Microsoft Tech Community
SOLVED

Can anyone help with the setup of specific devices that are synced to Hybrid Azure AD Join?


Hi, All

Does anyone know how to set up Hybrid Azure AD Join for specific computers rather than all computers?

I tried to configure it following the Microsoft docs, selecting a specific computer OU so that only the computers in that OU would change to Hybrid Azure AD joined, but in this case all computers changed to Hybrid Azure AD joined, which is not what I want. So if anyone knows how to configure Hybrid Azure AD Join for specific computers, please give me some guidance.

Thx

hwjin

8 Replies
best response confirmed by hongwoo_jin (Brass Contributor)
Solution

@hongwoo_jin You can configure specific PCs to hybrid join by using client-side registry keys rather than setting up the hybrid join SCP in AADConnect. I use Group Policy Preferences registry items to set these:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD\TenantId – REG_SZ – set the value to your tenant ID (can be obtained from the Azure AD Overview screen)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD\TenantName – REG_SZ – set the value to your primary domain (again, this can be seen on the Azure AD Overview screen).

@CoasterKaty You mean I don't need to select and activate Hybrid Azure AD Join on the AAD Connect server? If I only set those two registry keys you mentioned, does the status automatically change to Hybrid Azure AD joined without setting Hybrid Azure AD Join on the AAD Connect server?

Could you please give a full guide to follow, if you don't mind? I'm confused with just that information.

 

Thx

hongwoo

@hongwoo_jin You need to be syncing computer accounts as well as user accounts in your Azure AD Connect sync setup, but no, you don't need to configure hybrid domain join in AAD Connect; you just need those two registry keys on the Windows 10 devices you want to be hybrid joined. Once they're set, the devices should auto-join by themselves, and you can monitor this with dsregcmd /status on the client. If you don't want to wait for it, you can run dsregcmd /join.
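The procedure in the accepted answer and the reply above, as an added PowerShell example (this is not CoasterKaty's script or anything from the original thread; it is written here for illustration). It writes the two REG_SZ values under CDJ\AAD on the client, reads them back, triggers the join with dsregcmd /join, and parses dsregcmd /status to confirm the result. Run it in an elevated PowerShell session on the domain-joined Windows 10 client you want hybrid joined; the tenant ID and domain name you pass in are placeholders for your own tenant's values. (These are the same two values Microsoft's "controlled validation of hybrid Azure AD join" guidance uses, so the approach is not an unsupported trick.)

```powershell
# Added example, not code from the thread: set the CDJ\AAD registry values,
# trigger the hybrid join, and verify it via dsregcmd /status.
# Run elevated on the domain-joined Windows 10 client.
[CmdletBinding()]
param(
    # Placeholder: your tenant ID (a GUID) from the Azure AD Overview screen.
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')]
    [string]$TenantId,

    # Placeholder: your primary domain, e.g. 'contoso.com'.
    [Parameter(Mandatory)]
    [string]$TenantName
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'

# 1. Write the two REG_SZ values (this is what the GPP registry items do).
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name 'TenantId'   -PropertyType String -Value $TenantId   -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'TenantName' -PropertyType String -Value $TenantName -Force | Out-Null

# 2. Read back and fail loudly if the values did not land as expected.
$written = Get-ItemProperty -Path $KeyPath
if ($written.TenantId -ne $TenantId -or $written.TenantName -ne $TenantName) {
    throw "Registry values under $KeyPath do not match what was requested."
}

# 3. Kick off the join now instead of waiting for the
#    \Microsoft\Windows\Workplace Join\Automatic-Device-Join scheduled task.
dsregcmd /join | Out-Null

# 4. Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
function Get-DsregStatus {
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$s = Get-DsregStatus
"AzureAdJoined : $($s.AzureAdJoined)"
"DomainJoined  : $($s.DomainJoined)"
"TenantId      : $($s.TenantId)"

# Hybrid joined means both AzureAdJoined and DomainJoined report YES and the
# tenant matches the one we wrote. Registration is asynchronous, so a NO right
# after /join is not necessarily a failure: rerun this check after a few minutes,
# and if it still fails look at the
# Microsoft-Windows-User Device Registration/Admin event log on the client.
if ($s.AzureAdJoined -eq 'YES' -and $s.DomainJoined -eq 'YES' -and $s.TenantId -eq $TenantId) {
    'Device reports Hybrid Azure AD Joined.'
} else {
    Write-Warning 'Device is not (yet) Hybrid Azure AD Joined.'
}
```

Invoke it as `.\Set-HybridJoin.ps1 -TenantId <your-tenant-guid> -TenantName <your-primary-domain>` (the script name is an assumption). The precondition from the thread still applies: the computer object has to be in scope of Azure AD Connect's sync so the device shows up in Azure AD > Devices first; the registry values only tell the client which tenant to register with.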

@hongwoo_jin Please ignore the message asking you to call a phone number, as it's a scam; I've notified the moderators to get it removed.

@CoasterKaty OK, Katy

I'll ignore that message which you mentioned.

Some members mentioned that it is necessary to edit inbound rules when editing synchronization rules in AAD Connect. Do you know that method? I'm confused about how to edit it.

 

Thx

Hongwoo

@hongwoo_jin I've not had to edit anything. I made sure devices were being synced as well as users (so they should appear in Azure AD > Devices with a status of "Pending") and then set the two registry keys on the computers I wanted hybrid joined, ran dsregcmd /join, and they hybrid joined. I've got 500 devices hybrid joined with this method (as our network configuration is incompatible with configuring hybrid join using AADConnect).

@CoasterKaty 

I cannot see any devices with Pending status in Azure Active Directory > Devices.

I created a domain controller, then created O365 users synced to the O365 Azure Active Directory using AAD Connect, then selected the O365 users and a specific computer OU so that they would be Hybrid Azure AD joined; I couldn't set Hybrid Azure AD Join in AAD Connect. Can you give me advice to fix it?

As you mentioned before, once I can see devices in Azure Active Directory in the M365 portal, I will make a Group Policy with the two registry keys you gave. I think you set up MDM, no?

 

Thx

Hi, CoasterKaty

You're right, I did it in my test lab following your answer.

Thx