From Azure AD Registered devices to Hybrid Azure AD joined

Jonas Back · ‎Nov 24 2018

Very aware of the two technologies and how they differ/work and how to set u it up.

I inherited an old environment and they have all their Windows 10 devices Azure AD registered (not syncing OU with computer nor SCP etc setup).

I want to move to Hybrid Azure AD joined. I know the steps but I wonder what will happen to all the 800+ Windows 10 devices already registered?

Will they magically be replaced with Hybrid Azure AD joined objects in Azure AD? Will I get duplicate items? Do I need to do something on the client side or will daregcmd /status simply show YES?

Anyone done such switch?

adam deltinger · ‎Nov 24 2018

They aren’t domain joined today, right?
Just try doing one manually before you setup the SCP! You could also set GPO not to auto register on those you don’t want to do a test run on, if you want to setup the SCP beforehand!
I believe they will not duplicate! Not 100 % sure though

Adam

Jonas Back · ‎Nov 24 2018

Thanks for your quick reply.

They are on-premises AD joined + Azure AD Registered. I want to move to still on-premises AD joined + Hybrid Azure AD joined.

How do you manually Hybrid Azure AD join a client without creating the SCP record? This seems to be the first step in the guide: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual-steps

For the record, we're running PSH+SSO.

Otherwise, the GPO to make sure the devices not to register automatically is a good idea: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control

KyleF645 · ‎Feb 27 2019

We have a very similar situation in my environment. What did you end up with?

Jonas Back · ‎Feb 27 2019

From 1607 it should work: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-cur...

a work or school account was added prior to the completion of the hybrid Azure AD join. In this case, the account is ignored when using the Anniversary Update version of Windows 10 (1607).

But you will still see the Azure AD registered device in Azure AD.

From 1809, it will even remove the Azure AD registered device from Azure AD and remove it in the Windows 10 Settings: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-thin...

Any existing Azure AD registered state would be automatically removed after the device is Hybrid Azure AD joined.

This is what we've seen so far during our testing. Let us know how your testing goes.

KyleF645 · ‎Feb 27 2019

Thanks! So in your testing, devices below 1809 that were already registered in Azure AD are indeed successfully hybrid joining? Does that create a duplicate device in Azure AD?

Jonas Back · ‎Feb 27 2019

Correct, it seems to work (we use Conditional Access to require "Hybrid Azure AD joined" to access some cloud apps). However, you see duplicate devices in Azure AD (one that is Azure AD registered from before and one that is Hybrid Azure AD joined) and both of them seems to be active (there's a column saying ACTIVITY and it's recent on both). The client itself also sees itself as still Azure AD registered in Settings > Accounts > Access work or school. We tried removing the Azure AD registered device in Azure AD but the client does not remove itself locally in Settings so it's left there. Not very beautiful but at least it works and we focus to deploy 1809 so it all solves by itself.

Ru · ‎Jul 12 2019

@Jonas Back Just wanted to say thank you for this clarification as I am about to do this for my environment to prepare for an upgrade from O365 (with AD registered devices but not AAD Connect synced) to M365 (with hybrid join and AAD Connect synced). The documentation from Microsoft here says

If your Windows 10 domain joined devices are already Azure AD registered to your tenant, we highly recommend removing that state before enabling Hybrid Azure AD join.

without really explaining the result of not doing this. If the only consequence of this is a doubling up, that's no problem; we'll just delete the redunant ones from AAD via the Azure Portal.

Jonas Back · ‎Aug 14 2019

@Ru We have seen strange behaviors when running a device both Azure AD registered + Hybrid Azure AD joined at the same time when it comes to Conditional Access. For example if we set a rule in Conditional Access NOT to force MFA for Hybrid Azure AD joined it will still sometimes ask for MFA if the device is both.

So I still recommend making sure you don't end up there. Only way we found effective (without manual work on every client) - make sure to update them to 1809+ before starting.

symm_adrian · ‎Sep 27 2019

I'm trying to work through this today. I've set a GPO to set the SCP as I'm attempting a controlled setup against one machine. However, when sync the OU with the computer and the GPO is applied, the machine doesn't appear to do anything and the state of the machine doesn't change from Azure AD Registered to Hybrid Azure AD Joined. Any ideas?

Jonas Back · ‎Sep 28 2019

Have you enables Hybrid Azure AD Join in Azure AD Connect?

From Azure AD Registered devices to Hybrid Azure AD joined

From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Re: From Azure AD Registered devices to Hybrid Azure AD joined

Products (65)

Special Topics (44)

Video Hub (444)

Most Active Hubs

Most Active Hubs

Video Hub

From Azure AD Registered devices to Hybrid Azure AD joined