Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment

Question

[New&nbsp;#BlogPost] Bit of an interesting take on how to perform a controlled Hybrid AAD Join deployment and make the workstations ready for&nbsp;#Intune&nbsp;and&nbsp;#MEM&nbsp;depending on the OU selection in the Azure AD Connect Sync tool.Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment – Shehan Perera [techBlog]#AzureAD&nbsp;#ModernWork&nbsp;#ModernDevices&nbsp;#Hybrid&nbsp;#Microsoft365

oryxway · Answer

Hi Shehan,I am now doing a Hybrid Azure AD join (OOBE) Autopilot of Windows 10 devices. I have Intune Connector installed for Hybrid AD join. Should I configure it in Azure AD Connect also for Hybrid AD Join? I am concerned what will happen if I enable it and will all the devices be migrated?Have few questions. I posted this in Intune forum also, but asking you directly since I came across your excellent article.1. For Autopilot having Intune Connector is not sufficient and should we enable Hybrid Azure AD configuration in AD Connect?2. The device is not joining the domain but I see the device in Azure even though I have specified in the configuration profile Hybrid Azure AD.3. If Hybrid Azure AD configuration needs to be enabled in Azure AD Connect server, then will this affect any devices OnPrem? I do not want thousand of machines moving to Azure AD.

shehanjp · Answer

Hi&nbsp;oryxway,&nbsp;Thanks for your comments about my article. I see you have few questions regarding the join mode and AAD connect. Please see my answers below.&nbsp;1. For Autopilot to complete, you don't need to enable Hybrid AAD Join (HAAJ) mode. You only need HAADJ if you have an On-Premises AD which you need your Autopilot'ed machines to be joined afterwards. If not, they will be joined as AAD Joined to Azure AD. If you need to add devices to On-prem and join as HAADJ to Azure AD, then create the Domain Join profile and make sure you assign the Autopilot'ing device group to it and install the Intune Connector in an On-prem server.&nbsp;2.&nbsp;Your 2nd question is not clear, is you can add a bit more details, that would be great 🙂&nbsp;3.&nbsp;If Hybrid Azure AD configuration needs to be enabled in Azure AD Connect server, then will this affect any devices OnPrem? I do not want thousand of machines moving to Azure AD.It depends on how you want to enable. How's your AD OUs syncing with Azure AD, sync scope that is?&nbsp;a - Do you have a set of OUs that's syncing only orb - Do you have your whole AD syncing with all the OUs?&nbsp;If a, then you can create another OU, add your devices and add to the AAD Connect sync scope so only those machines will get synced. And then enable the HAADJ in AAD Connect tool and perform a full sync. So only machines that are syncing will get the Azure AD SCP via the AAD Connect tool&nbsp;If&nbsp;b, then, again create another OU, add your devices which you need to be added as HAADJ and set the Azure AD SCP from a GPO, so only those machines will get added as HAADJ&nbsp;The steps are in my article anyway.&nbsp;Mainly HAADJ is best if your computers needs to get authenticated from the on-prem domain for various reasons (file shares, on-prem legacy apps etc.) If not its recommended to add devices to Azure AD join directly, but really either is fine.&nbsp;Good luck!Shehan.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

oryxway · Answer

shehanjp&nbsp;Shehan,Thank you for you're response.&nbsp;Your Response1. For Autopilot to complete, you don't need to enable Hybrid AAD Join (HAAJ) mode. You only need HAADJ if you have an On-Premises AD which you need your Autopilot'ed machines to be joined afterwards. If not, they will be joined as AAD Joined to Azure AD. If you need to add devices to On-prem and join as HAADJ to Azure AD, then create the Domain Join profile and make sure you assign the Autopilot'ing device group to it and install the Intune Connector in an On-prem server.&nbsp;My Response - They are joining as AAD but I do not see them in Active Directory OU where we specifically have mentioned that these machines should be added with the delegation of permissions to both Intune Connectors as per this article.&nbsp;https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid&nbsp;We have setup the Intune Connectors and delegated permissions. But, I dot see the objects in AD. Also, the machine keeps spinning and we got the following error "Something went wrong" and error code 80070774.&nbsp;Based on this error I went and checked, I checked this and we have both the Intune servers that are ACTIVE. But, one thing I noticed is that when we delegated permissions and gave full control as per the document above, I manually went and checked each server permissions and it had only special permissions and not full permissions as shown in this diagram. I just enabled full permissions here to see that would help when we rejoin.Question 2The device is not joining the domain but I see the device in Azure even though I have specified in the configuration profile Hybrid Azure AD.&nbsp;The object should be seen in the OU where we have delegated that these Autopiloted devices should be joining. I am not seeing the Object, so I wondered whether it could be due to the permissions which I have mentioned in my Question 1 response.&nbsp;&nbsp;Question 33.&nbsp;If Hybrid Azure AD configuration needs to be enabled in Azure AD Connect server, then will this affect any devices OnPrem? I do not want thousand of machines moving to Azure AD.It depends on how you want to enable. How's your AD OUs syncing with Azure AD, sync scope that is?&nbsp;a&nbsp;- Do you have a set of OUs that's syncing only orb&nbsp;- Do you have your whole AD syncing with all the OUs?&nbsp;Answer below:&nbsp;I am having only one OU where we have the Intune Connectors delegated.&nbsp;&nbsp;COMPUTERS&nbsp; &nbsp; &nbsp; AID&nbsp; &nbsp; &nbsp; BEC&nbsp; &nbsp; &nbsp; AutoPilot Domain Join ---- so only this OU under Computers OU that is getting synced.&nbsp;I tried doing the same process again and I see only this under devices but it is not showing up in AD OU where the object should go. And getting the same error message&nbsp;"Something went wrong" and error code 80070774. Based on one article, I was told to unassign the user from the device and try and it should work, but I tried unassigning the user and it did not do nothing nor it added to Endpoint.&nbsp;&nbsp;&nbsp;

shehanjp · Answer

Hi&nbsp;oryxway&nbsp;1. Have you created the Device Profile called "Domain Join"? This is where you specify the domain information.About the Intune Connector - My advice is to go through the Microsoft Official document and configure the permissions.&nbsp;2. Looks like you have the selected OU which has been set up for Autopilot, which is the controlled method.&nbsp;Hope you have seen this already&nbsp;Windows Autopilot Error Code: 80070774 | Steve Hardie&nbsp;Few things you can check -* Run dsregcmd /status on the users computer to understand the join mode&nbsp;Troubleshoot hybrid Azure Active Directory-joined devices - Microsoft Entra | Microsoft Docs* User who is enrolling the device needs to have proper licensing that covers Intune* MDM user scope should be&nbsp;Some&nbsp;or&nbsp;All&nbsp;and that should capture the end user who is enrolling the device* No proxy or firewall blocks&nbsp;Network endpoints for Microsoft Intune | Microsoft Docs&nbsp;Shehan.

oryxway390 · Answer

shehanjp&nbsp;Thank you.&nbsp;Yes, I am following the MS document for Autopilot. I have the Domain Join profile configured as per the requirements.&nbsp; Also, I have looked at that document. I ran the PS script from oofhours.com to see what is going on.&nbsp; Looks like it is the ODJConnector blob that is not being downloaded.&nbsp;So, there is connectivity issue. We have opened all the network requirements as per the Microsoft suggestions and URL.

Forum Discussion

Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment

8 Replies

Resources