azure AD join status.
Check Event Viewer → Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider for enrollment errors.
Force enrollment with:
deviceenroller.exe /c /AutoEnrollMDM
If this fails, it usually confirms the GPO is not applied.
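As an added example (not part of the original post), the following PowerShell script runs the client-side checks above in one pass: it parses dsregcmd /status for the hybrid join state, looks for the registry value the auto-enrollment GPO writes, and pulls recent errors from the DeviceManagement-Enterprise-Diagnostics-Provider channel. The registry path and value name, and the assumption that the "EnrollmentUrl = (null)" text appears in that channel, are assumptions; run it in an elevated PowerShell on the affected device.

```powershell
# Added example, not from the original post. Local prerequisite check for a Hybrid Azure AD
# joined device that does not auto-enroll into Intune. Run elevated on the client.
$findings = @()

# 1. Hybrid join state: parse the "Key : Value" lines of dsregcmd /status
$joinState = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $joinState[$Matches[1]] = $Matches[2] }
}
if ($joinState['AzureAdJoined'] -ne 'YES' -or $joinState['DomainJoined'] -ne 'YES') {
    $findings += "Not Hybrid Azure AD joined (AzureAdJoined=$($joinState['AzureAdJoined']), DomainJoined=$($joinState['DomainJoined']))."
}

# 2. Auto-enrollment GPO: the policy "Enable automatic MDM enrollment using default Azure AD
#    credentials" writes AutoEnrollMDM=1 under this key (assumed path/value name)
$mdmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$autoEnroll = (Get-ItemProperty -Path $mdmPolicy -ErrorAction SilentlyContinue).AutoEnrollMDM
if ($autoEnroll -ne 1) {
    $findings += "Auto-enrollment GPO not applied: $mdmPolicy\AutoEnrollMDM is '$autoEnroll' (expected 1); check OU scope and run gpupdate /force."
}

# 3. Enrollment errors (Level 2 = Error) from the MDM diagnostics channel in the last 24 hours
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue
foreach ($e in ($events | Select-Object -First 5)) {
    $firstLine = ($e.Message -split "`n")[0]
    $findings += "MDM event $($e.Id) at $($e.TimeCreated): $firstLine"
}
# The post's "EnrollmentUrl = (null)" marker; searching this channel for it is an assumption
if ($events | Where-Object { $_.Message -match 'EnrollmentUrl\s*=\s*\(null\)' }) {
    $findings += "'EnrollmentUrl = (null)' seen: enrollment policy missing, consistent with the GPO not being applied."
}

# 4. Report. Tenant-side causes (MDM user scope, licensing, Conditional Access) cannot be
#    verified from the client and must be checked in the admin portals.
if ($findings.Count -eq 0) {
    'No local prerequisite problems found; check MDM user scope, licensing and Conditional Access in the tenant.'
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

If the GPO check passes but enrollment still fails, rerun deviceenroller.exe /c /AutoEnrollMDM and re-check the channel, since a fresh attempt produces the most recent error event.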